I have a couple of queries related to impersonation:
a. What is the suggested way to implement impersonation, considering the security aspects of the application?
Currently in my setup, once the impersonator is finished with his work he clicks on a link which ends his impersonation, and the next page gives him an option to perform the impersonation again (basically I am redirecting back to the same page which the impersonator accessed at first to start the impersonation). Is it the right way of implementing impersonation to give the impersonator the option to perform the impersonation again, or is it better to end the session for the impersonator?
b. In my setup, once the impersonator performs login, he is provided with an option to enter the id of the user to impersonate. Once the impersonator enters the impersonatee id and clicks on submit, you have the session for the impersonatee, which allows the impersonator to test the application and also gives the impersonator an option to access other applications which the impersonatee has access to. How can I restrict this such that the impersonator can only access the particular application which can be impersonated and not the other applications?
c. Is it necessary to protect the page (e.g. endimp.fcc) which is used for ending the impersonation?
a. I see no problem redirecting the impersonator back to the original page where he started the impersonation. He is authorized for that. If you do not allow that, it might be rather annoying, as he has to log back in every time he wants to impersonate a user. You can redirect him to the LogOffUri from endimp.fcc if you want to terminate the impersonator session as well.
b. I don't think this is possible. Once impersonation completes, this session is no different from the actual impersonatee session when he himself logged in.
c. I don't see any security risk in leaving endimp.fcc unprotected, as all it does is terminate the impersonatee session and get back to the impersonator session, followed by a redirection to the impersonator resource. If there is no existing session (considering unprotected access), then all it will do is redirect to the impersonator resource, which will be challenged anyway as there is no existing session.
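As an added illustration (not part of the original question or answer, and not SiteMinder code), the following toy Python model walks through the three points above: the impersonation session carries only the impersonatee identity as far as applications are concerned (point b), the end-impersonation page either restores the impersonator's own session or sends him to the logoff URI (point a), and an unauthenticated hit on that page has nothing to terminate and only produces a redirect to a protected resource (point c). Every name in it (Session, start_impersonation, end_impersonation, authorize, START_IMP_PAGE, LOGOFF_URI, APP_PAGE and the sample ACL) is hypothetical and chosen for the model.

```python
# Added illustration: a toy model of the impersonation session flow discussed above.
# This is NOT SiteMinder code; all names (Session, start_impersonation,
# end_impersonation, authorize, START_IMP_PAGE, LOGOFF_URI, APP_PAGE, SAMPLE_ACL)
# are invented for this example.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

START_IMP_PAGE = "/impersonator/start"  # assumed: protected page where impersonation begins
LOGOFF_URI = "/logoff"                  # assumed: the agent's LogOffUri
APP_PAGE = "/app/home"                  # assumed: landing page of the impersonated application


@dataclass(frozen=True)
class Session:
    # The identity every protected application sees.
    user: str
    # Remembered only so the end-impersonation page can restore the original
    # session; applications never consult it.
    impersonator: Optional[str] = None

    @property
    def is_impersonation(self) -> bool:
        return self.impersonator is not None


Action = Tuple[str, str]  # ("redirect" | "challenge", target URL)


def start_impersonation(session: Optional[Session], target_user: str) -> Tuple[Optional[Session], Action]:
    """The start page is protected: without a session the request is challenged."""
    if session is None:
        return None, ("challenge", START_IMP_PAGE)
    if session.is_impersonation:
        # No nesting: the current impersonation has to be ended first.
        return session, ("redirect", START_IMP_PAGE)
    return Session(user=target_user, impersonator=session.user), ("redirect", APP_PAGE)


def authorize(session: Optional[Session], app: str, acl: Dict[str, Set[str]]) -> bool:
    """Applications only see session.user, so an impersonation session is
    indistinguishable from the impersonatee's own login (point b above)."""
    return session is not None and app in acl.get(session.user, set())


def end_impersonation(session: Optional[Session], terminate_impersonator: bool = False) -> Tuple[Optional[Session], Action]:
    """Model of an unprotected end-impersonation page (point c above)."""
    if session is None:
        # Nothing to terminate; the redirect target is protected and will be challenged.
        return None, ("challenge", START_IMP_PAGE)
    if not session.is_impersonation:
        # An ordinary session: nothing to end, just return to the start page.
        return session, ("redirect", START_IMP_PAGE)
    if terminate_impersonator:
        # Variant from point a: drop both sessions by sending the user to LogOffUri.
        return None, ("redirect", LOGOFF_URI)
    # Default: drop the impersonatee session and fall back to the impersonator's own.
    return Session(user=session.impersonator), ("redirect", START_IMP_PAGE)


# Constructed sample ACL: bob is entitled to two applications, not only the one under test.
SAMPLE_ACL: Dict[str, Set[str]] = {
    "alice": {"support-console"},
    "bob": {"crm", "payroll"},
}

if __name__ == "__main__":
    admin = Session(user="alice")
    imp, _ = start_impersonation(admin, "bob")
    print("impersonating:", imp)
    print("crm:", authorize(imp, "crm", SAMPLE_ACL), "payroll:", authorize(imp, "payroll", SAMPLE_ACL))
    print("end:", end_impersonation(imp))
    print("end + logoff:", end_impersonation(imp, terminate_impersonator=True))
    print("no session:", end_impersonation(None))
```

Running the module shows that, while impersonating bob, the check for "payroll" passes just like the check for "crm", which is the restriction the answer says cannot be enforced at this layer; and that calling end_impersonation with no session at all yields only a challenge for the protected start page.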
Ujwol's Single Sign-On Blog