WIP - ContextSwitching (#1783)

6 years ago · b69ffc0ff8
parent a2ebaf31b1
commit b69ffc0ff8
37 changed files with 217 additions and 118 deletions
--- a/lemonldap-ng-common/lemonldap-ng.ini
+++ b/lemonldap-ng-common/lemonldap-ng.ini
@ -326,6 +326,8 @@ status = 0
 ;hideSignature = 1
 ; Set ServiceToken timeout
 ;handlerServiceTokenTTL = 30
+; Set Impersonation/ContextSwitching prefix
+; impersonationPrefix = real_
 useRedirectOnError = 1

 ; Zimbra Handler parameters
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm
@ -5,7 +5,7 @@ use strict;
 use Exporter 'import';
 use base qw(Exporter);

-our $VERSION = '2.0.5';
+our $VERSION = '2.0.6';

 # CONSTANTS

@ -24,7 +24,7 @@ use constant MANAGERSECTION  => "manager";
 use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
 use constant APPLYSECTION            => "apply";
 our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
-our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|orsEnabled|da)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection)$/;
+our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection)$/;

 our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );

--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
@ -1,16 +1,15 @@
 # This file is generated by Lemonldap::NG::Manager::Build. Don't modify it by hand
 package Lemonldap::NG::Common::Conf::DefaultValues;

-our $VERSION = '2.0.5';
+our $VERSION = '2.0.6';

 sub defaultValues {
    return {
-        'activeTimer'            => 1,
-        'adminImpersonationRule' => 1,
-        'ADPwdExpireWarning'     => 0,
-        'ADPwdMaxAge'            => 0,
-        'apacheAuthnLevel'       => 4,
-        'applicationList'        => {
+        'activeTimer'        => 1,
+        'ADPwdExpireWarning' => 0,
+        'ADPwdMaxAge'        => 0,
+        'apacheAuthnLevel'   => 4,
+        'applicationList'    => {
            'default' => {
                'catname' => 'Default category',
                'type'    => 'category'
@ -19,38 +18,42 @@ sub defaultValues {
        'authChoiceParam' => 'lmAuth',
        'authentication'  => 'Demo',
        'available2F'     => 'UTOTP,TOTP,U2F,REST,Mail2F,Ext2F,Yubikey',
-        'available2FSelfRegistration'   => 'TOTP,U2F,Yubikey',
-        'bruteForceProtectionMaxAge'    => 300,
-        'bruteForceProtectionMaxFailed' => 3,
-        'bruteForceProtectionTempo'     => 30,
-        'captcha_mail_enabled'          => 1,
-        'captcha_register_enabled'      => 1,
-        'captcha_size'                  => 6,
-        'casAccessControlPolicy'        => 'none',
-        'casAuthnLevel'                 => 1,
-        'checkTime'                     => 600,
-        'checkUserHiddenAttributes'     => '_loginHistory hGroups',
-        'checkUserIdRule'               => 1,
-        'checkXSS'                      => 1,
-        'confirmFormMethod'             => 'post',
-        'cookieName'                    => 'lemonldap',
-        'corsAllow_Credentials'         => 'true',
-        'corsAllow_Headers'             => '*',
-        'corsAllow_Methods'             => 'POST,GET',
-        'corsAllow_Origin'              => '*',
-        'corsEnabled'                   => 1,
-        'corsExpose_Headers'            => '*',
-        'corsMax_Age'                   => '86400',
-        'cspConnect'                    => '\'self\'',
-        'cspDefault'                    => '\'self\'',
-        'cspFont'                       => '\'self\'',
-        'cspFormAction'                 => '\'self\'',
-        'cspImg'                        => '\'self\' data:',
-        'cspScript'                     => '\'self\'',
-        'cspStyle'                      => '\'self\'',
-        'dbiAuthnLevel'                 => 2,
-        'dbiExportedVars'               => {},
-        'demoExportedVars'              => {
+        'available2FSelfRegistration'      => 'TOTP,U2F,Yubikey',
+        'bruteForceProtectionMaxAge'       => 300,
+        'bruteForceProtectionMaxFailed'    => 3,
+        'bruteForceProtectionTempo'        => 30,
+        'captcha_mail_enabled'             => 1,
+        'captcha_register_enabled'         => 1,
+        'captcha_size'                     => 6,
+        'casAccessControlPolicy'           => 'none',
+        'casAuthnLevel'                    => 1,
+        'checkTime'                        => 600,
+        'checkUserHiddenAttributes'        => '_loginHistory hGroups',
+        'checkUserIdRule'                  => 1,
+        'checkXSS'                         => 1,
+        'confirmFormMethod'                => 'post',
+        'contextSwitchingHiddenAttributes' => '',
+        'contextSwitchingIdRule'           => 1,
+        'contextSwitchingRule'             => 0,
+        'contextSwitchingStopWithLogout'   => 1,
+        'cookieName'                       => 'lemonldap',
+        'corsAllow_Credentials'            => 'true',
+        'corsAllow_Headers'                => '*',
+        'corsAllow_Methods'                => 'POST,GET',
+        'corsAllow_Origin'                 => '*',
+        'corsEnabled'                      => 1,
+        'corsExpose_Headers'               => '*',
+        'corsMax_Age'                      => '86400',
+        'cspConnect'                       => '\'self\'',
+        'cspDefault'                       => '\'self\'',
+        'cspFont'                          => '\'self\'',
+        'cspFormAction'                    => '\'self\'',
+        'cspImg'                           => '\'self\' data:',
+        'cspScript'                        => '\'self\'',
+        'cspStyle'                         => '\'self\'',
+        'dbiAuthnLevel'                    => 2,
+        'dbiExportedVars'                  => {},
+        'demoExportedVars'                 => {
            'cn'   => 'cn',
            'mail' => 'mail',
            'uid'  => 'uid'
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
@ -5,7 +5,7 @@ use strict;
 use Exporter 'import';
 use base qw(Exporter);

