The SEMINE Identity Provider supports issuing a token on behalf of a target user in a target organization. In effect, this allows an impersonator user to log in as a target user, receiving the same access and permissions as that user. Any actions performed by the impersonator will be logged under the target user name.
Technically, this is done by calling the GET /impersonate endpoint. The caller needs to pass the usercode or secondaryCode of the target user to be impersonated. The endpoint checks if the user has CanImpersonate permission to get an impersonated token for the given user.
Requirements
- A user with impersonator role for a given organization
- A target user which is a direct member of the same organization
Procedure
- Gaining impersonator access
  - As an administrator, in the target organization, create an access group with the role "Impersonator" on Organization level.
    See: How to Create Groups
  - Add the impersonator user to that access group.
    See: Groups - Roles for further details.
- Logging in as impersonator
  Log in ( https://login.semine.no/connect/token ) as the impersonator user with scope set to semine IdentityServerApi
  This will return a token that can be used in the following GET .../impersonate request
- Getting the token for impersonation
  - Check that the target user has "code" or "secondaryCode" filled in.
    - Alternative 1: Checking target user properties via integration API
      As a user with the integration role, you can run the following to get user details via the integration API.
      GET https://api.semine.no/api/v1.0/organizations/{{organizationID}}/users
    - Alternative 2: Checking target user via WebAPI
      Logged in as the target user, you can do this by running GET https://webapi.semine.no/api/v1.0/currentuser
      Example response
      {
        "id": "5a9e0172-2951-4c25-86e2-*********",
        "firstName": "Target",
        "lastName": "User",
        "email": "TargetUser@*****.no",
        ...
        "code": "targetCode",
        "secondaryCode": "targetSecondaryCode",
        ...
      }
  - As the impersonator, run the following GET request to get the impersonation token for the target user.
    Note: The organization_ID must be the organization where the target user is a direct member.
    - Using "code"
      GET https://login.semine.no/identity/{{organization_ID}}/impersonate?usercode=targetCode
    - Using "secondaryCode"
      GET https://login.semine.no/identity/{{organization_ID}}/impersonate?usercode=targetSecondaryCode&usercodefield=SecondaryCode
  - Response
    You should now get an impersonation token for the target user in return, which will provide the same permissions and access as the target user.
  - Using this impersonation token, run GET https://webapi.testsemine.no/api/v1.0/currentuser to verify that the response now returns the target user.
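The request-building and verification steps of the procedure above, as an added Python example that is not SEMINE's own code. It builds the GET .../impersonate request from a user record, falling back to "secondaryCode" when "code" is empty and URL-encoding the value, and checks that currentuser afterwards reports the target user. The Bearer header, the function names and the sample record are assumptions; nothing is sent over the network.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import Request

LOGIN_BASE = "https://login.semine.no/identity"  # host taken from the article


def pick_usercode(user: dict) -> dict:
    """Return the query parameters that identify the target user.

    Prefers "code"; falls back to "secondaryCode", which also needs
    usercodefield=SecondaryCode. Raises if neither field is filled in.
    """
    code = (user.get("code") or "").strip()
    if code:
        return {"usercode": code}
    secondary = (user.get("secondaryCode") or "").strip()
    if secondary:
        return {"usercode": secondary, "usercodefield": "SecondaryCode"}
    raise ValueError("target user has neither code nor secondaryCode set")


def build_impersonate_request(organization_id: str, user: dict, token: str) -> Request:
    """Build (but do not send) the GET .../impersonate request."""
    # Percent-encode the code so characters such as '&' or spaces cannot
    # alter the query string.
    query = urlencode(pick_usercode(user), quote_via=quote)
    url = f"{LOGIN_BASE}/{quote(organization_id, safe='')}/impersonate?{query}"
    # Assumption: the impersonator's token is presented as a Bearer token.
    return Request(url, headers={"Authorization": f"Bearer {token}"}, method="GET")


def is_target_user(target: dict, currentuser_response: dict) -> bool:
    """Verification step: currentuser must now report the target user's id."""
    return bool(target.get("id")) and target.get("id") == currentuser_response.get("id")


# Constructed sample record, shaped like the example response in the article.
SAMPLE_TARGET = json.loads("""{
  "id": "00000000-0000-0000-0000-000000000001",
  "firstName": "Target", "lastName": "User",
  "code": "", "secondaryCode": "target secondary&code"
}""")

if __name__ == "__main__":
    req = build_impersonate_request("org-placeholder", SAMPLE_TARGET, "TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url)
```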