Development Guides

Impersonation

Purpose: This article explains how to use Impersonation, which allows an API user to access the Orion API on behalf of another user.

Simple Use Case: An Administrator wants to log into Orion Connect as a specific Advisor to review reports created by this user.

Scope and Outputs: You will be able to review the information for the appropriate entity-level user as they see it; however, you will not be given the user's login information to log in directly.

Process Overview:

  1. Use or Create an API user. 
  2. Authenticate to Orion with API credentials (REST API).
  3. Impersonate a specific Entity and get an API token for their level.
  4. Use that token in the appropriate Portal URL.

Process Steps:

  1. Use an existing API-level account or create a new one. This is an Advisor-level user set to the user role called “API/Integration Role”. Your user Admin will need to create this if you do not have one, using the following steps:
    • Locate and launch Manage Users app
    • Select Advisor level on left
    • Actions>New User
    • Create User ID (Recommend Firm_integration name or Firm_API for example)
    • Select Role – API/Integration
    • Save (show temporary password)
    • Use the temporary password to log in to Orion Connect (login.orionadvisor.com) and create a permanent password. You cannot log into Orion Connect with an API user, but you can update the password from the login screen.
  2. Authenticate to Orion with API credentials (REST API):

Code:

[GET]
 https://api.orionadvisor.com/api/v1/security/token
[HEADER]
 Authorization: Basic {uid: pwd} – base64 encoded
 Client ID:
 Client Secret:

In the response you will get an API auth token.

  3. Next, impersonate a specific Entity and get an API token at their level.

Code: The following is an example of impersonating a Representative. You can also impersonate a Client by using Entity: 5 and EntityId: {client id}.

[GET]
 https://api.orionadvisor.com/api/v1/security/token
[HEADERS]
 Authorization: Impersonate {service level auth_token}
 Client ID:
 Client Secret:
 Entity: 4
 EntityId: {Rep ID}

  4. Now use that token in the appropriate Portal URL.

Process Tips or Controls:

1. For Client impersonation you can enable “just in time” creation so that clients that do not already have a user will have one created during the authentication process. However, since this solution anticipates that this will then be the only way this user accesses the platform, the username created is randomly generated.

2. If the impersonation is for a Rep ID that is not the default Rep ID, you will want to include the Header “LoginName” as seen below.

 Authorization: Impersonate {service level auth_token}
 Client ID:
 Client Secret:
 Entity: 4
 EntityId: {Rep ID}
 LoginName:
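
The requests from steps 2 and 3, including the optional LoginName header from tip 2, can be assembled as in the following added example (not Orion's own code; nothing is sent over the network). The function names are hypothetical, the header names are assumed to be literal as printed above, and entity IDs are assumed to be integers. It rejects values containing line breaks so caller-supplied IDs or login names cannot add headers to an impersonation request, and masks the token and secret before logging.

```python
import base64

TOKEN_URL = "https://api.orionadvisor.com/api/v1/security/token"  # from the guide
ENTITY = {"rep": 4, "client": 5}  # Entity values given in the guide

def _clean(name, value):
    """Reject empty values and ones that could inject extra header lines."""
    value = str(value)
    if not value or any(c in value for c in "\r\n\0"):
        raise ValueError(f"invalid value for {name}")
    return value

def _client_headers(client_id, client_secret):
    # Assumption: the header names are literal, exactly as the guide prints them.
    return {"Client ID": _clean("Client ID", client_id),
            "Client Secret": _clean("Client Secret", client_secret)}

def service_token_request(uid, pwd, client_id, client_secret):
    """Step 2: Basic auth, i.e. base64 of "uid:pwd"."""
    if ":" in uid:
        raise ValueError("user id must not contain ':'")
    pair = base64.b64encode(f"{uid}:{pwd}".encode("utf-8")).decode("ascii")
    return "GET", TOKEN_URL, {"Authorization": f"Basic {pair}",
                              **_client_headers(client_id, client_secret)}

def impersonation_request(service_token, kind, entity_id, client_id,
                          client_secret, login_name=None):
    """Step 3: exchange the service-level token for an entity-level one."""
    if kind not in ENTITY:
        raise ValueError("kind must be 'rep' or 'client'")
    headers = {"Authorization": f"Impersonate {_clean('token', service_token)}",
               **_client_headers(client_id, client_secret),
               "Entity": str(ENTITY[kind]),
               "EntityId": str(int(entity_id))}  # assumption: IDs are integers
    if login_name is not None:  # tip 2: Rep ID that is not the default
        headers["LoginName"] = _clean("LoginName", login_name)
    return "GET", TOKEN_URL, headers

def redact(headers):
    """Copy of the headers that is safe to log: token and secret are masked."""
    out = dict(headers)
    out["Authorization"] = out["Authorization"].split(" ", 1)[0] + " ***"
    out["Client Secret"] = "***"
    return out
```

Log only the output of `redact()`: an impersonation token grants the access of the entity it was issued for, so it should be handled like that user's session.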