Impersonate users with Keycloak

This feature allows an authorized user to impersonate another user. This is known as impersonating or impersonating users.

Usage

In the integrated user administration the impersonation can be triggered via the button on the respective user. This immediately logs you in as this user.

impersonate bpc 1

Alternatively, this can also be activated from the user administration in Keycloak.

Keycloak configuration

In order for the impersonation to be carried out, adjustments must be made in Keycloak and in the BPC.

Activation of the necessary feature

The so-called Token Exchange Service feature (ID: token-exchange) must be activated. Otherwise the error Feature not enabled occurs.

If you want to prevent the impersonation of certain users (see Restrict impersonation), you must also activate the Fine-Grained Admin Permissions feature (ID: admin-fine-grained-authz).

You can find out how to activate the feature in the Keycloak documentation.

Authorizations

The authorizations required for this function can be found under Keycloak authorizations.

Enable recognition of impersonation

In order for the BPC to recognize that a user is impersonating another user, the transfer of this information must be set up. To do this, add suitable mappers to one of the client scopes used (e.g. profile). These can be added at Mappers via Add mapperFrom predefined mappers.

impersonate add mapper
Illustration 1. Add mapper

The following mappers must be added:

  • Impersonator Username

  • Impersonator User ID

If these mappers are set, information about who is imitating the current user is stored in the user session.

If this is not configured, the BPC cannot recognize that a user is being impersonated. This would result in the BPC audit log not recognizing that a user has been impersonated.

Restrict impersonation

Please note that users who impersonate other users also receive their authorizations. This may result in an unintentional extension of rights.

To prevent this, you can influence who is allowed to impersonate whom in the keycloak. To do this, the corresponding feature (see Activation of the necessary feature) must be activated. Then proceed as follows in the Keycloak:

  • Create a role.

  • Create a client policy of type Role at the client realm-management

    • Add the role created first to the policy and activate the checkbox Required field

    • The setting at Logic is decisive.

      • Positive- Members of this role can be impersonated, users without this role cannot

      • Negative- Members of this role cannot be impersonated, users without this role can

    • Activate in the user list Permissions

    • Select from the list user-impersonated

    • Select the previously created policy in the permission and save the changes

See also the Keycloak documentation.

BPC authorizations

The required authorizations are described on the User administration / Identity Manager page.

Keywords:
Press Esc to exit full screen
Modal image placeholder
Press Esc to exit full screen