I have a query in the following scenario.
1. Agent user logs into a SiteMinder-protected application.
2. SM authenticates the user and sets the SMSESSION cookie by cookie provider.
3. Agent has the access and hence the user is authorized to access the application.
4. For some transactions, the agent needs authorization from his superior (assume that the agent is accessing a higher auth level and is prompted for login), and here the expected flow is that the superior enters his credentials and allows the agent to complete the transaction. In this scenario, the existing SMSESSION will be updated.
5. Having the updated session, the agent can access other SSO applications. The expectation is that the superior's session should expire after some time limit (10 mins) and the agent's session should continue.
What we are checking here is whether we have any way to manage both the agent's and the superior's sessions. Assume two different SMSESSIONs for agent and superior. Can the session store be used here? Is there any other way?
We have R12.52 Sp2 PS Version.
Have you considered Impersonation?
The agent user can impersonate the superior user's session and can later exit the superior session and return to its own agent user session.
Tech Tip - CA Single Sign-On:Policy Server: How to configure Impersonation?
Thanks Ujwol for quick help.
I had this in mind, but here the agent logs in first and he wanted the superior (i.e. the manager) in his system to enter the login for manager authorization. The manager has to prove the authentication in SM by entering his valid credentials.
I understand that the SMSESSION PUSH/POP happens in impersonation, but I am not sure if this helps in our scenario.
In my scenario, the first logged-in user is a normal user who seeks approval from a privileged user.
I think that in impersonation the privileged user logs in first and shares control with the normal user.
Correct me if this is incorrect. Also, kindly share your thoughts if we have any other options.
Your understanding is correct. For impersonation, the privileged user needs to log in first; this is the user who has the privilege to impersonate other users.
Unfortunately, apart from impersonation, I am not aware of any other use case, where SiteMinder supports maintaining multiple user sessions. There is only ONE SMSESSION cookie at any time.
So what you are trying to achieve might not be possible OOTB.
Thanks Ujwol. Is there any way we can use SESSION STORE in this approach? Not sure we can use it, but just interested to understand if there is any supported feature.
Unfortunately no, the session store cannot fulfill this use case.