How to set up impersonation within the same domain?

Document ID : KB000053637
Last Modified Date : 14/02/2018

Description:

Step-by-step description of how to set up impersonation.

Solution:

Configuring and Testing Impersonation on SiteMinder version 6

Objective: Configure customer service representatives (CSRs) to impersonate customers. The impersonator then accesses the customer application to verify that the impersonation process succeeds.

Impersonator : The privileged user that has the ability to impersonate the identities of other users.

Impersonatee : The user whose identity can be impersonated by a privileged user.

Two folders, impersonators and impersonatee, located on your web server hold the impersonation web resources.

Both Impersonator and Impersonatee in the Same Domain

Procedures:

  1. Create Impersonators realm with 1 rule.

    1. Impersonators Realm

      1. Resource Filter: /impersonators/

      2. Authentication Scheme: Basic

      3. Rule 1: Access Rule for Impersonation Admin

        1. Resource: *

        2. Action: Get/Post

  2. Create Impersonatee realm with 3 rules.

    1. Impersonatee Realm

      1. Resource Filter: /impersonatee/

      2. Authentication Scheme: Impersonation

      3. Rule 1: Access Rule to Impersonatee Resource

        1. Resource: *

        2. Action: Get

      4. Rule 2: Impersonate Start

        1. Resource: *

        2. Action: ImpersonateStart

      5. Rule 3: Impersonate Start User

        1. Resource: *

        2. Action: ImpersonateStartUser

  3. Create 2 rules in each realm that you want the impersonator to access. If these 2 rules are not set, the impersonator will get SMAUTHREASON = 46 when she tries to access the realm.

    Ex:

    1. Rule 1: Impersonate Start HTML

      1. Resource: *

      2. Action: ImpersonateStart

    2. Rule 2: Allow Impersonatee HTML

      1. Resource: *

      2. Action: ImpersonateStartUser

  4. Create 4 policies for impersonator and impersonatee.

    1. Policy 1: Impersonation Admin Policy

      1. Users: impersonator

      2. Rule 1: Access Rule for Impersonation Admin (Impersonators realm)

    2. Policy 2: Impersonator and Impersonatee Resource

      1. Users: impersonator and impersonatee

      2. Rule 1: Impersonate Start HTML

      3. Rule 2: Allow Impersonatee HTML

      4. Rule 3: Access Rule to Impersonatee Resource (Impersonatee realm)

    3. Policy 3: Impersonate Start

      1. Users: impersonator

      2. Rule 1: Impersonate Start (Impersonatee realm)

    4. Policy 4: Impersonate Start User

      1. Users: impersonatee

      2. Rule 1: Impersonate Start User (Impersonatee realm)

  5. Testing

    1. Login with impersonator id and password.

    2. Go to http://<FQDN>/impersonators/startimp.fcc

    3. Enter impersonatee user id.

    4. Test the application as the customer.
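Before testing in a browser it helps to check the realm, rule and policy configuration of steps 1 to 4 on paper. The following Python script is an added example, not SiteMinder code or part of this article: it models the named realms, rules and policies as data and answers which (user, realm, action) combinations they grant. The realm that step 3 refers to ("the realm you want the impersonator to access") is not named in the article, so it appears under the placeholder name "customer_app"; the evaluation is a simplification in which a request is granted when some policy lists the user and contains a rule for that realm and action.

```python
"""Toy model of the realm, rule and policy configuration in steps 1-4.

Added example, not SiteMinder code. Rule, realm and policy names are those of
the procedure above; "customer_app" is a placeholder for the application realm
of step 3, which the article does not name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    realm: str
    actions: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset
    rules: frozenset


def rule(name, realm, *actions):
    return Rule(name, realm, frozenset(actions))


RULES = {r.name: r for r in [
    # step 1: Impersonators realm (Basic authentication)
    rule("Access Rule for Impersonation Admin", "impersonators", "Get", "Post"),
    # step 2: Impersonatee realm (Impersonation authentication scheme)
    rule("Access Rule to Impersonatee Resource", "impersonatee", "Get"),
    rule("Impersonate Start", "impersonatee", "ImpersonateStart"),
    rule("Impersonate Start User", "impersonatee", "ImpersonateStartUser"),
    # step 3: the two rules on the application realm (placeholder realm name)
    rule("Impersonate Start HTML", "customer_app", "ImpersonateStart"),
    rule("Allow Impersonatee HTML", "customer_app", "ImpersonateStartUser"),
]}

STEP3_RULES = frozenset({"Impersonate Start HTML", "Allow Impersonatee HTML"})


def policy(name, users, *rule_names):
    return Policy(name, frozenset(users), frozenset(RULES[n] for n in rule_names))


# step 4: the four policies
POLICIES = [
    policy("Impersonation Admin Policy", ["impersonator"],
           "Access Rule for Impersonation Admin"),
    policy("Impersonator and Impersonatee Resource", ["impersonator", "impersonatee"],
           "Impersonate Start HTML", "Allow Impersonatee HTML",
           "Access Rule to Impersonatee Resource"),
    policy("Impersonate Start", ["impersonator"], "Impersonate Start"),
    policy("Impersonate Start User", ["impersonatee"], "Impersonate Start User"),
]


def allowed(user, realm, action, policies=POLICIES):
    """True when some policy binds `user` to a rule granting `action` on `realm`."""
    return any(
        user in p.users and any(r.realm == realm and action in r.actions for r in p.rules)
        for p in policies
    )


IMPERSONATION_ACTIONS = ("ImpersonateStart", "ImpersonateStartUser")


def impersonation_gaps(realm, policies=POLICIES):
    """Impersonation actions that no user is granted on `realm`.

    An empty list means step 3 has been applied to that realm; a non-empty
    one is the configuration the article says produces SMAUTHREASON = 46.
    """
    users = set().union(*(p.users for p in policies))
    return [a for a in IMPERSONATION_ACTIONS
            if not any(allowed(u, realm, a, policies) for u in users)]


def without_step3(policies=POLICIES):
    """The same policies with the step 3 rules dropped, to show the gap."""
    return [Policy(p.name, p.users,
                   frozenset(r for r in p.rules if r.name not in STEP3_RULES))
            for p in policies]


if __name__ == "__main__":
    for realm in ("impersonators", "impersonatee", "customer_app"):
        for user in ("impersonator", "impersonatee"):
            granted = [a for a in ("Get", "Post", *IMPERSONATION_ACTIONS)
                       if allowed(user, realm, a)]
            print(f"{user:13s} {realm:13s} {granted}")
    print("gaps on customer_app without step 3:",
          impersonation_gaps("customer_app", without_step3()))
```

Running the script prints the grant matrix for both users on all three realms; `impersonation_gaps` on a realm that received no step 3 rules lists both impersonation actions, which is the situation the note in step 3 describes.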

startimp.fcc

<!-- SiteMinder Encoding=ISO-8859-1; -->
@username=%USER%
@smheaders=SM_SERVERSESSIONSPEC
@password=%SM_SERVERSESSIONSPEC%
@smpushsession=true
@smretries=0
@smerrorpage=/impersonators/imperror.html
<html>
<head>
<title>Sample Impersonation Form</title>
<script type="text/javascript">
// Expire SMSAVEDSESSION so that a second impersonation start in the same
// browser window does not fail with "session already pushed" after the
// original session has timed out.
function load()
{
  document.cookie = "SMSAVEDSESSION=; path=/; domain=idp.dev; expires=Thu, 01-Jan-70 00:00:01 GMT";
}
</script>
</head>
<body onload="load()">
<h3>Please enter your Impersonation Information</h3>
<form method=post>
  <!-- USER is substituted into @username=%USER% above; target is the page
       shown once the impersonated session has started -->
  <input type=hidden name=target value="/impersonatee/index.asp">
  <INPUT TYPE=HIDDEN NAME="AGENTNAME" VALUE="producer.idp.dev">
  <table>
    <tr>
      <td>User Name:</td>
      <td><input type=text name=USER></td>
    </tr>
    <tr>
      <td><input type=submit></td>
    </tr>
  </table>
</form>
</body>
</html>

** Please note that there is a JavaScript function in startimp.fcc. This function runs automatically when startimp.fcc is loaded. It is there to prevent Impersonation Session Initiation from giving the error "session already pushed" the second time onward in the same browser window after the original session has timed out: the function ensures that the SMSAVEDSESSION cookie is deleted after the session timeout.

The target value of startimp.fcc redirects to "/impersonatee/index.asp". This is a sample page of the customer application. If you don't have any sample page to test with, the following sample JSP file may help you test the impersonation.

headers.jsp

<%@ page import="java.util.*" %>
<html>
  <head>
    <title> Impersonation Page </title>
  </head>
  <body>
  <hr>
  <A HREF="/impersonators/startimp.fcc"
     title="Click Here to Impersonate a User">Impersonate a User</a>
  <br>
  <A HREF="/impersonators/endimp.fcc"
     title="Click Here to End an Impersonated Session">End Impersonation</a>
  <hr>
  <%
  // Headers set by the SiteMinder agent that identify the session and, while
  // impersonation is active, the impersonator; these are printed in bold.
  String strUser = "sm_user";
  String strUserDN = "sm_userdn";
  String strImpDirName = "sm_userimpersonatordirname";
  String strDomino = "SM_DOMINOCN";
  String strimpName = "sm_userimpersonatorname";
  String strsmauthdirname = "SM_AUTHDIRNAME";
  // Test page only: header and cookie values are written to the page unescaped.
  Enumeration headerNames = request.getHeaderNames();
  while (headerNames.hasMoreElements())
  {
      String headerName = (String) headerNames.nextElement();
      // header names are case-insensitive, so compare ignoring case
      boolean bBold = headerName.equalsIgnoreCase(strUser)
                   || headerName.equalsIgnoreCase(strUserDN)
                   || headerName.equalsIgnoreCase(strImpDirName)
                   || headerName.equalsIgnoreCase(strDomino)
                   || headerName.equalsIgnoreCase(strimpName)
                   || headerName.equalsIgnoreCase(strsmauthdirname);
      if (bBold) out.print("<b>");
      out.print(headerName);
      out.print(" = ");
      out.print(request.getHeader(headerName));
      if (bBold) out.print("</b>");
      out.println("<BR>");
  }
  out.println("<BR><BR>" + "Cookies" + "<BR>");
  // getCookies() returns null when the request carries no Cookie header
  Cookie[] cookies = request.getCookies();
  if (cookies != null) {
      for (int i = 0; i < cookies.length; i++) {
          out.print(cookies[i].getName());
          out.print(" = ");
          out.println(cookies[i].getValue() + "<BR>");
      }
  }
  %>
  </body>
</html>
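The headers that headers.jsp displays are also what an application or its access log can use to record when a CSR is acting as a customer. The following Python script is an added example, not code from this article or from SiteMinder: it derives an audit record from those headers. It assumes, following the header names used in the JSP, that sm_user and sm_userdn name the user the application sees (the customer while impersonation is active) and that sm_userimpersonatorname and sm_userimpersonatordirname name the impersonator and are present only during an impersonated session; the sample header sets are constructed for the example, and header names are compared case-insensitively, as HTTP header names are.

```python
"""Derive an audit record from the SiteMinder user headers shown by headers.jsp.

Added example, not from the KB article. Assumption: sm_user names the user the
application sees and sm_userimpersonatorname is present only while a session
is impersonated. The header dictionaries below are constructed sample data.
"""

# Constructed sample header sets, as an agent in front of headers.jsp might set them.
CSR_DIRECT = {
    "SM_USER": "csr1",
    "SM_USERDN": "uid=csr1,ou=staff,dc=example,dc=com",
    "SM_AUTHDIRNAME": "corp-ldap",
}
CSR_AS_CUSTOMER = {
    "SM_USER": "customer1",
    "SM_USERDN": "uid=customer1,ou=customers,dc=example,dc=com",
    "SM_AUTHDIRNAME": "corp-ldap",
    "SM_USERIMPERSONATORNAME": "csr1",
    "SM_USERIMPERSONATORDIRNAME": "corp-ldap",
}
UNAUTHENTICATED = {"Host": "producer.idp.dev"}


def impersonation_context(headers):
    """Return who the request is from and, if impersonated, by whom.

    Header names are lower-cased before lookup; empty values are ignored so a
    header that is present but blank does not count as an impersonator.
    """
    h = {k.lower(): v for k, v in headers.items() if v}
    user = h.get("sm_user")
    impersonator = h.get("sm_userimpersonatorname")
    if user is None:
        return {"state": "unauthenticated", "user": None, "impersonator": None}
    if impersonator is None:
        return {"state": "direct", "user": user, "impersonator": None}
    return {
        "state": "impersonated",
        "user": user,
        "impersonator": impersonator,
        "impersonator_dir": h.get("sm_userimpersonatordirname"),
    }


def audit_line(path, headers):
    """One log line per request; impersonated access names both parties."""
    ctx = impersonation_context(headers)
    if ctx["state"] == "impersonated":
        return (f"IMPERSONATED path={path} user={ctx['user']} "
                f"by={ctx['impersonator']} dir={ctx['impersonator_dir']}")
    if ctx["state"] == "direct":
        return f"DIRECT path={path} user={ctx['user']}"
    return f"UNAUTHENTICATED path={path}"


if __name__ == "__main__":
    samples = [("direct", CSR_DIRECT), ("impersonated", CSR_AS_CUSTOMER),
               ("anonymous", UNAUTHENTICATED)]
    for label, hdrs in samples:
        print(f"{label:12s} -> {audit_line('/impersonatee/index.asp', hdrs)}")
```

Logging the impersonator alongside the impersonated user at the application is what makes a CSR's actions attributable later; the headers alone only show the customer identity unless the page or log looks at sm_userimpersonatorname as well.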

Lastly, the user can end the impersonation through a button that redirects to endimp.fcc. The following is a sample endimp.fcc.

endimp.fcc

 <!--  SiteMinder Encoding=ISO-8859-1; -->
 @smpopsession=true
 @target=/impersonators/index.asp
 @smredirect=/impersonators/index.asp