Configuring the switch user HTML form

Edit online

WebSEAL provides a default HTML form that the administrator accesses to use the switch user function. The default form can be used without modification. Optionally, you can edit the form for customized appearance and functionality.

About this task

This step is optional.

The default form is named switchuser.html. You can modify the name of this file.

You can use the LMI to access this file in the management/lang directory. The value of the lang directory is specific to the locale. For example, the lang directory for a US English locale is called "C".

Form contents

The form contains requests for:

  • User name

    The name of the user whose credentials the administrator wants to access.

  • Destination URL

    This page displays after a successful switch user operation.

  • Authentication method

    The authentication method stanza entries specify which authentication mechanism WebSEAL uses to build the user credential.

Each of these entries is required. WebSEAL verifies that all required data is present in the submitted form. If data is missing, the form is returned to the administrator with a descriptive message. When all required data is present, WebSEAL submits data from the switch user form data to the /pkmssu.form action URL.

By default the switch user function is enabled. It can be disabled by setting [acnt-mgt]switch-user-enabled = false.

Note: Only members of the su-admins group can invoke the form. An ACL is not required on this file. WebSEAL performs an internally hardcoded group membership check. WebSEAL returns a 404 "Not Found" error when the group membership check fails. Also, when switch user is disabled, WebSEAL returns a similar error for all users regardless of their group membership.

Customizing the HTML form

To customize the switch user form, open the form for editing, and complete the following steps:

Procedure

  1. Specify the location and contents of the destination URL. You can configure this URL as hidden input, which contains an appropriate home page or a successful switch user confirmation page.
  2. Specify the authentication methods. You can configure this field as hidden input. Valid values for the authentication method include:su-ba su-forms su-certificate The methods in this list map directly to authentication mechanisms specified in the WebSEAL configuration file. Note, however, that the su-ba > su-forms methods both map to the su-password authentication mechanism. Both basic authentication (ba) and forms authentication (forms) use the su-password authentication module. Note that a WebSEAL deployment can support basic authentication without supporting forms authentication. Therefore separate configuration values are maintained for each authentication type (su-ba > su-forms).