-our $VERSION = '2.0.5';
+our $VERSION = '2.0.6';

 our %EXPORT_TAGS = ( 'all' => [qw($simpleHashKeys $doubleHashKeys $specialNodeKeys $casAppMetaDataNodeKeys $casSrvMetaDataNodeKeys $oidcOPMetaDataNodeKeys $oidcRPMetaDataNodeKeys $samlIDPMetaDataNodeKeys $samlSPMetaDataNodeKeys $virtualHostKeys $specialNodeHash $authParameters $issuerParameters $samlServiceParameters $oidcServiceParameters $casServiceParameters)] );
 our @EXPORT_OK   = ( @{ $EXPORT_TAGS{'all'} } );
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -1,7 +1,7 @@
 # This file is generated by Lemonldap::NG::Manager::Build. Don't modify it by hand
 package Lemonldap::NG::Manager::Attributes;

-our $VERSION = '2.0.5';
+our $VERSION = '2.0.6';

 sub perlExpr {
    my ( $val, $conf ) = @_;
@ -257,10 +257,6 @@ sub attributes {
            'default' => 1,
            'type'    => 'bool'
        },
-        'adminImpersonationRule' => {
-            'default' => 1,
-            'type'    => 'boolOrExpr'
-        },
        'ADPwdExpireWarning' => {
            'default' => 0,
            'type'    => 'int'
@ -927,6 +923,25 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            ],
            'type' => 'select'
        },
+        'contextSwitchingHiddenAttributes' => {
+            'default' => '',
+            'type'    => 'text'
+        },
+        'contextSwitchingIdRule' => {
+            'default' => 1,
+            'test'    => sub {
+                return perlExpr(@_);
+            },
+            'type' => 'text'
+        },
+        'contextSwitchingRule' => {
+            'default' => 0,
+            'type'    => 'boolOrExpr'
+        },
+        'contextSwitchingStopWithLogout' => {
+            'default' => 1,
+            'type'    => 'bool'
+        },
        'cookieExpiration' => {
            'type' => 'int'
        },
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -6,7 +6,7 @@

 package Lemonldap::NG::Manager::Build::Attributes;

