Tech Tip – How to configure Impersonation?

Impersonation

 

Problem Summary

Impersonation lets one user act as another without the impersonated user ever disclosing a password to the impersonator. This article describes in detail how to configure impersonation in CA Single Sign-On r12.5x.

Impersonation provides a method for a privileged user to:

  • Assume the role of another user without ending the session of the privileged user.
  • Temporarily assume the identity of another user.
Configuration Overview

This section walks through the overall process for configuring the Impersonation feature in CA Single Sign-On r12.5x.

1. SiteMinder Policy Configuration.

a. Create Impersonation Authentication Scheme

b. Create Impersonator Domain with two realms:

Realm 1  : impersonator

Authentication Scheme : HTML (Or any other authentication scheme)

Protects : /impersonator/

Rule 1 : GetPost-Impersonator

Resource = *

Action = GET, POST

Realm 2  : startImpersonation

Authentication Scheme : Impersonation

Protects : /startimpersonation/

Rule 1 : GetPost-startImpersonation

Resource = *

Action = GET, POST

Rule 2 : ImpersonateStart

Resource = *

Action = ImpersonateStart

Rule 3 : ImpersonateStartUser

Resource = *

Action = ImpersonateStartUser

Realm 3  : impersonatee

Authentication Scheme : HTML (Or any other authentication scheme)

Protects : /impersonatee/

Rule 1 : GetPost-Impersonatee

Resource = *

Action = GET, POST

Rule 2 : ImpersonateStart

Resource = *

Action = ImpersonateStart

Rule 3 : ImpersonateStartUser

Resource = *

Action = ImpersonateStartUser

c. Create Policies for Impersonation:

Policy 1 : Impersonators

Users  : Help-Desk

Rule 1  : GetPost-Impersonator from impersonator realm

Rule 2 : ImpersonateStart from impersonatee realm

Rule 3 : ImpersonateStart from startImpersonation realm

Policy 2 : StartImpersonation

Users : Customers

Rule 1 : GetPost-startImpersonation from startImpersonation realm

Rule 2 : ImpersonateStartUser from startImpersonation realm

Policy 3 : Impersonatees

Users : Customers

Rule 1 : GetPost-Impersonatee from impersonatee realm

Rule 2 : ImpersonateStartUser from impersonatee realm
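The three policies split impersonation authorization in two: ImpersonateStart is granted to the impersonators (Help-Desk) and ImpersonateStartUser to the users who may be impersonated (Customers), and both must hold in the realm where impersonation takes place. The Python below is an added example, not part of the original article and not the SiteMinder policy engine; it only models the realms, rules and policies listed in steps b and c and evaluates an (impersonator, impersonatee, realm) triple against them. The user names hdadmin, alice and bob and their group membership are constructed.

```python
"""Toy evaluator for the impersonation realm/rule/policy layout above.
Added example: not the SiteMinder policy engine, only a model of the
configuration in steps 1.b and 1.c.  Users and groups are constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

GET_POST = frozenset({"GET", "POST"})

# (realm, rule name) -> actions the rule covers (step 1.b)
RULES: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("impersonator", "GetPost-Impersonator"): GET_POST,
    ("startImpersonation", "GetPost-startImpersonation"): GET_POST,
    ("startImpersonation", "ImpersonateStart"): frozenset({"ImpersonateStart"}),
    ("startImpersonation", "ImpersonateStartUser"): frozenset({"ImpersonateStartUser"}),
    ("impersonatee", "GetPost-Impersonatee"): GET_POST,
    ("impersonatee", "ImpersonateStart"): frozenset({"ImpersonateStart"}),
    ("impersonatee", "ImpersonateStartUser"): frozenset({"ImpersonateStartUser"}),
}

# (policy name, user group, rules bound to the policy) (step 1.c)
POLICIES: List[Tuple[str, str, List[Tuple[str, str]]]] = [
    ("Impersonators", "Help-Desk", [
        ("impersonator", "GetPost-Impersonator"),
        ("impersonatee", "ImpersonateStart"),
        ("startImpersonation", "ImpersonateStart"),
    ]),
    ("StartImpersonation", "Customers", [
        ("startImpersonation", "GetPost-startImpersonation"),
        ("startImpersonation", "ImpersonateStartUser"),
    ]),
    ("Impersonatees", "Customers", [
        ("impersonatee", "GetPost-Impersonatee"),
        ("impersonatee", "ImpersonateStartUser"),
    ]),
]

# Constructed directory: who belongs to which group.
GROUPS: Dict[str, Set[str]] = {
    "Help-Desk": {"hdadmin"},
    "Customers": {"alice", "bob"},
}


def allowed_actions(user: str, realm: str) -> Set[str]:
    """Union of the actions every policy that includes `user` grants in `realm`."""
    actions: Set[str] = set()
    for _name, group, bound_rules in POLICIES:
        if user not in GROUPS.get(group, set()):
            continue
        for rule_realm, rule_name in bound_rules:
            if rule_realm == realm:
                actions |= RULES[(rule_realm, rule_name)]
    return actions


def can_impersonate(impersonator: str, impersonatee: str, realm: str) -> bool:
    """Both halves must hold in the same realm: the impersonator needs
    ImpersonateStart and the target user needs ImpersonateStartUser."""
    return ("ImpersonateStart" in allowed_actions(impersonator, realm)
            and "ImpersonateStartUser" in allowed_actions(impersonatee, realm))


if __name__ == "__main__":
    for who, whom, realm in [("hdadmin", "alice", "startImpersonation"),
                             ("alice", "bob", "startImpersonation"),
                             ("hdadmin", "hdadmin", "impersonatee")]:
        print(f"{who} -> {whom} in {realm}: {can_impersonate(who, whom, realm)}")
```

Run stand-alone, the three lines come out True, False, False: only a Help-Desk member can start impersonation, only a Customer can be its target, and a Help-Desk account is never a valid target because no policy grants it ImpersonateStartUser. If you later add a policy that gives Help-Desk both actions, this is the check that catches it.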

 

d. Protect startimp.fcc by adding its path to the OverrideIgnoreExtFilter ACO parameter (.fcc is in the Web Agent's default IgnoreExt list, so without this entry the file would not be protected):

OverrideIgnoreExtFilter=/impersonator/startimp.fcc

e. Disable FCC compatibility mode by setting the FCCCompatMode ACO parameter to No:

FCCCompatMode = No
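Steps d and e are the two Web Agent settings most easily left out, and leaving out d means the agent treats startimp.fcc as an ignored extension instead of applying the impersonator realm's policy to it. The Python check below is an added example, not a CA tool and not from the original article: it reads an ACO rendered as plain Name=Value lines (a constructed approximation of the Admin UI view, with comma-separated multi-value parameters) and reports whether the FCC path is covered by OverrideIgnoreExtFilter and whether FCCCompatMode is No. Both sample ACOs are constructed; the "before" one shows the default IgnoreExt list with the two parameters still at their defaults.

```python
"""Lint a Web Agent ACO for the two impersonation settings in steps d and e.
Added example, not a CA tool; the ACO is modelled as plain Name=Value lines
(a constructed approximation of the Admin UI view)."""
import re
from typing import Dict, List

FCC_PATH = "/impersonator/startimp.fcc"   # path used in the procedure above

# Constructed sample: ACO before steps d and e are applied.
ACO_BEFORE = """
IgnoreExt=.class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc
OverrideIgnoreExtFilter=
FCCCompatMode=Yes
"""

# Constructed sample: the same ACO after steps d and e.
ACO_AFTER = """
IgnoreExt=.class, .gif, .jpg, .jpeg, .png, .fcc, .scc, .sfcc, .ccc, .ntc
OverrideIgnoreExtFilter=/impersonator/startimp.fcc
FCCCompatMode=No
"""


def parse_aco(text: str) -> Dict[str, List[str]]:
    """Map lower-cased parameter name -> list of comma-separated values."""
    params: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values = [v.strip().strip('"') for v in value.split(",") if v.strip()]
        params[name.strip().lower()] = values
    return params


def lint_impersonation_aco(text: str, fcc_path: str = FCC_PATH) -> List[str]:
    """Return one finding per missing setting; an empty list means both are in place."""
    params = parse_aco(text)
    findings: List[str] = []

    # Step d: the FCC must be protected.  It only needs an OverrideIgnoreExtFilter
    # entry if its extension is in IgnoreExt, which it is by default.
    ignore_ext = {e.lower() for e in params.get("ignoreext", [])}
    match = re.search(r"\.[^./]+$", fcc_path)
    ext = match.group(0).lower() if match else ""
    overrides = {p.lower() for p in params.get("overrideignoreextfilter", [])}
    if ext in ignore_ext and fcc_path.lower() not in overrides:
        findings.append(
            f"{fcc_path} is unprotected: '{ext}' is in IgnoreExt and the path "
            f"is not listed in OverrideIgnoreExtFilter")

    # Step e: compatibility mode must be off.
    compat = params.get("fcccompatmode", [])
    if not compat or compat[0].lower() != "no":
        findings.append("FCCCompatMode must be No (found %r)"
                        % (compat[0] if compat else None))
    return findings


if __name__ == "__main__":
    for label, aco in (("before", ACO_BEFORE), ("after", ACO_AFTER)):
        print(label, lint_impersonation_aco(aco) or "OK")
```

Point the linter at the ACO of every agent that fronts the /impersonator/ path; an agent that was cloned from a default ACO is the usual way step d goes missing.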

2. Create the files required for Impersonation

a. Create the FCC file that starts impersonation, startimp.fcc, and place it under the /impersonator/ directory.

b. Create the FCC file that ends impersonation, endimp.fcc, and place it under the /impersonatee/ directory.

Testing
  1. Access /impersonator/index.asp and log in with the Help Desk Administrator (impersonator) credentials.
  2. Click the “Start Impersonation” link. This opens the URL /impersonator/startimp.fcc.
  3. The impersonator is prompted for the user ID of the person to be impersonated (the impersonatee). Enter the impersonatee's user ID and click the “Impersonate” button.
  4. Impersonation completes and the impersonator is redirected to the success.asp page in the startImpersonation realm as the impersonatee user.
  5. From here on, the impersonator can reach resources in the impersonatee realm by clicking the “Browse Impersonatee Realm” link.
  6. To end impersonation, click the “End Impersonation” link. This opens the URL /impersonatee/endimp.fcc.
  7. Impersonation ends and the user is redirected to the target configured in endimp.fcc, which is /impersonator/index.asp.
Screenshots – Configuration

Fig 0 : Impersonation Authentication Scheme

Fig 1 : Impersonation Domain

Fig 2 : Realms

Fig 3 : Impersonator Realm

Fig 4 : GetPost-Impersonator Rule

Fig 5 : Impersonatee Realm

Fig 6 : GetPost-Impersonatee Rule

Fig 7 : ImpersonateStartUser Rule

Fig 8 : ImpersonateStart Rule

Fig 9 : startImpersonation Realm

Fig 10 : GetPost-startImpersonation Rule

Fig 11 : ImpersonateStart Rule – startImpersonation Realm

Fig 12 : ImpersonateStartUser Rule – startImpersonation Realm

Fig 13 : Impersonators Policy –> Users

Fig 14 : Impersonators Policy –> Rules

Fig 15 : Impersonatees Policy –> Users

Fig 16 : Impersonatees Policy –> Rules

Fig 17 : StartImpersonation Policy –> Users

Fig 18 : StartImpersonation Policy –> Rules

Fig 19 : ACO : OverrideIgnoreExtFilter

Fig 20 : ACO : FCCCompatMode

Fig 21 : Impersonatee directory structure

Fig 22 : Impersonator directory structure

Fig 23 : startImpersonation directory structure

Fig 24 : FCC to start Impersonation – startimp.fcc

Fig 25 : FCC to end Impersonation – endimp.fcc

Screenshots – Testing

Fig 0 : Access the Impersonator resource and log in as the Impersonator

Fig 1 : Click the “Start Impersonation” link

Fig 2 : Provide the user ID of the Impersonatee and click the “Impersonate” button

Fig 3 : Impersonation completes successfully and redirects to the impersonatee resource /startimpersonation/success.asp, which is protected by the Impersonation authentication scheme. Click the “Browse Impersonatee Realm” link to browse other impersonatee resources that are not protected by the Impersonation authentication scheme (e.g. protected by a Basic, HTML or custom authentication scheme).

Fig 5 : Impersonation completes and redirects to the impersonatee resource /impersonatee/index.asp. Click the “End Impersonation” link to end impersonation.

Fig 6 : Impersonation ends and redirects back to the Impersonator resource /impersonator/index.asp

Attachments:
  • All the sample files – Impersonation
  • Fiddler from Impersonation Testing
References

Impersonation – CA Single Sign-On – 12.52 SP1 – CA Technologies Documentation
