bionic (8) dacs_select_credentials.8.gz

Provided by: dacs_1.4.38a-2build1_amd64

NAME

       dacs_select_credentials - temporarily disable DACS credentials

SYNOPSIS

       dacs_select_credentials [dacsoptions[1]]

DESCRIPTION

       This program is part of the DACS suite.

       A user may concurrently possess more than one set of DACS credentials during a session, with each
       representing a different identity. Zero or more credentials may be submitted with a request for a
       DACS-wrapped web service. It is sometimes desirable or necessary for a user to switch between identities,
       or to be considered unauthenticated. Middleware (software situated between a user agent and a
       DACS-capable web server) and more sophisticated user agents might provide this functionality simply by
       sending some DACS HTTP cookies and not sending others, under user control. With standard browsers or in
       other situations where this functionality is not available, achieving this by repeatedly authenticating
       and signing off (or by manually deleting cookies) would be inconvenient at best.

       The dacs_select_credentials web service can be used to temporarily disable credentials, leaving the
       remaining credentials selected for access control purposes. The user agent continues to send all DACS
       HTTP cookies as usual, but dacs_acs(8)[2] will ignore disabled identities before deciding to grant or
       deny access. This feature can be used to work around the maximum number of identities that DACS allows to
       be associated with a request - determined by the ACS_CREDENTIALS_LIMIT[3] directive - or for
       administrative, testing, or other reasons. There are similarities between dacs_select_credentials and
       su(1)[4].

       A selected identity is handled normally, but a disabled identity is "hidden": it is not considered for
       access control purposes and is not reported by dacs_current_credentials(8)[5]. A disabled identity may be
       re-enabled by dacs_select_credentials, and dacs_signout(8)[6] will work with disabled identities. All
       identities, disabled or not, are still considered for the purposes of revoking access and in the other
       situations described below.

       The selected credentials are identified by a cryptographically protected cookie that is issued by
       dacs_select_credentials. The HTTP cookie name has the following format:

           DACS:Federation-Name::::SELECTED

       where Federation-Name is the official name assigned to the federation for which the cookie is valid (see
       COOKIE_NAME_TERMINATORS[7]). This cookie confers no identity or access control rights to its possessor.
       If this cookie is deleted, or just not sent with a request, all credentials accompanying the request are
       used for access control. If dacs_signout(8)[6] asks the browser to delete all credentials (i.e., no more
       credentials exist that dacs_signout is aware of), it will also ask the browser to delete the selected
       credentials cookie.

       The FORMAT argument (see dacs(1)[8]) determines the type of output, with the default being HTML, using
       the style sheet dacs_select_credentials.css[9]. If XML output is selected, a document conforming to
       dacs_select_credentials.dtd[10] is returned. The JSON format (RFC 7159[11]) is also recognized.

OPTIONS

   Web Service Arguments
       dacs_select_credentials accepts the following arguments in addition to the standard CGI arguments[12].

       OPERATION
           This parameter is required and must be one of (case-insensitively):

           SELECT
               This operation replaces the current set of selected credentials, if any, with the set that match
               the DACS_USERNAME and DACS_JURISDICTION arguments. It is an error if no credentials match the
               arguments.

           DESELECT
               This operation disables the specified enabled credentials. If no credentials remain selected, the
               user is effectively unauthenticated as if by the SELECT_UNAUTH operation. Non-matching arguments
               are ignored.

           ADD
               The ADD operation adds the specified disabled credentials to the set of enabled credentials.

           LIST
               This operation lists the selection status.

           CLEAR
               This operation results in no selection, with all credentials available again.

           SELECT_UNAUTH
               This operation makes the user effectively unauthenticated; all credentials are disabled.

            DESELECT_UNAUTH
                This operation reverses SELECT_UNAUTH, resulting in no selection, with all credentials again
                available. It is an error if the user is not effectively unauthenticated when the operation is
                invoked.

        DACS_USERNAME
            This argument specifies a username to match against existing credentials for the SELECT, DESELECT,
            and ADD operations. Exact string matching is used. If this argument is absent, credentials with any
            username match.

        DACS_JURISDICTION
            This argument specifies a jurisdiction name to match against existing credentials for the SELECT,
            DESELECT, and ADD operations. Exact string matching is used. If this argument is absent, credentials
            with any jurisdiction match.

       COOKIE_SYNTAX
           This parameter has the same semantics as with the dacs_authenticate(8)[13] service.

           Tip
           The dacs_authenticate(8)[14] web service takes an optional argument, OPERATION, that can have the
           value SELECT. If authentication succeeds and this argument is present, the resulting credentials are
           selected as described above.
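
       The following Python model is added here as an illustration; it is not DACS code and does not appear on
       the original page. It exercises the semantics described above: the OPERATION set, the exact-match rule
       for DACS_USERNAME and DACS_JURISDICTION (an absent argument matches everything), the "effectively
       unauthenticated" state, and the role of the SELECTED cookie from the DESCRIPTION as a cryptographically
       protected filter that confers no rights of its own. The cookie value layout, the HMAC-SHA256 scheme,
       the KEY constant, the function names and the sample credentials are assumptions constructed for the
       example; DACS's real cookie encoding is not described on this page.

```python
# Illustrative model of dacs_select_credentials semantics. NOT DACS code: the
# cookie layout, HMAC scheme, KEY and sample credentials are constructed here.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

KEY = b"constructed-demo-key"  # stands in for the federation's cookie-signing secret


@dataclass(frozen=True, order=True)
class Credential:
    username: str
    jurisdiction: str


def selected_cookie_name(federation: str) -> str:
    """Cookie name format given on the page: DACS:Federation-Name::::SELECTED."""
    return f"DACS:{federation}::::SELECTED"


class SelectionError(Exception):
    """Raised for the conditions the page calls errors (e.g. SELECT with no match)."""


class Selection:
    """Selection state for one user's credentials.

    selected is None when there is no selection (every credential is usable);
    an empty frozenset means SELECT_UNAUTH (effectively unauthenticated).
    """

    def __init__(self, creds: Iterable[Credential],
                 selected: Optional[FrozenSet[Credential]] = None):
        self.creds = frozenset(creds)
        self.selected = selected

    def _match(self, username: Optional[str], jurisdiction: Optional[str]) -> FrozenSet[Credential]:
        # Exact string matching; an absent argument matches any value.
        return frozenset(c for c in self.creds
                         if (username is None or c.username == username)
                         and (jurisdiction is None or c.jurisdiction == jurisdiction))

    def enabled(self) -> FrozenSet[Credential]:
        """Identities an access-control decision (dacs_acs) would consider."""
        return self.creds if self.selected is None else self.selected

    def operate(self, operation: str, username: Optional[str] = None,
                jurisdiction: Optional[str] = None) -> FrozenSet[Credential]:
        op = operation.upper()  # OPERATION is matched case-insensitively
        if op == "SELECT":
            matched = self._match(username, jurisdiction)
            if not matched:
                raise SelectionError("SELECT: no credentials match the arguments")
            self.selected = matched  # replaces any previous selection
        elif op == "DESELECT":
            matched = self._match(username, jurisdiction)  # non-matching arguments are ignored
            if matched:
                self.selected = self.enabled() - matched  # may leave nothing: unauthenticated
        elif op == "ADD":
            if self.selected is not None:  # with no selection nothing is disabled
                self.selected = self.selected | self._match(username, jurisdiction)
        elif op == "CLEAR":
            self.selected = None
        elif op == "SELECT_UNAUTH":
            self.selected = frozenset()
        elif op == "DESELECT_UNAUTH":
            if self.enabled():
                raise SelectionError("DESELECT_UNAUTH: user is not effectively unauthenticated")
            self.selected = None
        elif op != "LIST":
            raise SelectionError(f"unknown OPERATION {operation!r}")
        return self.enabled()

    def list_status(self) -> Dict[Credential, bool]:
        """LIST: each credential mapped to whether it is currently enabled."""
        return {c: c in self.enabled() for c in sorted(self.creds)}


def make_selected_cookie(selection: Selection, key: bytes = KEY) -> Optional[str]:
    """Value of the SELECTED cookie; None when there is no selection (no cookie needed)."""
    if selection.selected is None:
        return None
    body = ",".join(f"{c.username}@{c.jurisdiction}" for c in sorted(selection.selected))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def acs_identities(request_creds: Iterable[Credential], cookie_value: Optional[str],
                   key: bytes = KEY) -> FrozenSet[Credential]:
    """Identities left for access control after applying the SELECTED cookie.

    A missing cookie means every credential in the request is used. The cookie is
    only a filter over credentials the request actually carries, so a name in it
    that is not backed by a real credential confers nothing.
    """
    creds = frozenset(request_creds)
    if cookie_value is None:
        return creds
    body, _, tag = cookie_value.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        # The page does not say what DACS does with a forged cookie; this model rejects it.
        raise SelectionError("SELECTED cookie failed its integrity check")
    if body == "":
        return frozenset()  # SELECT_UNAUTH: effectively unauthenticated
    named = {tuple(item.rsplit("@", 1)) for item in body.split(",")}
    return frozenset(c for c in creds if (c.username, c.jurisdiction) in named)


if __name__ == "__main__":
    creds = [Credential("alice", "EXAMPLE"), Credential("bob", "EXAMPLE"), Credential("alice", "OTHER")]
    s = Selection(creds)
    s.operate("SELECT", username="alice")          # both alice identities
    s.operate("DESELECT", jurisdiction="OTHER")    # leaves alice@EXAMPLE
    print(selected_cookie_name("EXAMPLE"), "=", make_selected_cookie(s))
    for cred, on in s.list_status().items():
        print(f"{cred.username}@{cred.jurisdiction}: {'enabled' if on else 'disabled'}")
```

       The detail worth noticing is in acs_identities: the cookie can only narrow the set of credentials that
       actually accompany the request, so a name smuggled into it never adds an identity, and a request sent
       without the cookie falls back to using every credential it carries. That is the property behind the
       page's statement that the SELECTED cookie confers no identity or access control rights.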

FILES

       dacs_select_credentials.css[9]

DIAGNOSTICS

       The program exits 0 if everything was fine, 1 if an error occurred.

BUGS

       It might be useful to be able to temporarily suppress one or more specific roles of a given identity.

SEE ALSO

       dacs_authenticate(8)[14], dacs_signout(8)[6]

AUTHOR

       Distributed Systems Software (www.dss.ca[15])

COPYING

       Copyright 2003-2014 Distributed Systems Software. See the LICENSE[16] file that accompanies the
       distribution for licensing information.

NOTES

        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. dacs_acs(8)
           http://dacs.dss.ca/man/dacs_acs.8.html

        3. ACS_CREDENTIALS_LIMIT
           http://dacs.dss.ca/man/dacs.conf.5.html#ACS_CREDENTIALS_LIMIT

        4. su(1)
           http://www.freebsd.org/cgi/man.cgi?query=su&apropos=0&sektion=1&manpath=FreeBSD+10.1-RELEASE&format=html

        5. dacs_current_credentials(8)
           http://dacs.dss.ca/man/dacs_current_credentials.8.html

        6. dacs_signout(8)
           http://dacs.dss.ca/man/dacs_signout.8.html

        7. COOKIE_NAME_TERMINATORS
           http://dacs.dss.ca/man/dacs.conf.5.html#COOKIE_NAME_TERMINATORS

        8. dacs(1)
           http://dacs.dss.ca/man/dacs.1.html

        9. dacs_select_credentials.css
           http://dacs.dss.ca/man//css/dacs_select_credentials.css

       10. dacs_select_credentials.dtd
           http://dacs.dss.ca/man/../dtd-xsd/dacs_select_credentials.dtd

       11. RFC 7159
           https://tools.ietf.org/html/rfc7159

       12. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

       13. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html#COOKIE_SYNTAX

       14. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

       15. www.dss.ca
           http://www.dss.ca

       16. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE