Tech Tip - CA Single Sign-On: Policy Server: How to configure Impersonation?

Document created by Ujwol Shrestha (Employee) on Feb 28, 2016. Last modified by kristen.palazzolo on Dec 17, 2016. Version 6.

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Feb 28, 2016

 

Problem Summary

 

Impersonation provides a method for a privileged user to:

  • Assume the role of another user without ending the session of the privileged user.
  • Temporarily assume the identity of another user.

Impersonation does not require users to disclose passwords for one user to impersonate another.

 

In this article we will discuss in detail how to configure impersonation in CA Single Sign-On r12.5x.

 

Configuration Overview

 

This section outlines the overall process for configuring the Impersonation feature in CA Single Sign-On r12.5x.

1. SiteMinder Policy Configuration

a. Create the Impersonation Authentication Scheme.

b. Create the Impersonator Domain with three realms:

     Realm 1 : impersonator
          Authentication Scheme : HTML (or any other authentication scheme)
          Protects : /impersonator/
          Rule 1 : GetPost-Impersonator
               Resource = *
               Action = Get, POST

     Realm 2 : startImpersonation
          Authentication Scheme : Impersonation
          Protects : /startimpersonation/
          Rule 1 : GetPost-startImpersonation
               Resource = *
               Action = Get, POST
          Rule 2 : ImpersonateStart
               Resource = *
               Action = ImpersonateStart
          Rule 3 : ImpersonateStartUser
               Resource = *
               Action = ImpersonateStartUser

     Realm 3 : impersonatee
          Authentication Scheme : HTML (or any other authentication scheme)
          Protects : /impersonatee/
          Rule 1 : GetPost-Impersonatee
               Resource = *
               Action = Get, POST
          Rule 2 : ImpersonateStart
               Resource = *
               Action = ImpersonateStart
          Rule 3 : ImpersonateStartUser
               Resource = *
               Action = ImpersonateStartUser

c. Create Policies for Impersonation:

     Policy 1 : Impersonators
          Users : Help-Desk
          Rule 1 : GetPost-Impersonator from impersonator realm
          Rule 2 : ImpersonateStart from impersonatee realm
          Rule 3 : ImpersonateStart from startImpersonation realm

     Policy 2 : StartImpersonation
          Users : Customers
          Rule 1 : GetPost-startImpersonation from startImpersonation realm
          Rule 2 : ImpersonateStartUser from startImpersonation realm

     Policy 3 : Impersonatees
          Users : Customers
          Rule 1 : GetPost-Impersonatee from impersonatee realm
          Rule 2 : ImpersonateStartUser from impersonatee realm

 

d. Protect startimp.fcc by adding it to the OverrideIgnoreExtFilter ACO parameter. The .fcc extension is in the Web Agent's default IgnoreExt list, so without this override the file would be served unprotected:

    OverrideIgnoreExtFilter=/impersonator/startimp.fcc

e. Disable FCC compatibility mode by setting the FCCCompatMode ACO parameter to No:

    FCCCompatMode=No

2. Create the files required for Impersonation

      1. Create the FCC file that starts impersonation - startimp.fcc
                  Place this file under the /impersonator/ directory.

      2. Create the FCC file that ends impersonation - endimp.fcc
                  Place this file under the /impersonatee/ directory.
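To make the division of rights in step 1c easy to inspect, the following Python model encodes the three policies exactly as listed above and evaluates who may impersonate whom in which realm. It is an added example, not part of the original article or of CA Single Sign-On: the user names and the "Auditors" group are constructed, and it assumes the documented meaning of the two actions, namely that ImpersonateStart authorizes the impersonator and ImpersonateStartUser authorizes the account being impersonated, both in the realm where impersonation takes place.

```python
# Added example: a model of the impersonation policy matrix from step 1c above.
# Not part of the article or of CA Single Sign-On; it only encodes the page's
# realms, rules and policies so the resulting rights can be inspected.

# Constructed user directory: user -> set of groups. "Help-Desk" and
# "Customers" are the groups named on the page; "Auditors" and the user
# names are constructed for the example.
DIRECTORY = {
    "helpdesk1": {"Help-Desk"},
    "helpdesk2": {"Help-Desk"},
    "alice": {"Customers"},
    "bob": {"Customers"},
    "auditor": {"Auditors"},
}

# Policies as laid out on the page: (policy, user group, {(realm, action)}).
# Each GetPost rule is expanded into its two actions.
POLICIES = [
    ("Impersonators", "Help-Desk", {
        ("impersonator", "Get"), ("impersonator", "POST"),
        ("impersonatee", "ImpersonateStart"),
        ("startImpersonation", "ImpersonateStart"),
    }),
    ("StartImpersonation", "Customers", {
        ("startImpersonation", "Get"), ("startImpersonation", "POST"),
        ("startImpersonation", "ImpersonateStartUser"),
    }),
    ("Impersonatees", "Customers", {
        ("impersonatee", "Get"), ("impersonatee", "POST"),
        ("impersonatee", "ImpersonateStartUser"),
    }),
]

REALMS = ("impersonator", "startImpersonation", "impersonatee")


def is_authorized(user, realm, action):
    """True if some policy binds one of the user's groups to (realm, action)."""
    groups = DIRECTORY.get(user, set())
    return any(group in groups and (realm, action) in rules
               for _, group, rules in POLICIES)


def can_impersonate(impersonator, impersonatee, realm):
    """Impersonation in a realm needs two independent grants (assumed documented
    semantics): ImpersonateStart for the impersonator and ImpersonateStartUser
    for the account being impersonated. Either missing grant denies it."""
    return (is_authorized(impersonator, realm, "ImpersonateStart")
            and is_authorized(impersonatee, realm, "ImpersonateStartUser"))


def deny_reason(impersonator, impersonatee, realm):
    """Explain a denial the way a policy reviewer reads it: which side lacks
    its grant. Returns None when impersonation is allowed."""
    if not is_authorized(impersonator, realm, "ImpersonateStart"):
        return f"{impersonator} lacks ImpersonateStart in realm {realm}"
    if not is_authorized(impersonatee, realm, "ImpersonateStartUser"):
        return f"{impersonatee} lacks ImpersonateStartUser in realm {realm}"
    return None


def impersonation_matrix():
    """All (impersonator, impersonatee, realm) triples the configuration permits."""
    return sorted(
        (a, b, r)
        for a in DIRECTORY for b in DIRECTORY for r in REALMS
        if a != b and can_impersonate(a, b, r)
    )


if __name__ == "__main__":
    for triple in impersonation_matrix():
        print("ALLOW", *triple)
    for case in [("alice", "bob", "impersonatee"),
                 ("helpdesk1", "helpdesk2", "impersonatee"),
                 ("helpdesk1", "auditor", "impersonatee"),
                 ("helpdesk1", "alice", "impersonator")]:
        print("DENY ", *case, "->", deny_reason(*case))
```

Running the model shows three properties of the configuration worth checking before going live: a Customer can never start impersonation (no ImpersonateStart grant), a Help-Desk account can never be impersonated (it is not in the Customers group, so it never holds ImpersonateStartUser), and no impersonation is possible in the impersonator realm because neither action is granted there. It also shows that a Help-Desk user as themselves has no Get/POST access to the impersonatee realm; they reach it only after assuming a Customer identity, which is why the Impersonators policy needs ImpersonateStart rules from both the startImpersonation and the impersonatee realms.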

 

Testing

 

  1. Access /impersonator/index.asp and log in with the Help Desk Administrator (impersonator) credentials.
  2. Click the link "Start Impersonation". This opens the URL /impersonator/startimp.fcc.
  3. The impersonator is now prompted for the user ID of the person to be impersonated (the impersonatee). Enter the impersonatee's user ID and click the "Impersonate" button.
  4. Impersonation completes and the impersonator is redirected to the success.asp page in the startImpersonation realm as the impersonatee user.
  5. From here on, the impersonator can access resources in the impersonatee realm by clicking the link provided on that page (for example "Browse Impersonatee Realm").
  6. To end impersonation, click the link "End Impersonation". This opens the URL /impersonatee/endimp.fcc.
  7. Impersonation ends and the user is redirected to the target configured in endimp.fcc, which is /impersonator/index.asp.

 

Screenshots - Configuration

 

Fig 0 : Impersonation Authentication Scheme

Fig 1 : Impersonation Domain

Fig 2 : Realms

Fig 3 : Impersonator Realm

Fig 4 : GetPost-Impersonator Rule

Fig 5 : Impersonatee Realm

Fig 6 : GetPost-Impersonatee Rule

Fig 7 : ImpersonationStartUser Rule

Fig 8 : ImpersonationStart Rule

Fig 9 : startImpersonation Realm

Fig 10 : GetPost-startImpersonation Realm

Fig 11 : ImpersonateStart - startImpersonation Realm

Fig 12 : ImpersonateStartUser - startImpersonation Realm

Fig 13 : Impersonators Policy --> Users

Fig 14 : Impersonators Policy --> Rules

Fig 15 : Impersonatees Policy --> Users

Fig 16 : Impersonatees Policy --> Rules

Fig 17 : StartImpersonation Policy --> Users

Fig 18 : StartImpersonation Policy --> Rules

Fig 19 : ACO : OverrideIgnoreExtFilter

Fig 20 : ACO : FCCCompatMode

Fig 21 : Impersonatee Directory structure

Fig 22 : Impersonator Directory structure

Fig 23 : startImpersonation Directory structure

Fig 24 : FCC to start Impersonation - startimp.fcc

Fig 25 : FCC to end Impersonation - endimp.fcc

Screenshots - Testing

 

Fig 0 : Access the Impersonator resource and log in as the Impersonator

Fig 1 : Click link - Start Impersonation

Fig 2 : Provide the user ID of the Impersonatee and click button - Impersonate

Fig 3 : Impersonation completes successfully and redirects to the impersonatee resource /startimpersonation/success.asp, which is protected by the Impersonation authentication scheme. Click link - Browse Impersonatee Realm to browse other impersonatee resources that are not protected by the Impersonation authentication scheme (e.g. protected by a Basic, HTML or custom authentication scheme).

Fig 5 : Impersonation completes and redirects to the impersonatee resource /impersonatee/index.asp. Click link - End Impersonation to end impersonation.

Fig 6 : Impersonation ends and redirects back to the Impersonator resource /impersonator/index.asp

 

Attachments:

  • All the sample files
  • Fiddler from Impersonation Testing

 

References

Impersonation - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
