Layer 7 Access Management

Tech Tip - CA Single Sign-On: Policy Server: How to configure Impersonation?

02-28-2016 04:17 AM

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Feb 28, 2016

 

Problem Summary

 

Impersonation provides a method for a privileged user to:

  • Assume the role of another user without ending the session of the privileged user.
  • Temporarily assume the identity of another user.

Impersonation does not require users to disclose passwords for one user to impersonate another.

 

In this article we will discuss in detail how to configure impersonation in CA Single Sign-On r12.5x.

 

Configuration Overview

 

This section outlines the overall process for configuring the Impersonation feature in CA Single Sign-On r12.5x.

1. SiteMinder Policy Configuration

   a. Create the Impersonation Authentication Scheme.

   b. Create the Impersonator Domain with three realms:

      Realm 1 : impersonator
          Authentication Scheme : HTML (or any other authentication scheme)
          Protects : /impersonator/
          Rule 1 : GetPost-Impersonator
              Resource = *
              Action = Get, POST

      Realm 2 : startImpersonation
          Authentication Scheme : Impersonation
          Protects : /startimpersonation/
          Rule 1 : GetPost-startImpersonation
              Resource = *
              Action = Get, POST
          Rule 2 : ImpersonateStart
              Resource = *
              Action = ImpersonateStart
          Rule 3 : ImpersonateStartUser
              Resource = *
              Action = ImpersonateStartUser

      Realm 3 : impersonatee
          Authentication Scheme : HTML (or any other authentication scheme)
          Protects : /impersonatee/
          Rule 1 : GetPost-Impersonatee
              Resource = *
              Action = Get, POST
          Rule 2 : ImpersonateStart
              Resource = *
              Action = ImpersonateStart
          Rule 3 : ImpersonateStartUser
              Resource = *
              Action = ImpersonateStartUser

   c. Create the Policies for Impersonation:

      Policy 1 : Impersonators
          Users : Help-Desk
          Rule 1 : GetPost-Impersonator from impersonator realm
          Rule 2 : ImpersonateStart from impersonatee realm
          Rule 3 : ImpersonateStart from startImpersonation realm

      Policy 2 : StartImpersonation
          Users : Customers
          Rule 1 : GetPost-startImpersonation from startImpersonation realm
          Rule 2 : ImpersonateStartUser from startImpersonation realm

      Policy 3 : Impersonatees
          Users : Customers
          Rule 1 : GetPost-Impersonatee from impersonatee realm
          Rule 2 : ImpersonateStartUser from impersonatee realm

   d. Protect startimp.fcc by setting the OverrideIgnoreExtFilter ACO parameter to startimp.fcc, as below:

          OverrideIgnoreExtFilter=/impersonator/startimp.fcc

   e. Disable FCC compatibility mode by setting the FCCCompatMode ACO parameter to No:

          FCCCompatMode=No

2. Create the files required for Impersonation

   a. Create the FCC file that starts impersonation - startimp.fcc

          Place this file under the /impersonator/ directory.

   b. Create the FCC file that ends impersonation - endimp.fcc

          Place this file under the /impersonatee/ directory.
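The realm, rule and policy table in step 1 can be read as an authorization matrix, and the point worth seeing is that an impersonation needs a grant on both sides: the impersonator must hold ImpersonateStart and the impersonatee must hold ImpersonateStartUser in the realm where impersonation begins. The following Python model is an added example, not CA Single Sign-On code: it encodes sections 1b and 1c as plain data and evaluates them as the article describes. The group names (Help-Desk, Customers), realm names, rule names and actions come from the table above; the sample user IDs (hd.admin, hd.agent, alice, bob) and the function names authorize and can_start_impersonation are constructed for this illustration.

```python
"""Toy evaluator for the impersonation policy table in this tech tip.

Added example, not CA Single Sign-On code. Realms, rules and policies from
sections 1b and 1c are encoded as data and evaluated the way the article
describes, so that it is visible why an impersonation needs a grant on BOTH
sides (ImpersonateStart for the impersonator, ImpersonateStartUser for the
impersonatee). Sample user IDs and function names are this example's own.
"""

# Constructed sample users, grouped the way the policies bind them.
GROUPS = {
    "Help-Desk": {"hd.admin", "hd.agent"},
    "Customers": {"alice", "bob"},
}

# Realm -> rule name -> set of actions the rule covers (section 1b).
# "Get, POST" rules are expanded to both HTTP methods.
REALM_RULES = {
    "impersonator": {
        "GetPost-Impersonator": {"GET", "POST"},
    },
    "startImpersonation": {
        "GetPost-startImpersonation": {"GET", "POST"},
        "ImpersonateStart": {"ImpersonateStart"},
        "ImpersonateStartUser": {"ImpersonateStartUser"},
    },
    "impersonatee": {
        "GetPost-Impersonatee": {"GET", "POST"},
        "ImpersonateStart": {"ImpersonateStart"},
        "ImpersonateStartUser": {"ImpersonateStartUser"},
    },
}

# Policy -> (bound user group, {(realm, rule name)}) (section 1c).
POLICIES = {
    "Impersonators": ("Help-Desk", {
        ("impersonator", "GetPost-Impersonator"),
        ("impersonatee", "ImpersonateStart"),
        ("startImpersonation", "ImpersonateStart"),
    }),
    "StartImpersonation": ("Customers", {
        ("startImpersonation", "GetPost-startImpersonation"),
        ("startImpersonation", "ImpersonateStartUser"),
    }),
    "Impersonatees": ("Customers", {
        ("impersonatee", "GetPost-Impersonatee"),
        ("impersonatee", "ImpersonateStartUser"),
    }),
}


def groups_of(user):
    """Groups the user belongs to (stand-in for the user directory lookup)."""
    return {g for g, members in GROUPS.items() if user in members}


def authorize(user, realm, action):
    """True if some policy binds a group containing `user` to a rule in
    `realm` whose actions include `action`. Unknown realms or actions,
    and anything not explicitly granted, are denied."""
    rules = REALM_RULES.get(realm, {})
    matching = {name for name, actions in rules.items() if action in actions}
    if not matching:
        return False
    user_groups = groups_of(user)
    for group, grants in POLICIES.values():
        if group in user_groups and any((realm, r) in grants for r in matching):
            return True
    return False


def can_start_impersonation(impersonator, impersonatee, realm):
    """Impersonation in `realm` requires the impersonator to be authorized
    for ImpersonateStart AND the impersonatee for ImpersonateStartUser."""
    return (authorize(impersonator, realm, "ImpersonateStart")
            and authorize(impersonatee, realm, "ImpersonateStartUser"))


if __name__ == "__main__":
    # Help-Desk impersonating a Customer in the startImpersonation realm: allowed.
    print(can_start_impersonation("hd.admin", "alice", "startImpersonation"))
    # A Customer trying to impersonate another Customer: denied (no ImpersonateStart).
    print(can_start_impersonation("alice", "bob", "startImpersonation"))
    # Help-Desk impersonating another Help-Desk user: denied (no ImpersonateStartUser).
    print(can_start_impersonation("hd.admin", "hd.agent", "startImpersonation"))
    # Help-Desk has no GetPost rule in the impersonatee realm in its own right.
    print(authorize("hd.admin", "impersonatee", "GET"))
```

Two results of the model are worth noting against the table. First, a Help-Desk user cannot impersonate another Help-Desk user, because only the Customers group is bound to an ImpersonateStartUser rule; the impersonatee side of the check fails. Second, the Impersonators policy grants no GetPost rule in the impersonatee realm, so a Help-Desk user reaches /impersonatee/ only through an impersonated session, which is exactly the behaviour the testing steps below walk through.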

 

Testing

 

  1. Access /impersonator/index.asp and log in with the Help Desk Administrator (impersonator) credentials.
  2. Click the "Start Impersonation" link. This opens the URL /impersonator/startimp.fcc.
  3. The impersonator is now prompted to enter the user ID of the person to be impersonated (the impersonatee). Enter the impersonatee user ID and click the "Impersonate" button.
  4. Impersonation completes and the impersonator is redirected to the success.asp page in the startImpersonation realm as the impersonatee user.
  5. From here on, the impersonator can access resources in the impersonatee realm by clicking the button.
  6. To end impersonation, click the "End Impersonation" link. This opens the URL /impersonatee/endimp.fcc.
  7. Impersonation ends and the user is redirected to the target configured in endimp.fcc, which is /impersonator/index.asp.

 

Screenshots - Configuration

 

Fig 0 : Impersonation Authentication Scheme

Fig 1 : Impersonation Domain

Fig 2 : Realms

Fig 3 : Impersonator Realm

Fig 4 : GetPost-Impersonator Rule

Fig 5 : Impersonatee Realm

Fig 6 : GetPost-Impersonatee Rule

Fig 7 : ImpersonateStartUser Rule

Fig 8 : ImpersonateStart Rule

Fig 9 : startImpersonation Realm

Fig 10 : GetPost-startImpersonation Rule - startImpersonation Realm

Fig 11 : ImpersonateStart Rule - startImpersonation Realm

Fig 12 : ImpersonateStartUser Rule - startImpersonation Realm

Fig 13 : Impersonators Policy --> Users

Fig 14 : Impersonators Policy --> Rules

Fig 15 : Impersonatees Policy --> Users

Fig 16 : Impersonatees Policy --> Rules

Fig 17 : StartImpersonation Policy --> Users

Fig 18 : StartImpersonation Policy --> Rules

Fig 19 : ACO : OverrideIgnoreExtFilter

Fig 20 : ACO : FCCCompatMode

Fig 21 : Impersonatee directory structure

Fig 22 : Impersonator directory structure

Fig 23 : startImpersonation directory structure

Fig 24 : FCC to start impersonation - startimp.fcc

Fig 25 : FCC to end impersonation - endimp.fcc

Screenshots - Testing

 

Fig 0 : Access the impersonator resource and log in as the impersonator

Fig 1 : Click the "Start Impersonation" link

Fig 2 : Provide the user ID of the impersonatee and click the "Impersonate" button

Fig 3 : Impersonation completes successfully and redirects to the impersonatee resource /startimpersonation/success.asp, which is protected by the Impersonation authentication scheme. Click the "Browse Impersonatee Realm" link to browse other impersonatee resources that are not protected by the Impersonation authentication scheme (e.g. protected by a Basic, HTML or custom authentication scheme).

Fig 5 : Impersonation completes and redirects to the impersonatee resource /impersonatee/index.asp. Click the "End Impersonation" link to end impersonation.

Fig 6 : Impersonation ends and redirects back to the impersonator resource /impersonator/index.asp

 

Attachments:

  • All the sample files
  • Fiddler from Impersonation Testing

 

References

Impersonation - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

Attachment(s):

  • Impersonation.zip (3K, uploaded 05-29-2019)
  • ImpersonationTesting.saz.zip (42K, uploaded 05-29-2019)


Comments

03-09-2018 05:54 PM

How do I implement the authentication scheme so that one impersonator can only impersonate some of the impersonatees?

For example: we have lots of clients, and each client has an administrator account. I want the client's administrator to be able to impersonate only the end users belonging to that client.

Thanks


08-22-2016 03:53 AM

Revision 2 : 22/8/2016

 

In a practical use case, a customer wants the impersonatee realm to be protected by ANY authentication scheme other than the Impersonation auth scheme.

So I revised the doc to address this use case.

To fulfill this use case, an intermediate realm has to be added, which I call the "startImpersonation" realm. ONLY this realm, from where the customer wants to begin the impersonation, needs to be protected by the Impersonation auth scheme. All other impersonatee realms can be protected by ANY other authentication scheme.

08-22-2016 03:49 AM

Hi Anirudh Tanyyala,

Sorry for the much delayed response on this one.

Yes, you are right. The impersonatee GetPost rule can be removed from the Impersonators policy.

I have updated the tech doc; please refer to the above for the same.

 

Regards,

Ujwol Shrestha

Ujwol's Single Sign-On Blog

02-29-2016 10:35 AM

Hi Ujwol,

 

Thanks for the detailed explanation. I have a doubt here: as per the screenshots, you have added the impersonatee GetPost rule to both the impersonator and impersonatee policies. The impersonatee GetPost rule needs to be removed from the impersonator policy. Please let me know if this is the correct understanding.

 

Thanks,

Anirudh.