-our $VERSION = '2.0.5';
+our $VERSION = '2.0.6';
 use strict;
 use Regexp::Common qw/URI/;

@ -486,10 +486,27 @@ sub attributes {
            documentation => 'Skip session empty values',
            flags         => 'p',
        },
-        adminImpersonationRule => {
+        contextSwitchingRule => {
            type          => 'boolOrExpr',
+            default       => 0,
+            documentation => 'Context switching activation rule',
+        },
+        contextSwitchingIdRule => {
+            type          => 'text',
+            test          => sub { return perlExpr(@_) },
+            default       => 1,
+            documentation => 'Context switching identities rule',
+        },
+        contextSwitchingStopWithLogout => {
+            type          => 'bool',
            default       => 1,
-            documentation => 'adminImpersonation activation rule',
+            documentation => 'Stop context switching by logout',
+        },
+        contextSwitchingHiddenAttributes => {
+            type          => 'text',
+            default       => '',
+            documentation => 'Attributes to skip',
+            flags         => 'p',
        },
        skipRenewConfirmation => {
            type    => 'bool',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -17,7 +17,7 @@

 package Lemonldap::NG::Manager::Build::Tree;

-our $VERSION = '2.0.3';
+our $VERSION = '2.0.6';

 # TODO: Missing:
 #  * activeTimer
@ -657,12 +657,22 @@ sub tree {
                            nodes => [
                                'impersonationRule',
                                'impersonationIdRule',
-                                'impersonationPrefix',
                                'impersonationHiddenAttributes',
                                'impersonationSkipEmptyValues',
                                'impersonationMergeSSOgroups',
                            ]
                        },
+                        {
+                            title => 'contextSwitching',
+                            help  => 'contextswitching.html',
+                            form  => 'simpleInputContainer',
+                            nodes => [
+                                'contextSwitchingRule',
+                                'contextSwitchingIdRule',
+                                'contextSwitchingStopWithLogout',
+                                'contextSwitchingHiddenAttributes',
+                            ]
+                        },
                    ]
                },
                {
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -140,6 +140,11 @@
 "categoryName":"اسم الفئة",
 "cda":"نطاقات متعددة",
 "contentSecurityPolicy":"السياسة الأمنية للمحتوى",
+"contextSwitching":"Switch context anoter user",
+"contextSwitchingHiddenAttributes":"Stop by logout",
+"contextSwitchingIdRule":"Identities use rule",
+"contextSwitchingRule":"استخدام القاعدة",
+"contextSwitchingStopWithLogout":"Identities use rule",
 "cspDefault":"القيمة الاعتيادية ",
 "cspFormAction":"Form destinations",
 "cspImg":"مصدر الصورة",
@ -303,7 +308,6 @@
 "impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"السمات المخفية",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
-"impersonationPrefix":"Real attributes prefix",
 "impersonationSkipEmptyValues":"Skip empty values",
 "incompleteForm":"الحقول المطلوبة مفقودة",
 "index":"فهرس",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json
@ -140,6 +140,11 @@
 "categoryName":"Category name",
 "cda":"Mehrere Domains",
 "contentSecurityPolicy":"Content security policy",
+"contextSwitching":"Switch context anoter user",
+"contextSwitchingHiddenAttributes":"Hidden attributes",
+"contextSwitchingIdRule":"Identities use rule",
+"contextSwitchingRule":"Use rule",
+"contextSwitchingStopWithLogout":"Stop by logout",
 "cspDefault":"Default value",
 "cspFormAction":"Form destinations",
 "cspImg":"Image source",
@ -303,7 +308,6 @@
 "impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
-"impersonationPrefix":"Real attributes prefix",
 "impersonationSkipEmptyValues":"Skip empty values",
 "incompleteForm":"Required fields are missing",
 "index":"Index",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -140,6 +140,11 @@
 "categoryName":"Category name",
 "cda":"Multiple domains",
 "contentSecurityPolicy":"Content security policy",
+"contextSwitching":"Switch context anoter user",
+"contextSwitchingHiddenAttributes":"Hidden attributes",
