Impersonating with claims from Access Management
When impersonating a Tridion Access Management user, you should use external claims obtained from Access Management.
Obtain claims from a secured Tridion web app
If your code runs in a web app that is already secured by Access Management, such as the Content Manager Explorer web app, the claims are readily available. In this case, you can obtain the claims from the Current Principal, for example, using HttpContext.Current.User.Identity.Claims.
Obtain claims from a custom web app
If your code runs in a custom web app that is not already secured by Access Management, then you need to obtain the claims that you want to use for impersonation from Access Management using the OpenID Connect protocol. As a prerequisite, your web app must be registered as an Application in Access Management.
Use the following steps to obtain claims:
- Initiate an OpenID Connect user authentication flow.
- Obtain an access token from Access Management.
- Obtain the set of user claims from Access Management.
This is all standards-based and you can use third-party libraries for authentication with Access Management.
Provide claims to WCF Core Service
To impersonate a user with the claims obtained from Access Management, call the ImpersonateWithClaims method. These claims are typically mapped in Content Manager to user groups, which in turn resolve to a set of user rights and permissions.
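The following is an added C# example, not code from the original page or from the Tridion product: it takes the claims of the current principal of a web app secured by Access Management, converts them to the shape the Core Service expects, and passes them to ImpersonateWithClaims. It assumes that the session-aware Core Service client exposes ImpersonateWithClaims taking an array of a claim DTO (named ClaimData here, with Type and Value properties); check the Core Service contract for the actual parameter type.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using Tridion.ContentManager.CoreService.Client;

// Added example; ClaimData and the ImpersonateWithClaims signature are assumptions.
public static class ClaimsImpersonation
{
    // Step 1: claims from a web app already secured by Access Management.
    // IIdentity itself has no Claims property; the identity must be a ClaimsIdentity.
    public static IReadOnlyList<Claim> GetCurrentClaims()
    {
        var identity = HttpContext.Current?.User?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            throw new InvalidOperationException(
                "No authenticated claims identity: the request was not authenticated by Access Management.");
        }
        return identity.Claims.ToList();
    }

    // Step 2: map the .NET claims to the Core Service claim DTO.
    // Assumption: a ClaimData type with Type and Value properties.
    public static ClaimData[] ToCoreServiceClaims(IEnumerable<Claim> claims)
    {
        return claims
            .Where(c => !string.IsNullOrEmpty(c.Type) && c.Value != null)
            .Select(c => new ClaimData { Type = c.Type, Value = c.Value })
            .ToArray();
    }

    // Step 3: impersonate on a session-aware Core Service client. Content Manager
    // maps the claims to user groups, which resolve to rights and permissions.
    public static void ImpersonateCurrentUser(SessionAwareCoreServiceClient client)
    {
        if (client == null) throw new ArgumentNullException(nameof(client));
        var claims = ToCoreServiceClaims(GetCurrentClaims());
        if (claims.Length == 0)
        {
            throw new InvalidOperationException("The current principal carries no usable claims.");
        }
        client.ImpersonateWithClaims(claims); // assumed signature
        // Subsequent calls on this client run as the impersonated user.
    }
}
```

For a custom web app, replace GetCurrentClaims with the claims returned by the OpenID Connect user-info step described above; the mapping and impersonation steps stay the same.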