Configure the switch user HTML form

WebSEAL provides a default HTML form that the administrator uses to access the switch user function. The default form can be used without modification. Optionally, we can edit the form to customize its appearance and functionality.

This step is optional.

The default form is named switchuser.html. We can modify the name of this file.

We can use the LMI to access this file in the management/lang directory. The value of the lang directory is specific to the locale. For example, the lang directory for a US English locale is called "C".

Form contents

The form contains requests for:

Each of these entries is required. WebSEAL verifies that all required data is present in the submitted form. If data is missing, the form is returned to the administrator with a descriptive message. When all required data is present, WebSEAL submits the switch user form data to the /pkmssu.form action URL.

By default the switch user function is enabled. It can be disabled by setting [acnt-mgt]switch-user-enabled = false. Only members of the su-admins group can invoke the form. An ACL is not required on this file. WebSEAL performs an internally hardcoded group membership check. WebSEAL returns a 404 "Not Found" error when the group membership check fails. Also, when switch user is disabled, WebSEAL returns a similar error for all users regardless of their group membership.

Customize the HTML form

To customize the switch user form, open the form for editing, and complete the following steps:

Steps

  1. Set the location and contents of the destination URL.
    We can configure this URL as a hidden input that contains an appropriate home page or a successful switch user confirmation page.
  2. Specify the authentication methods.
    We can configure this field as a hidden input. Valid values for the authentication method include:
    su-ba, su-forms, su-certificate, su-http-request, su-cdsso
    The methods in this list map directly to authentication mechanisms specified in the WebSEAL configuration file. Note, however, that the su-ba and su-forms methods both map to the su-password authentication mechanism, because both basic authentication (ba) and forms authentication (forms) use the su-password authentication module. A WebSEAL deployment can support basic authentication without supporting forms authentication, so separate configuration values are maintained for each authentication type (su-ba and su-forms).
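
An added example (not from the product documentation) that lints a customized switch user form against the requirements above: the /pkmssu.form action URL, the presence of every required entry, and a valid hidden authentication method. The input names username, destination and auth_method and the sample markup are assumptions made for this example; substitute the names used in your own copy of switchuser.html.

```python
from html.parser import HTMLParser

ACTION_URL = "/pkmssu.form"
VALID_METHODS = {"su-ba", "su-forms", "su-certificate", "su-http-request", "su-cdsso"}
# Assumed input names for this example; use the names in your own switchuser.html.
REQUIRED_FIELDS = ("username", "destination", "auth_method")

# Constructed sample forms (not the product's default markup).
SAMPLE_GOOD = """<form method="POST" action="/pkmssu.form">
  User name: <input type="text" name="username">
  <input type="hidden" name="destination" value="/su-confirmed.html">
  <input type="hidden" name="auth_method" value="su-forms">
</form>"""
# Mistakes: destination dropped, and the mechanism name used as the method.
SAMPLE_BAD = """<form method="POST" action="/pkmssu.form">
  User name: <input type="text" name="username">
  <input type="hidden" name="auth_method" value="su-password">
</form>"""

class FormScan(HTMLParser):
    """Records the form action and each named input's (type, value)."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action") or ""
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = ((a.get("type") or "text").lower(), a.get("value") or "")

def check_switch_user_form(html):
    """Return a list of problems found in a customized switch user form."""
    scan = FormScan()
    scan.feed(html)
    problems = []
    if scan.action != ACTION_URL:
        problems.append(f"form action is {scan.action!r}, expected {ACTION_URL!r}")
    for name in REQUIRED_FIELDS:
        if name not in scan.fields:
            problems.append(f"required field {name!r} is missing")
    ftype, value = scan.fields.get("auth_method", ("", ""))
    if ftype == "hidden" and value not in VALID_METHODS:
        problems.append(f"hidden auth_method {value!r} is not a valid method")
    return problems

if __name__ == "__main__":
    for label, form in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_switch_user_form(form))
```

Running the check after each edit to the form catches the common slip of putting the mechanism name su-password where a method such as su-ba or su-forms is expected.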