+"contextSwitchingIdRule":"Identities use rule",
+"contextSwitchingRule":"Use rule",
+"contextSwitchingStopWithLogout":"Stop by logout",
 "cspDefault":"Default value",
 "cspFormAction":"Form destinations",
 "cspImg":"Image source",
@ -303,7 +308,6 @@
 "impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
-"impersonationPrefix":"Real attributes prefix",
 "impersonationSkipEmptyValues":"Skip empty values",
 "incompleteForm":"Required fields are missing",
 "index":"Index",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -140,6 +140,11 @@
 "categoryName":"Nom de la catégorie",
 "cda":"Domaines multiples",
 "contentSecurityPolicy":"Politique de sécurité de contenu",
+"contextSwitching":"Endossement d'identités",
+"contextSwitchingHiddenAttributes":"Attributs masqués",
+"contextSwitchingIdRule":"Règle d'utilisation des identités",
+"contextSwitchingRule":"Règle d'utilisation",
+"contextSwitchingStopWithLogout":"Arrêt par déconnexion",
 "cspDefault":"Valeur par défaut",
 "cspFormAction":"Destinations des formulaires",
 "cspImg":"Sources des images",
@ -303,7 +308,6 @@
 "impersonationIdRule":"Règle d'utilisation des identités",
 "impersonationHiddenAttributes":"Attributs masqués",
 "impersonationMergeSSOgroups":"Fusionner les groupes SSO réels et usurpés",
-"impersonationPrefix":"Préfix des vrais attributs",
 "impersonationSkipEmptyValues":"Ignorer les valeurs nulles",
 "incompleteForm":"Des champs requis manquent",
 "index":"Index",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -140,6 +140,11 @@
 "categoryName":"Nome della categoria",
 "cda":"Domini multipli",
 "contentSecurityPolicy":"Politica di protezione dei contenuti",
+"contextSwitching":"Switch context anoter user",
+"contextSwitchingHiddenAttributes":"Hidden attributes",
+"contextSwitchingIdRule":"Identities use rule",
+"contextSwitchingRule":"Use rule",
+"contextSwitchingStopWithLogout":"Stop by logout",
 "cspDefault":"Valore di default",
 "cspFormAction":"Formare le destinazioni",
 "cspImg":"Origine immagine",
@ -303,7 +308,6 @@
 "impersonationIdRule":"Le identità usano la regola",
 "impersonationHiddenAttributes":"Attributi nascosti",
 "impersonationMergeSSOgroups":"Unisci gruppi SSO usurpati e reali",
-"impersonationPrefix":"Prefisso degli attributi reali",
 "impersonationSkipEmptyValues":"Salta valori vuoti",
 "incompleteForm":"Mancano campi obbligatori",
 "index":"Indice",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -140,6 +140,11 @@
 "categoryName":"Tên thể loại",
 "cda":"Nhiều tên miền",
 "contentSecurityPolicy":"Chính sách bảo mật nội dung",
+"contextSwitching":"Switch context anoter user",
+"contextSwitchingHiddenAttributes":"Hidden attributes",
+"contextSwitchingIdRule":"Identities use rule",
+"contextSwitchingRule":"Use rule",
+"contextSwitchingStopWithLogout":"Stop by logout",
 "cspDefault":"Giá trị mặc định",
 "cspFormAction":"Form destinations",
 "cspImg":"Nguồn ảnh",
@ -303,7 +308,6 @@
 "impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Thuộc tính ẩn",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
-"impersonationPrefix":"Real attributes prefix",
 "impersonationSkipEmptyValues":"Skip empty values",
 "incompleteForm":"Các trường bắt buộc bị thiếu",
 "index":"Chỉ mục",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@ -140,6 +140,11 @@
 "categoryName":"分类名称",
 "cda":"Multiple domains",
 "contentSecurityPolicy":"Content security policy",
+"contextSwitching":"Switch context anoter user",
+"contextSwitchingHiddenAttributes":"Hidden attributes",
+"contextSwitchingIdRule":"Identities use rule",
+"contextSwitchingRule":"Use rule",
+"contextSwitchingStopWithLogout":"Stop by logout",
 "cspDefault":"Default value",
 "cspFormAction":"Form destinations",
 "cspImg":"Image source",
@ -303,7 +308,6 @@
 "impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
-"impersonationPrefix":"Real attributes prefix",
 "impersonationSkipEmptyValues":"Skip empty values",
 "incompleteForm":"Required fields are missing",
 "index":"Index",
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-manager/t/80-attributes.t
+++ b/lemonldap-ng-manager/t/80-attributes.t
@ -55,7 +55,7 @@ my @notManagedAttributes = (
    'configStorage', 'status', 'localStorageOptions', 'localStorage',
    'max2FDevices',              'max2FDevicesNameLength', 'checkTime',
    'mySessionAuthorizedRWKeys', 'handlerInternalCache',
-    'handlerServiceTokenTTL'
+    'handlerServiceTokenTTL',    'impersonationPrefix'
 );

