Hi Aditi,
The impersonation flow is not going to be different for your "test application" and "real time" application.
From the SiteMinder perspective both are the same.
Now, coming to your questions, please find my responses inline:
Q1. An impersonator logs into the Admin URL(protected by siteminder). Then clicks on target URL and enters the impersonatee ID. Now, after providing the impersonatee ID, the new SMSESSION is created for the impersonatee.
[Ujwol] Correct, and additionally the impersonator session is saved in SMSAVEDSESSION cookie.
Q2. Now, if he accesses any real time application (like IDM portal or SAP Portal), and the impersonatee ID has access to these portals, will the impersonator be able to access those applications as the impersonatee, since the SMSESSION is created only for the impersonatee?
[Ujwol] No, the impersonator can NOT access any resource accessible to the impersonatee. He can access ONLY those resources/realms which have been configured for impersonation.
The details of the impersonation configuration required on this realm can be referred to in:
Tech Tip - CA Single Sign-On:Policy Server: How to configure Impersonation?
In the above doc, assume that "Realm 3: Impersonatee" realm is the realm for your real time application (IDM Portal or SAP Portal)
Q3. Will the session timeout for the impersonatee SMSESSION be dependent on the impersonator SMSAVEDSESSION cookie?
[Ujwol] No, it is not dependent on the SMSAVEDSESSION cookie. The session idle/max timeout is governed by the realm (startimpersonation) from where the impersonation begins, as that is where the "AuthAccept" event triggers for the impersonatee user. However, if you browse other impersonatee realms and you want to enforce the timeout of the realm you are visiting, then you can refer to this:
Enforce Timeouts across Multiple Realms - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
AuthAccept PS-01 [15/Nov/2016:10:52:21 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/index.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [] []
AzAccept PS-01 [15/Nov/2016:10:52:21 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/index.asp" [239b0220000063f50000000063f5239b-04ec-582a4e56-0a9c-027b0099] [0] [] []
AzAccept PS-01 [15/Nov/2016:10:52:58 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/startimp.fcc" [239b0220000063f50000000063f5239b-04ec-582a4e7b-0a9c-00e90124] [0] [] []
AzAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 POST /impersonator/startimp.fcc" [239b0220000063f50000000063f5239b-04ec-582a4e81-0a9c-02563b25] [0] [] []
AuthAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]
AzAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [239b0220000063f50000000063f5239b-04ec-582a4e81-0a9c-02754b40] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]
ValidateAccept PS-01 [15/Nov/2016:10:53:10 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]
AzAccept PS-01 [15/Nov/2016:10:53:10 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp" [239b0220000063f50000000063f5239b-04ec-582a4e86-0a9c-03665878] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]
AzAccept PS-01 [15/Nov/2016:10:55:38 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp?1=1" [239b0220000063f50000000063f5239b-04ec-582a4f1b-0a9c-00664230] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]
Q4. Also, will the audit logs for these real applications specify the ID of the impersonator as well as the impersonatee, like they do for the Admin URL?
[Ujwol] As I said earlier, there is no differentiation between a test app and a real app. They are both the same to SiteMinder. So, as you can see above, when the impersonator impersonates in a realm, both the impersonatee and impersonator IDs will be logged in the audit log.
AuthAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]
Regards,
Ujwol Shrestha
Ujwol's Single Sign-On Blog
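The audit lines quoted above are what an auditor or SOC engineer would actually work from, so here is an added example (not part of Ujwol's post or of any CA product code) that parses them and pulls out the impersonation activity: which AuthAccept minted the impersonatee session (and with which idletime/maxtime, the point of Q3), and every resource the impersonator touched while acting as the impersonatee (the point of Q4). The field layout is inferred from the sample lines on this page rather than from a format specification, so treat the column names as assumptions; in particular the "UNKNOWN" token before the user DN is assumed to be a client-address placeholder, and the third and fourth bracketed fields are assumed to carry the impersonator DN and the user directory, since they are empty for the impersonator's own requests and populated once impersonation starts.

```python
"""Extract impersonation activity from CA SiteMinder Policy Server audit lines.

Added example; not part of the original post. The field layout is inferred
from the sample lines quoted on the page (an assumption, not a format spec):
  <event> <server> [<timestamp>] "<client> <user DN>" "<agent> <method> <resource>"
  [<timeouts or transaction id>] [<status>] [<impersonator DN>] [<directory>]
The last two brackets are empty for ordinary access and populated while a
user is being impersonated; that is what this script keys on.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Audit lines copied from the post above: the impersonator logs in, starts
# impersonation, then browses as the impersonatee.
SAMPLE_LINES = [
    'AuthAccept PS-01 [15/Nov/2016:10:52:21 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/index.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [] []',
    'AzAccept PS-01 [15/Nov/2016:10:52:21 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/index.asp" [239b0220000063f50000000063f5239b-04ec-582a4e56-0a9c-027b0099] [0] [] []',
    'AzAccept PS-01 [15/Nov/2016:10:52:58 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/startimp.fcc" [239b0220000063f50000000063f5239b-04ec-582a4e7b-0a9c-00e90124] [0] [] []',
    'AzAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 POST /impersonator/startimp.fcc" [239b0220000063f50000000063f5239b-04ec-582a4e81-0a9c-02563b25] [0] [] []',
    'AuthAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]',
    'AzAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [239b0220000063f50000000063f5239b-04ec-582a4e81-0a9c-02754b40] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]',
    'ValidateAccept PS-01 [15/Nov/2016:10:53:10 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]',
    'AzAccept PS-01 [15/Nov/2016:10:53:10 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp" [239b0220000063f50000000063f5239b-04ec-582a4e86-0a9c-03665878] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]',
    'AzAccept PS-01 [15/Nov/2016:10:55:38 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp?1=1" [239b0220000063f50000000063f5239b-04ec-582a4f1b-0a9c-00664230] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]',
]

LINE_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<server>\S+)\s+'
    r'\[(?P<ts>[^\]]*)\]\s+'
    r'"(?P<client>\S+)\s+(?P<user>[^"]*)"\s+'          # "UNKNOWN <user DN>" (client token assumed)
    r'"(?P<agent>\S+)\s+(?P<method>\S+)\s+(?P<resource>[^"]*)"\s+'
    r'\[(?P<f1>[^\]]*)\]\s+\[(?P<f2>[^\]]*)\]\s+'      # timeouts/transaction id, status
    r'\[(?P<f3>[^\]]*)\]\s+\[(?P<f4>[^\]]*)\]$'        # impersonator DN, directory (assumed)
)


@dataclass(frozen=True)
class AuditEvent:
    event: str                      # AuthAccept, AzAccept, ValidateAccept, ...
    timestamp: str
    user_dn: str                    # identity the current session belongs to
    method: str
    resource: str
    info: str                       # "idletime=...;maxtime=...;" or a transaction id
    status: str
    impersonator_dn: Optional[str]  # populated only while impersonating
    directory: Optional[str]


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(
        event=m["event"], timestamp=m["ts"], user_dn=m["user"],
        method=m["method"], resource=m["resource"],
        info=m["f1"], status=m["f2"],
        impersonator_dn=m["f3"] or None, directory=m["f4"] or None,
    )


def parse_timeouts(info: str) -> Dict[str, int]:
    """Turn 'idletime=3600;maxtime=7200;authlevel=5;' into ints; {} for a transaction id."""
    out: Dict[str, int] = {}
    for part in info.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            if value.isdigit():
                out[key] = int(value)
    return out


def impersonation_starts(lines: List[str]) -> List[AuditEvent]:
    """AuthAccept events carrying an impersonator DN: the moment the impersonatee
    SMSESSION is minted. Its idletime/maxtime are what the new session runs on."""
    return [ev for ev in map(parse_line, lines)
            if ev and ev.event == "AuthAccept" and ev.impersonator_dn]


def resources_by_impersonator(lines: List[str]) -> Dict[str, Set[Tuple[str, str]]]:
    """Every (impersonatee DN, resource) authorized under impersonation, per impersonator."""
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for ev in map(parse_line, lines):
        if ev and ev.event == "AzAccept" and ev.impersonator_dn:
            out.setdefault(ev.impersonator_dn, set()).add((ev.user_dn, ev.resource))
    return out


if __name__ == "__main__":
    for start in impersonation_starts(SAMPLE_LINES):
        print(f"{start.timestamp}: {start.impersonator_dn} became {start.user_dn} "
              f"at {start.resource} with {parse_timeouts(start.info)}")
    for who, touched in resources_by_impersonator(SAMPLE_LINES).items():
        for impersonatee, resource in sorted(touched):
            print(f"  {who} accessed {resource} as {impersonatee}")
```

Run it against the lines on this page and it reports one session start (the AuthAccept on /startimpersonation/success.asp, idletime 3600 and maxtime 7200) and three resources accessed as the impersonatee; the impersonator's own requests to /impersonator/... carry no impersonator DN and are left out. Because the AuthAccept that carries the impersonator DN is the only place the impersonatee session's timeouts appear, this is also the line to look at when deciding which realm's timeouts a given impersonation session inherited.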