Layer 7 Access Management


Implementing Impersonation

  • 1.  Implementing Impersonation

    Posted 11-10-2016 12:52 PM

    How to implement impersonation for a real-time application like CA Identity Minder Portal or SAP Netweaver Portal integrated with SiteMinder?

    I have achieved impersonation for a test application hosted on Apache by following this tech tip: Tech Tip - CA Single Sign-On:Policy Server: How to configure Impersonation?



  • 2.  Re: Implementing Impersonation

    Posted 11-10-2016 04:07 PM

    Impersonation is performed by the Web Agent - if you were to use the SMSESSION created in your first step, can it access the IDM and SAP servers?

     

    The agent code needs to perform the SMSESSION create and SMSAVEDSESSION - the IDM or SAP agent is not able to do this function.

     

    Request Flow:

    1) Impersonator logs into the Admin URL, which is protected by SiteMinder. SiteMinder creates an SMSESSION for the Impersonator.

    2) Impersonator clicks on the Target URL, which initiates the Impersonation Journey since the Target URL is protected by the Impersonation Authentication Scheme. The Impersonation Authentication Scheme prompts for the Impersonatee’s user name.

    3) Impersonator lands on the Target URL as an Impersonatee. SiteMinder creates an SMSESSION for the Impersonatee and saves the Impersonator's session as SMSAVEDSESSION.

    4) Now the Impersonator assumes the identity of the Impersonatee and accesses the End User Application.



  • 3.  Re: Implementing Impersonation

    Posted 11-12-2016 12:57 PM

    Hello Stephen,

     

    Yes, the SMSESSION created in the first step can access IDM and SAP server.

    As per the request flow explained above, please confirm if the below understanding is right and help with the underlying queries:

    An impersonator logs into the Admin URL (protected by SiteMinder), then clicks on the target URL and enters the impersonatee ID. Now, after providing the impersonatee ID, the new SMSESSION is created for the impersonatee.

    Now, if he accesses any real-time application (like IDM Portal or SAP Portal), and the impersonatee ID has access to these portals, will the impersonator be able to access those applications as the impersonatee, since the SMSESSION is created only for the impersonatee?

     

    Will the session timeout for the impersonatee SMSESSION be dependent on the impersonator SMSAVEDSESSION cookie?

     

    Also, will the audit logs for these real applications specify the ID of the impersonator as well as the impersonatee, like they will do for the Admin URL?

     

    Regards,

    Aditi



  • 4.  Re: Implementing Impersonation
    Best Answer

    Posted 11-14-2016 07:08 PM

    Hi Aditi,

     

    The impersonation flow is not going to be different for your "test application" and "real time" application.

    From the SiteMinder perspective both are the same.

     

    Now, coming to your questions, please find my response inline:

     

    Q1. An impersonator logs into the Admin URL (protected by SiteMinder), then clicks on the target URL and enters the impersonatee ID. Now, after providing the impersonatee ID, the new SMSESSION is created for the impersonatee.

     

    [Ujwol] Correct, and additionally the impersonator session is saved in SMSAVEDSESSION cookie.

     

    Q2. Now, if he accesses any real-time application (like IDM Portal or SAP Portal), and the impersonatee ID has access to these portals, will the impersonator be able to access those applications as the impersonatee, since the SMSESSION is created only for the impersonatee?

     

    [Ujwol] No, the impersonator can NOT access any resource accessible to the impersonatee. He can access ONLY those resources/realms which have been configured for impersonation.

    The details of the impersonation configuration required on this realm can be referred to in:

    Tech Tip - CA Single Sign-On:Policy Server: How to configure Impersonation? 

    In the above doc, assume that the "Realm 3: Impersonatee" realm is the realm for your real-time application (IDM Portal or SAP Portal).

     

    Q3. Will the session timeout for the impersonatee SMSESSION be dependent on the impersonator SMSAVEDSESSION cookie?

    [Ujwol] No, it is not dependent on the SMSAVEDSESSION cookie. The session idle/max timeout is governed by the realm (startimpersonation) from where the impersonation begins, as that is where the "AuthAccept" event triggers for the impersonatee user. However, if you browse another impersonatee realm and you want to enforce the timeout of the realm you are visiting, then you can refer to this:

    Enforce Timeouts across Multiple Realms - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    AuthAccept PS-01 [15/Nov/2016:10:52:21 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/index.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [] []

     

    AzAccept PS-01 [15/Nov/2016:10:52:21 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/index.asp" [239b0220000063f50000000063f5239b-04ec-582a4e56-0a9c-027b0099] [0] [] []

     

    AzAccept PS-01 [15/Nov/2016:10:52:58 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonator/startimp.fcc" [239b0220000063f50000000063f5239b-04ec-582a4e7b-0a9c-00e90124] [0] [] []

     

    AzAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab" "agent_iis_01 POST /impersonator/startimp.fcc" [239b0220000063f50000000063f5239b-04ec-582a4e81-0a9c-02563b25] [0] [] []

     

    AuthAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]

     

    AzAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [239b0220000063f50000000063f5239b-04ec-582a4e81-0a9c-02754b40] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]

     

    ValidateAccept PS-01 [15/Nov/2016:10:53:10 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]

     

    AzAccept PS-01 [15/Nov/2016:10:53:10 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp" [239b0220000063f50000000063f5239b-04ec-582a4e86-0a9c-03665878] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]

     

    AzAccept PS-01 [15/Nov/2016:10:55:38 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /impersonatee/index.asp?1=1" [239b0220000063f50000000063f5239b-04ec-582a4f1b-0a9c-00664230] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]

     

    Q4. Also, will the audit logs for these real applications specify the ID of the impersonator as well as the impersonatee, like they will do for the Admin URL?

    [Ujwol] As I said earlier, there is no differentiation for test app or real app. They both are the same to SiteMinder. So, as you can see above, when impersonator impersonates realm, both impersonatee and impersonator ID will be logged in the audit log.

     

    AuthAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=impersonatee,ou=Customer,ou=People,dc=support,dc=lab" "agent_iis_01 GET /startimpersonation/success.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=impersonator,ou=HelpDesk,ou=People,dc=support,dc=lab] [CADir-01]

     

    Regards,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog 
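
    The audit lines quoted in the answer above carry the impersonator DN in the second-to-last bracketed field, and that field is empty for ordinary requests. The following is an added example, not part of the original thread or of the product: a parser that groups impersonated requests by impersonator and impersonatee for audit review. The field layout is inferred from the quoted lines only, the group names are this example's own labels, and the sample DNs, agent name and directory name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout inferred from the audit lines quoted in the answer above;
# the group names are this example's own labels, not product terminology.
LINE = re.compile(
    r'^(?P<event>\w+) (?P<server>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<client>\S+) (?P<user>[^"]*)" '
    r'"(?P<agent>\S+) (?P<method>\S+) (?P<resource>[^"]*)" '
    r'\[(?P<info>[^\]]*)\] \[(?P<reason>[^\]]*)\] '
    r'\[(?P<impersonator>[^\]]*)\] \[(?P<directory>[^\]]*)\]\s*$'
)

# Constructed sample lines in the same layout (DNs, agent and directory are made up).
SAMPLE = [
    'AuthAccept PS-01 [15/Nov/2016:10:52:21 +1100] "UNKNOWN cn=hd1,ou=HelpDesk,dc=example,dc=test" "agent1 GET /impersonator/index.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [] []',
    'AuthAccept PS-01 [15/Nov/2016:10:53:04 +1100] "UNKNOWN cn=cust7,ou=Customer,dc=example,dc=test" "agent1 GET /startimpersonation/success.asp" [idletime=3600;maxtime=7200;authlevel=5;] [0] [cn=hd1,ou=HelpDesk,dc=example,dc=test] [Dir-01]',
    'AzAccept PS-01 [15/Nov/2016:10:53:10 +1100] "UNKNOWN cn=cust7,ou=Customer,dc=example,dc=test" "agent1 GET /impersonatee/index.asp" [txn-0001] [0] [cn=hd1,ou=HelpDesk,dc=example,dc=test] [Dir-01]',
]


def impersonation_sessions(lines):
    """Group impersonated requests by (impersonator DN, impersonatee DN)."""
    sessions = defaultdict(
        lambda: {"started": None, "timeouts": None, "resources": []}
    )
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not m["impersonator"]:
            continue  # unparsable line, or an ordinary non-impersonated request
        s = sessions[(m["impersonator"], m["user"])]
        if m["event"] == "AuthAccept" and s["started"] is None:
            # The AuthAccept for the impersonatee marks the start of impersonation
            # and carries the idle/max timeouts that apply to the new session.
            s["started"] = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            s["timeouts"] = dict(
                kv.split("=", 1) for kv in m["info"].split(";") if kv
            )
        if m["resource"] not in s["resources"]:
            s["resources"].append(m["resource"])
    return dict(sessions)


if __name__ == "__main__":
    for (who, as_whom), s in impersonation_sessions(SAMPLE).items():
        print(who, "->", as_whom, s["started"], s["timeouts"], s["resources"])
```
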



  • 5.  Re: Implementing Impersonation

    Posted 11-14-2016 11:24 PM

    Hello Ujwol,

     

    I will try to use "Realm 3: Impersonatee" realm as the realm for my real time application (IDM Portal or SAP Portal) and will confirm.

    Also, please confirm if I have 5 business applications to have impersonation implemented on them, can I use the same impersonation domain with multiple "impersonatee" realms pointing to each of the business application?

     

    Regards,

    Aditi



  • 6.  Re: Implementing Impersonation

    Posted 11-14-2016 11:33 PM

    Yes that should be fine.



  • 7.  Re: Implementing Impersonation

    Posted 12-13-2016 12:16 PM

    Hello Ujwol,

     

    I tried making the 3rd realm the real application realm (IM), but since that realm is already protected by a different agent, I am facing issues in protecting it again.

    Will it be fine if I create impersonatee rules in the domain of IM instead of the impersonation domain?

    Impersonation is working fine for the test page and if I provide the link of IM in that success page.

    Then, the impersonator is getting logged in instead of the impersonatee in the IM.

     

    Please suggest.

     

    Regards,

    Aditi