 # Words used either as attribute name and node title
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Menu.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Menu.pm
@ -114,15 +114,15 @@ sub params {
      $self->p->_sfEngine->display2fRegisters( $req, $req->userData );
    $self->logger->debug("Display 2fRegisters link") if $res{sfaManager};

-    # Display adminImpersonation link only if allowed
-    my $impPlugin = $self->p->loadedModules->{
-        'Lemonldap::NG::Portal::Plugins::AdminImpersonation'};
-    $res{adminImpersonation} =
-        $impPlugin
-      ? $impPlugin->displayAdminImpersonation( $req, $req->userData )
+    # Display ContextSwitching link only if allowed
+    my $cswPlugin = $self->p->loadedModules->{
+        'Lemonldap::NG::Portal::Plugins::ContextSwitching'};
+    $res{contextSwitching} =
+        $cswPlugin
+      ? $cswPlugin->displaySwitchContext( $req, $req->userData )
      : '';
-    $self->logger->debug("Display AdminImpersonation link")
-      if $res{adminImpersonation};
+    $self->logger->debug("Display SwitchContext link")
+      if $res{contextSwitching};

    return %res;
 }
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm
@ -27,7 +27,7 @@ our @pList = (
    portalForceAuthn           => '::Plugins::ForceAuthn',
    checkUser                  => '::Plugins::CheckUser',
    impersonationRule          => '::Plugins::Impersonation',
-    adminImpersonationRule     => '::Plugins::AdminImpersonation',
+    contextSwitchingRule       => '::Plugins::ContextSwitching',
 );

 ##@method list enabledPlugins
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdminImpersonation.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/AdminImpersonation.pm
@ -1,4 +1,4 @@
-package Lemonldap::NG::Portal::Plugins::AdminImpersonation;
+package Lemonldap::NG::Portal::Plugins::ContextSwitching;

 use strict;
 use Mouse;
@ -16,7 +16,7 @@ has rule   => ( is => 'rw', default => sub { 1 } );
 has idRule => ( is => 'rw', default => sub { 1 } );

 sub hAttr {
-    $_[0]->{conf}->{impersonationHiddenAttributes} . ' '
+    $_[0]->{conf}->{contextSwitchingHiddenAttributes} . ' '
      . $_[0]->{conf}->{hiddenAttributes};
 }

@ -34,29 +34,29 @@ has ott => (
 sub init {
    my ($self) = @_;
    my $hd = $self->p->HANDLER;
-    $self->addAuthRoute( impersonate => 'run',     ['POST'] );
-    $self->addAuthRoute( impersonate => 'display', ['GET'] );
+    $self->addAuthRoute( switchcontext => 'run',     ['POST'] );
+    $self->addAuthRoute( switchcontext => 'display', ['GET'] );

