Add configuration to filter results in MFAAdmin based on logged-in user
This document is written for PhenixID Server.
The reader should have some basic knowledge about PhenixID Server.
This document describes how to add configuration to filter results in MFAAdmin based on attribute value from logged-in user.
Overview
During setup of MFAAdmin, an organizational unit (OU) is selected as the base. By default, all MFAAdmin users can manage every user below that OU.
This document describes how to add configuration that filters the results in MFAAdmin so that the logged-in user can only manage the users in his/her own OU.
During authentication, the OU attribute of the logged-in user is added to the session. During MFAAdmin search operations, the attribute value is fetched from the session and added to the search filter.
Please make sure to have a backup copy of the configuration before adding the new settings.
Prerequisites
- MFAAdmin configured.
- MFA Admin users in different OUs. (This can be changed to suit your environment)
- OU value stored in adminDescription attribute of user object. (This can be changed to suit your environment)
(In the example below, the MFAAdmin base DN is MFAAdmin_Delegate_Demo. There are two ous below, A and B. Each ou has one MFA administrator, A_Admin and B_Admin. They should only be able to manage users within their own ou.)
Modify authentication pipe
1. Log in to the configuration UI, go to the "Advanced" tab and open the Modules section.
2. Find the mfaadmin module.
3. Find the auth_redirect_url parameter.
4. Copy the authentication alias (the value after /authenticate/).
5. Open the HTTP - Authentication section
6. Search for the alias value fetched in previous step
7. Copy the pipeID value
8. Open the Pipes section and search for the pipeID copied in previous step
9. Append this value to the valve_refs parameter:
,Valve_SessionLoad,Valve_SessionAddOU,Valve_SessionSave
10. Click Stage Changes and Commit Changes
11. Click on the pen to the right of Pipe Valves
12. Add these valves:
{
    "name": "SessionLoadValve",
    "id": "Valve_SessionLoad",
    "config": {
        "id": "{{request.session_id}}"
    }
},
{
    "name": "SessionPropertyAddValve",
    "id": "Valve_SessionAddOU",
    "config": {
        "name": "OU",
        "value": "{{item.adminDescription}}"
    }
},
{
    "name": "SessionPersistValve",
    "id": "Valve_SessionSave",
    "config": {
    }
}
13. Click Stage changes
14. Click Commit changes
15. Open Pipe Valves. Verify that the new valves have been added.
16. Open a new browser window and open https://<phenix_server>/mfaadmin
17. Log in and verify that the OU value has been added to the session (view the server.log file).
Modify the MFAAdmin Search pipe
1. Open Configuration Manager
2. Go to the advanced tab
3. Open Guide Configurations
4. Locate the Guide for MFAAdmin (search for "MFA Admin")
5. Copy the search_pipe_ref value.
6. Open Pipes
7. Find the search_pipe_ref value fetched from previous step
8. Insert "Valve_SessionLoad," in the valve_refs parameter
9. Click Stage changes and Commit changes
10. Copy the value of the last valve reference
11. Open Pipe valves
12. Search for the valve ref copied in previous step
13. Modify the filter_template parameter. Add (adminDescription={{session.OU}}) to the value.
14. Click Stage changes and Commit changes.
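The example below is added here to illustrate the effect of step 13; it is not PhenixID code and does not use the product's template engine or search pipe. It assumes that the OU condition (adminDescription={{session.OU}}) is ANDed with the existing username condition in filter_template, that the session property is named OU as configured above, and that the request search term is substituted through a {{request.username}} placeholder (a constructed name). The directory entries are constructed from the OU layout described in the prerequisites. The example escapes the session value according to RFC 4515 before substitution, so an OU value containing LDAP filter metacharacters cannot widen the search; whether the product itself escapes substituted values is not stated on this page.

```python
"""Added example: how an OU value held in the session narrows an LDAP search
filter so that an MFA administrator only sees users in his/her own OU.
Not PhenixID code. Template, placeholder names and directory data are constructed."""
import re

# RFC 4515 escaping for values placed into an LDAP search filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_value(value, keep_wildcard=False):
    """Escape a filter value. The request search term keeps '*' so that the
    administrator can still run the wildcard search used in the TEST section."""
    return ''.join(ch if (ch == '*' and keep_wildcard) else _ESCAPES.get(ch, ch)
                   for ch in value)


def render_filter(template, context):
    """Fill {{scope.name}} placeholders from context, e.g. {{session.OU}}.
    A missing session property raises KeyError rather than producing an
    unrestricted filter."""
    def sub(match):
        scope, name = match.group(1), match.group(2)
        value = str(context[scope][name])
        return escape_value(value, keep_wildcard=(scope == 'request'))
    return re.sub(r'\{\{(\w+)\.(\w+)\}\}', sub, template)


def _parse(f, i=0):
    """Minimal parser for (&...), (|...), (!...) and (attr=pattern) filters."""
    if f[i] != '(':
        raise ValueError('expected ( at %d' % i)
    i += 1
    if f[i] in '&|!':
        op, i, kids = f[i], i + 1, []
        while f[i] == '(':
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1        # skip closing ')'
    eq = f.index('=', i)
    end = f.index(')', eq)              # ')' inside values is escaped, so this is safe
    return ('=', f[i:eq], f[eq + 1:end]), end + 1


def _unescape(s):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (a dict)."""
    op = node[0]
    if op == '&':
        return all(matches(k, entry) for k in node[1])
    if op == '|':
        return any(matches(k, entry) for k in node[1])
    if op == '!':
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    value = entry.get(attr)
    if value is None:
        return False
    # Unescaped '*' is a wildcard; escaped metacharacters become literals.
    regex = '.*'.join(re.escape(_unescape(part)) for part in pattern.split('*'))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


# Constructed directory: the OUs A and B below MFAAdmin_Delegate_Demo from the
# document, each with one administrator and one ordinary user.
USERS = [
    {"sAMAccountName": "A_Admin", "adminDescription": "A"},
    {"sAMAccountName": "alice",   "adminDescription": "A"},
    {"sAMAccountName": "B_Admin", "adminDescription": "B"},
    {"sAMAccountName": "bob",     "adminDescription": "B"},
]

# Constructed filter_template: the document's OU condition ANDed with the
# username search. {{request.username}} is an assumed placeholder name.
FILTER_TEMPLATE = "(&(sAMAccountName={{request.username}})(adminDescription={{session.OU}}))"


def search(session, username_pattern):
    """Return the usernames an administrator with the given session can see."""
    context = {"session": session, "request": {"username": username_pattern}}
    node, _ = _parse(render_filter(FILTER_TEMPLATE, context))
    return [u["sAMAccountName"] for u in USERS if matches(node, u)]


if __name__ == "__main__":
    # Mirrors the TEST section: a wildcard search as A_Admin, then as B_Admin.
    print(search({"OU": "A"}, "*"))   # ['A_Admin', 'alice']
    print(search({"OU": "B"}, "*"))   # ['B_Admin', 'bob']
```

The last two assertions worth keeping in mind when verifying the configuration: a session whose OU value is itself a wildcard must not match every user, and a session with no OU property must fail rather than fall back to the unrestricted base filter.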
TEST
1. Log in to MFA Admin with user A_admin1
2. Perform a wildcard search (username=*)
3. Make sure only users from ou=A are displayed
4. Perform steps 1-3 for user B_admin.