Layer7 Access Management


Impersonation for CA Single Sign-On

  • 1.  Impersonation for CA Single Sign-On

    Posted 04-06-2018 01:52 PM

    I wanted to initiate a conversation about a link I was reading - Section: Impersonation for CA Single Sign-On for R12.7 on Windows 2012 R2 x64.  I thought that as of R12.0 Impersonation was inbuilt on the PS, and then GPS built a custom solution with enhanced logging and additional support for certain features (separately licenced)? 


    I have to admit that I haven't done a complete comparison between the two, but this module is available for versions as late as R12.7, and it does seem like CA Product doesn't want to make it part of a standard offering? 


    Some of these seem quite basic in terms of a comprehensive product - compared to other competitors in this space. 


    How should I read this? What am I missing - maybe there are other experts who can correct my position. 

  • 2.  Re: Impersonation for CA Single Sign-On

    Posted 04-06-2018 05:46 PM

    The CA Services Global Delivery (GD) group wrote an impersonation solution first. Later an impersonation feature was implemented within the CA SSO (SiteMinder) product. The two different impersonation solutions are totally separate code bases and, although they both implement similar functionality, they don't have exactly the same feature set and are configured differently. Since the GD solution costs extra, the preferred approach for customers is to use the impersonation feature built into CA SSO. However, there are some use cases the built-in product does not handle, the principal one being where a user has one master account, which is the only account that contains authentication credentials, and then one or more secondary accounts that are linked to the master account and which the user needs to be able to switch between without entering credentials.

  • 3.  Re: Impersonation for CA Single Sign-On

    Posted 04-06-2018 05:53 PM

    Thanks Rich; 


    So does the CA Product team believe that the features that are part of the GD solution should not be part of the core product offering? Even with the latest version, 12.7? 


    I see that the GD feature has been out there for a while now - why are there double standards?

  • 4.  Re: Impersonation for CA Single Sign-On
    Best Answer

    Posted 04-09-2018 10:38 AM

    As I mentioned above, the GD Impersonation PWP preceded the built-in solution. The GD team is restricted to using the same public APIs as are available to the public, with a couple of exceptions, and is not allowed to change core SiteMinder code. When the SiteMinder engineering team created their version of Impersonation, which was meant to be a replacement for the GD solution, they could and did modify the internal code of the SiteMinder Policy Server and Web Agent to create the internal impersonation feature. Since they could modify internal code, they chose a different mechanism for configuring impersonation, using new rule types created just for impersonation, the ImpersonateStart and ImpersonateStartUser impersonation rules. As a side effect of the different implementation approach for providing the same basic "Help Desk" impersonation, it turned out that the internal solution is better suited to some use cases, and the GD solution is still the only way to solve other use cases. I mentioned one use case above where the GD Impersonation is required. The other two use cases are when a customer needs to allow an impersonation session to interact with an ASA agent (an agent embedded in an application server), or if it is required that the impersonation session be allowed to federate out to another site.


    I uploaded a doc that I wrote a while back that compares the features available in the two solutions. Search for Impersonation on this website and you should see the PDF named "Built-in vs GD PWP for Impersonation".



  • 5.  Re: Impersonation for CA Single Sign-On

    Posted 04-09-2018 10:39 AM

    Here is the link to the comparison document I mentioned above:



  • 6.  Re: Impersonation for CA Single Sign-On

    Posted 04-09-2018 11:10 AM

    Hi Rich, Thanks again!


    I see the differences between what CA Product did vs what GD did - I am sure there are more core differences too, on which I will not comment. 


    But here is the question though: 

    Why did the CA product team not consider things such as these as core enhancements to the OOTB implementation of the CA SSO product - even as of R12.7? What is the rationale? Do they see these as features not to be supported OOTB (I understand there could be differences in the implementation)? Why should a customer pay a fee for things that are supposed to be OOTB but are not, for various reasons? Anyway, if this is still not on the roadmap to be added to the OOTB product, I think CA should make the GD implementation free. 


       - Allowing Federation via Impersonation (If Federation is part of the core solution; why would impersonation ignore this?)

       - Allowing multiple linked accounts and associations based on group membership (This kind of seems a basic requirement)

       - Enforcing security levels for impersonation (Again, this seems to be a basic requirement; when SiteMinder enforces security levels, there should have been a feature to enforce or disable the enforcement, with the default being disabled, which is what it is today)

       - Allowing impersonation on locked accounts (ignoring the password policy) - [this seems like a basic need; we have struggled on this front and had to do some dance around this; but again, if a CSR is impersonating, then why would I enforce the password policy?]


    The other things, such as header responses to the application, seem to be there in the OOTB solution. 



  • 7.  Re: Impersonation for CA Single Sign-On

    Posted 04-09-2018 11:20 AM

    To get answers to your latest questions, you would have to direct them to Herbert Mehlhorn (the product manager for CA SSO). I can't answer these questions.



  • 8.  Re: Impersonation for CA Single Sign-On

    Posted 04-09-2018 11:24 AM

    Sure Rich; I was just posing the question in general; I hear you.


    I hope Herbert is looking and will comment on this.