    # Parse activation rule
    $self->logger->debug(
-        'AdminImpersonation rule -> ' . $self->conf->{adminImpersonationRule} );
+        'ContextSwitching rule -> ' . $self->conf->{contextSwitchingRule} );
    my $rule =
-      $hd->buildSub( $hd->substitute( $self->conf->{adminImpersonationRule} ) );
+      $hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingRule} ) );
    unless ($rule) {
        $self->error(
-            'Bad adminImpersonation rule -> ' . $hd->tsv->{jail}->error );
+            'Bad contextSwitching rule -> ' . $hd->tsv->{jail}->error );
        return 0;
    }
    $self->rule($rule);

    # Parse identity rule
-    $self->logger->debug( "Impersonation identity rule -> "
-          . $self->conf->{impersonationIdRule} );
+    $self->logger->debug( "ContextSwitching identities rule -> "
+          . $self->conf->{contextSwitchingIdRule} );
    $rule =
-      $hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
+      $hd->buildSub( $hd->substitute( $self->conf->{contextSwitchingIdRule} ) );
    unless ($rule) {
        $self->error(
-            "Bad impersonation identity rule -> " . $hd->tsv->{jail}->error );
+            "Bad contextSwitching identities rule -> " . $hd->tsv->{jail}->error );
        return 0;
    }
    $self->idRule($rule);
@ -73,10 +73,10 @@ sub display {
        PORTAL    => $self->conf->{portal},
        MAIN_LOGO => $self->conf->{portalMainLogo},
        LANGS     => $self->conf->{showLanguages},
-        MSG       => 'impersonate',
+        MSG       => 'contextSwitching',
        ALERTE    => 'alert-danger',
        LOGIN     => '',
-        SPOOFID   => $self->conf->{adminImpersonationRule},
+        SPOOFID   => $self->conf->{contextSwitchingRule},
        TOKEN     => (
              $self->ottRule->( $req, {} )
            ? $self->ott->createToken()
@ -84,7 +84,7 @@ sub display {
        )
    };

-    return $self->p->sendHtml( $req, 'adminImpersonation', params => $params, );
+    return $self->p->sendHtml( $req, 'contextSwitching', params => $params, );
 }

 sub run {
@ -93,7 +93,7 @@ sub run {
    my $spoofId = $req->param('spoofId') || '';    # Impersonation required ?

    unless ($spoofId) {
-        $self->logger->debug("No impersonation required");
+        $self->logger->debug("No context switching required");
        $req->mustRedirect(1);
        return $self->p->do( $req, [ sub { PE_OK } ] );
    }
@ -101,7 +101,7 @@ sub run {
    unless ( $spoofId =~ /$self->{conf}->{userControl}/o ) {
        $self->userLogger->error('Malformed spoofed Id');
        $self->logger->debug(
-            "AdminImpersonation tried with spoofed Id: $spoofId");
+            "Context switching tried with spoofed Id: $spoofId");
        $spoofId = $req->{user};
        $statut  = PE_MALFORMEDUSER;
    }
@ -111,7 +111,7 @@ sub run {
        $self->logger->debug("Spoof Id: $spoofId");
        unless ( $self->rule->( $req, $req->sessionInfo ) ) {
            $self->userLogger->error(
-                'adminImpersonation service not authorized');
+                'Context switching service not authorized');
            $spoofId = '';
            $statut  = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
        }
@ -122,9 +122,9 @@ sub run {
    $self->logger->debug("Rename real attributes...");
    my $spk = '';
    foreach my $k ( keys %{ $req->{userData} } ) {
-        if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
-            next unless defined $req->{userData}->{$k};
-        }
+        # if ( $self->{conf}->{impersonationSkipEmptyValues} ) {
+        #     next unless defined $req->{userData}->{$k};
+        # }
        $spk = "$self->{conf}->{impersonationPrefix}$k";
        unless ( $self->hAttr =~ /\b$k\b/
            || $k =~ /^(?:_imp|token|_type)\w*\b/ )
@ -157,7 +157,7 @@ sub run {
    # Merging SSO Groups and hGroups & dedup
    $spoofSession->{groups}  ||= '';
    $spoofSession->{hGroups} ||= {};
-    if ( $self->{conf}->{impersonationMergeSSOgroups} ) {
+    #if ( $self->{conf}->{impersonationMergeSSOgroups} ) {
        $self->userLogger->warn("MERGING SSO groups and hGroups...");
        my $spg       = "$self->{conf}->{impersonationPrefix}groups";
        my $sphg      = "$self->{conf}->{impersonationPrefix}hGroups";
@ -171,20 +171,20 @@ sub run {
        $realSession->{$sphg} ||= {};

