How to configure Impersonation?

Document ID : KB000009918
Last Modified Date : 14/02/2018
Introduction:

Impersonation provides a method for a privileged user to:

  • Assume the role of another user without ending the session of the privileged user.
  • Temporarily assume the identity of another user.

Impersonation does not require users to disclose passwords for one user to impersonate another.

 

In this article we will discuss in detail how to configure impersonation in CA Single Sign-On r12.5x.

Instructions:

Configuration Overview

This section describes the overall process for configuring the Impersonation feature in CA Single Sign-On r12.5x.

1. SiteMinder Policy Configuration

   a. Create the Impersonation authentication scheme.

   b. Create the Impersonator domain with the following realms:

      Realm 1 : impersonator
         Authentication Scheme : HTML (or any other authentication scheme)
         Protects : /impersonator/
         Rule 1 : GetPost-Impersonator
            Resource = *
            Action = Get, POST

      Realm 2 : startImpersonation
         Authentication Scheme : Impersonation
         Protects : /startimpersonation/
         Rule 1 : GetPost-startImpersonation
            Resource = *
            Action = Get, POST
         Rule 2 : ImpersonateStart
            Resource = *
            Action = ImpersonateStart
         Rule 3 : ImpersonateStartUser
            Resource = *
            Action = ImpersonateStartUser

      Realm 3 : impersonatee
         Authentication Scheme : HTML (or any other authentication scheme)
         Protects : /impersonatee/
         Rule 1 : GetPost-Impersonatee
            Resource = *
            Action = Get, POST
         Rule 2 : ImpersonateStart
            Resource = *
            Action = ImpersonateStart
         Rule 3 : ImpersonateStartUser
            Resource = *
            Action = ImpersonateStartUser

   c. Create the policies for impersonation:

      Policy 1 : Impersonators
         Users : Help-Desk
         Rule 1 : GetPost-Impersonator from impersonator realm
         Rule 2 : ImpersonateStart from impersonatee realm
         Rule 3 : ImpersonateStart from startImpersonation realm

      Policy 2 : StartImpersonation
         Users : Customers
         Rule 1 : GetPost-startImpersonation from startImpersonation realm
         Rule 2 : ImpersonateStartUser from startImpersonation realm

      Policy 3 : Impersonatees
         Users : Customers
         Rule 1 : GetPost-Impersonatee from impersonatee realm
         Rule 2 : ImpersonateStartUser from impersonatee realm

 

   d. Protect startimp.fcc by setting the OverrideIgnoreExtFilter ACO parameter to startimp.fcc as below:

      OverrideIgnoreExtFilter=/impersonator/startimp.fcc

   e. Disable FCC compatibility mode by setting the FCCCompatMode ACO parameter to No:

      FCCCompatMode = No

2. Create the files required for impersonation

   a. Create the FCC file to start impersonation: startimp.fcc
      Place this file under the /impersonator/ directory.

   b. Create the FCC file to end impersonation: endimp.fcc
      Place this file under the /impersonatee/ directory.
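As an added illustration (not from this article and not CA Single Sign-On code or a CA API), the following Python script encodes the realms, rules, policies and ACO parameters from steps 1 and 2 above as plain data and checks the invariants that keep the design safe: startimp.fcc is covered by OverrideIgnoreExtFilter, FCCCompatMode is No, the startImpersonation realm is protected by the Impersonation scheme, and ImpersonateStart is granted only to the Help-Desk group. The Rule/Policy/Config model, the function names and the "drifted" sample configuration are assumptions made here; they show how a drifted policy store (a rule bound to the wrong user group, an ACO parameter left at its default) is reported instead of silently widening who may impersonate whom.

```python
"""Consistency check for the impersonation policy design in the article.
Added illustration: the Rule/Policy/Config model, function names and sample
data are assumptions made here, not CA Single Sign-On code or a CA API."""
from dataclasses import dataclass, replace

# Rule actions used with the Impersonation authentication scheme (named in the article).
IMPERSONATE_START = "ImpersonateStart"            # authorizes a user to start impersonating
IMPERSONATE_START_USER = "ImpersonateStartUser"   # authorizes a user to be impersonated


@dataclass(frozen=True)
class Rule:
    name: str
    realm: str
    action: str  # "Get, POST" or one of the impersonation actions above


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset  # user groups bound to the policy
    rules: tuple      # Rule objects bound to the policy


@dataclass(frozen=True)
class Config:
    realms: dict      # realm name -> authentication scheme protecting it
    policies: tuple   # Policy objects
    aco: dict         # Agent Configuration Object parameters


def check_impersonation_config(cfg, privileged_group):
    """Return a list of findings; an empty list means the article's invariants hold."""
    findings = []

    # Steps 1d/1e: the FCC that starts impersonation must itself be protected,
    # and the legacy FCC compatibility mode must be off.
    covered = [p.strip() for p in cfg.aco.get("OverrideIgnoreExtFilter", "").split(",")]
    if "/impersonator/startimp.fcc" not in covered:
        findings.append("OverrideIgnoreExtFilter does not cover /impersonator/startimp.fcc")
    if cfg.aco.get("FCCCompatMode", "Yes").strip().lower() != "no":
        findings.append("FCCCompatMode is not No")

    # Step 1b: the realm where impersonation starts uses the Impersonation scheme.
    if cfg.realms.get("startImpersonation") != "Impersonation":
        findings.append("startImpersonation realm is not protected by the Impersonation scheme")

    # Step 1c: collect which user groups are granted which action in which realm.
    grants = {}  # (realm, action) -> set of user groups
    for policy in cfg.policies:
        for rule in policy.rules:
            grants.setdefault((rule.realm, rule.action), set()).update(policy.users)

    # Only the privileged group may start impersonation, in any realm.
    for (realm, action), groups in sorted(grants.items()):
        if action == IMPERSONATE_START and groups != {privileged_group}:
            findings.append(f"{action} in realm {realm} granted to {sorted(groups)}")

    # The realms impersonation flows through need both actions bound to some policy.
    for realm in ("startImpersonation", "impersonatee"):
        for action in (IMPERSONATE_START, IMPERSONATE_START_USER):
            if (realm, action) not in grants:
                findings.append(f"no policy binds {action} in realm {realm}")
    return findings


def article_config():
    """The configuration from steps 1 and 2 above, expressed as data (constructed here)."""
    realms = {"impersonator": "HTML", "startImpersonation": "Impersonation", "impersonatee": "HTML"}
    policies = (
        Policy("Impersonators", frozenset({"Help-Desk"}), (
            Rule("GetPost-Impersonator", "impersonator", "Get, POST"),
            Rule("ImpersonateStart", "impersonatee", IMPERSONATE_START),
            Rule("ImpersonateStart", "startImpersonation", IMPERSONATE_START))),
        Policy("StartImpersonation", frozenset({"Customers"}), (
            Rule("GetPost-startImpersonation", "startImpersonation", "Get, POST"),
            Rule("ImpersonateStartUser", "startImpersonation", IMPERSONATE_START_USER))),
        Policy("Impersonatees", frozenset({"Customers"}), (
            Rule("GetPost-Impersonatee", "impersonatee", "Get, POST"),
            Rule("ImpersonateStartUser", "impersonatee", IMPERSONATE_START_USER))),
    )
    return Config(realms, policies, {"OverrideIgnoreExtFilter": "/impersonator/startimp.fcc",
                                     "FCCCompatMode": "No"})


def drifted_config():
    """The same design after two constructed mistakes: ACO parameters left at their
    defaults, and ImpersonateStart bound into the Customers' StartImpersonation policy."""
    base = article_config()
    extra = Rule("ImpersonateStart", "startImpersonation", IMPERSONATE_START)
    policies = tuple(replace(p, rules=p.rules + (extra,)) if p.name == "StartImpersonation" else p
                     for p in base.policies)
    return replace(base, policies=policies, aco={"FCCCompatMode": "Yes"})


if __name__ == "__main__":
    for label, cfg in (("article", article_config()), ("drifted", drifted_config())):
        findings = check_impersonation_config(cfg, "Help-Desk")
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Running the script reports the article's configuration as OK and lists three findings for the drifted copy. In practice the data would be exported from the policy store rather than typed in, but the checks themselves are the ones worth keeping in a change-review step: the ACO parameters from steps 1d and 1e, and the rule-to-group bindings from step 1c, are what decide who can impersonate whom.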

 

Screenshots - Configuration

(Images are not reproduced here; the figure captions are listed.)

Fig 0 : Impersonation Authentication Scheme
Fig 1 : Impersonation Domain
Fig 2 : Realms
Fig 3 : Impersonator Realm
Fig 4 : GetPost-Impersonator Rule
Fig 5 : Impersonatee Realm
Fig 6 : GetPost-Impersonatee Rule
Fig 7 : ImpersonateStartUser Rule
Fig 8 : ImpersonateStart Rule
Fig 9 : startImpersonation Realm
Fig 10 : GetPost-startImpersonation Realm
Fig 11 : ImpersonateStart - startImpersonation Realm
Fig 12 : ImpersonateStartUser - startImpersonation Realm
Fig 13 : Impersonators Policy --> Users
Fig 14 : Impersonators Policy --> Rules
Fig 15 : Impersonatees Policy --> Users
Fig 16 : Impersonatees Policy --> Rules
Fig 17 : StartImpersonation Policy --> Users
Fig 18 : StartImpersonation Policy --> Rules
Fig 19 : ACO : OverrideIgnoreExtFilter
Fig 20 : ACO : FCCCompatMode
Fig 21 : Impersonatee Directory structure
Fig 22 : Impersonator Directory structure
Fig 23 : startImpersonation Directory structure
Fig 24 : FCC to start Impersonation - startimp.fcc
Fig 25 : FCC to end Impersonation - endimp.fcc

 

 

Testing

 

  1. Access /impersonator/index.asp and log in with the Help Desk Administrator (impersonator) credentials.
  2. Click the "Start Impersonation" link. This opens the URL /impersonator/startimp.fcc.
  3. The impersonator is now prompted for the user ID of the person to be impersonated (the impersonatee). Enter the impersonatee user ID and click the "Impersonate" button.
  4. Impersonation completes and the impersonator is redirected to the success.asp page in the startImpersonation realm as the impersonatee user.
  5. From here on, the impersonator can access resources in the impersonatee realm by clicking the button on that page.
  6. To end impersonation, click the "End Impersonation" link. This opens the URL /impersonatee/endimp.fcc.
  7. Impersonation ends and the user is redirected to the target configured in endimp.fcc, which is /impersonator/index.asp.

Screenshots - Testing

(Images are not reproduced here; the figure captions are listed.)

Fig 0 : Access the impersonator resource and log in as the impersonator
Fig 1 : Click the "Start Impersonation" link
Fig 2 : Provide the user ID of the impersonatee and click the "Impersonate" button
Fig 3 : Impersonation completes successfully and redirects to the impersonatee resource /startimpersonation/success.asp, which is protected by the Impersonation authentication scheme. Click the "Browse Impersonatee Realm" link to browse other impersonatee resources that are not protected by the Impersonation authentication scheme (e.g. protected by the Basic, HTML or a custom authentication scheme).
Fig 5 : Impersonation completes and redirects to the impersonatee resource /impersonatee/index.asp. Click the "End Impersonation" link to end impersonation.
Fig 6 : Impersonation ends and redirects back to the impersonator resource /impersonator/index.asp.

 

Additional Information:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/impersonation

File Attachments:
TEC1055358.zip