        # Merge specified groups/hGroups only
-        unless ( $self->{conf}->{impersonationMergeSSOgroups} eq 1 ) {
-            my %SSOgroups = map { $_, 1 } split /\Q$separator/,
-              $self->{conf}->{impersonationMergeSSOgroups};
-
-            $self->logger->debug("Filtering specified groups/hGroups...");
-            @realGrps = grep { exists $SSOgroups{$_} } @realGrps;
-            my %intersct =
-              map {
-                $realSession->{$sphg}->{$_}
-                  ? ( $_, $realSession->{$sphg}->{$_} )
-                  : ()
-              } keys %SSOgroups;
-            $realSession->{$sphg} = \%intersct;
-        }
+        # unless ( $self->{conf}->{impersonationMergeSSOgroups} eq 1 ) {
+        #     my %SSOgroups = map { $_, 1 } split /\Q$separator/,
+        #       $self->{conf}->{impersonationMergeSSOgroups};
+
+        #     $self->logger->debug("Filtering specified groups/hGroups...");
+        #     @realGrps = grep { exists $SSOgroups{$_} } @realGrps;
+        #     my %intersct =
+        #       map {
+        #         $realSession->{$sphg}->{$_}
+        #           ? ( $_, $realSession->{$sphg}->{$_} )
+        #           : ()
+        #       } keys %SSOgroups;
+        #     $realSession->{$sphg} = \%intersct;
+        # }

        $self->logger->debug("Processing groups...");
        @spoofGrps = ( @spoofGrps, @realGrps );
@ -194,7 +194,7 @@ sub run {
        $self->logger->debug("Processing hGroups...");
        $spoofSession->{hGroups} =
          { %{ $spoofSession->{hGroups} }, %{ $realSession->{$sphg} } };
-    }
+   # }

    # Main session
    $self->p->updateSession( $req, $spoofSession );
@ -262,10 +262,10 @@ sub _userData {
    return $req->{sessionInfo};
 }

-sub displayAdminImpersonation {
+sub displaySwitchContext {
    my ( $self, $req ) = @_;
-    return $self->rule->( $req, $req->userData )
-      || $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"};
+    return 2 if $req->userData->{"$self->{conf}->{impersonationPrefix}_session_id"};
+    return $self->rule->( $req, $req->userData );
 }

 1;
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
@ -37,13 +37,13 @@ sub init {
    $self->rule($rule);

    # Parse identity rule
-    $self->logger->debug( "Impersonation identity rule -> "
+    $self->logger->debug( "Impersonation identities rule -> "
          . $self->conf->{impersonationIdRule} );
    $rule =
      $hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
    unless ($rule) {
        $self->error(
-            "Bad impersonation identity rule -> " . $hd->tsv->{jail}->error );
+            "Bad impersonation identities rule -> " . $hd->tsv->{jail}->error );
        return 0;
    }
    $self->idRule($rule);
--- a/lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext1.png
+++ b/lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext1.png
--- a/lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext2.png
+++ b/lemonldap-ng-portal/site/htdocs/static/common/icons/switchcontext2.png
--- a/lemonldap-ng-portal/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/ar.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"انا متاكد",
 "info":"معلومات",
 "ipAddr":"عنوان الأي بي",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/de.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"ID",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"Ich bin sicher",
 "info":"Information",
 "ipAddr":"IP Adresse",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/en.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"I'm sure",
 "info":"Information",
 "ipAddr":"IP address",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/es.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/es.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"I'm sure",
 "info":"Information",
 "ipAddr":"IP address",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/fi.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/fi.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"Olen varma",
 "info":"Information",
 "ipAddr":"IP-osoite",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/fr.json
@ -143,6 +143,8 @@
 "groups_sso":"GROUPES SSO",
 "headers":"ENTETES",
 "id":"Id",
+"contextSwitching":"Endosser l'identité d'un autre utilisateur",
+"switchContext":"Changer de contexte",
 "imSure":"Je suis sûr",
 "info":"Information",
 "ipAddr":"Adresse IP",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/it.json
@ -143,6 +143,8 @@
 "groups_sso":"GRUPPI SSO",
 "headers":"INTESTAZIONI",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"Sono sicuro",
 "info":"Informazioni",
 "ipAddr":"Indirizzo IP",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/nl.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/nl.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"I'm sure",
 "info":"Information",
 "ipAddr":"IP address",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/pt.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/pt.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"I'm sure",
 "info":"Information",
 "ipAddr":"IP address",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/ro.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/ro.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"I'm sure",
 "info":"Information",
 "ipAddr":"IP address",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/vi.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"Tôi chắc chắn",
 "info":"Thông tin",
 "ipAddr":"Địa chỉ IP",
--- a/lemonldap-ng-portal/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-portal/site/htdocs/static/languages/zh.json
@ -143,6 +143,8 @@
 "groups_sso":"SSO GROUPS",
 "headers":"HEADERS",
 "id":"Id",
+"contextSwitching":"Impersonate another user",
+"switchContext":"Switch context",
 "imSure":"我确认",
 "info":"信息",
 "ipAddr":"IP 地址",
--- a/lemonldap-ng-portal/site/templates/bootstrap/adminImpersonation.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/adminImpersonation.tpl
@ -5,7 +5,7 @@
  <div class="message message-positive alert"><span trspan="<TMPL_VAR NAME="MSG">"></span></div>
 -->
  <div class="alert <TMPL_VAR NAME="ALERTE"> alert"><div class="text-center"><span trspan="<TMPL_VAR NAME="MSG">"></span></div></div>
-  <form id="adminImpersonation" action="/impersonate" method="post" class="password" role="form">
+  <form id="contextSwitching" action="/switchcontext" method="post" class="password" role="form">
    <div class="buttons">
      <TMPL_IF NAME="TOKEN">
      <input type="hidden" name="token" value="<TMPL_VAR NAME="TOKEN">" />
@ -15,7 +15,7 @@

      <button type="submit" class="btn btn-success">
        <span class="fa fa-random"></span>
-        <span trspan="impersonate">Impersonate</span>
+        <span trspan="switchContext">switchContext</span>
      </button>
    </div>
  </form>
--- a/lemonldap-ng-portal/site/templates/bootstrap/menu.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/menu.tpl
@ -67,10 +67,10 @@
                <span trspan="sfaManager">sfaManager</span>
              </a></li>
            </TMPL_IF>
-            <TMPL_IF NAME="adminImpersonation">
-              <li class="dropdown-item"><a href="/impersonate" class="nav-link">
-                <img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/sfa_manager.png" width="16" height="16" alt="refresh" />
-                <span trspan="adminImpersonate">adminImpersonate</span>
+            <TMPL_IF NAME="contextSwitching">
+              <li class="dropdown-item"><a href="/switchcontext" class="nav-link">
+                <img src="<TMPL_VAR NAME="STATIC_PREFIX">common/icons/switchcontext1.png" width="16" height="16" alt="refresh" />
+                <span trspan="contextSwitching">contextSwitching</span>
              </a></li>
            </TMPL_IF>
            <li class="dropdown-item"><a href="/refresh" class="nav-link">