Definition:
Impersonation is a method where a privileged user assumes the identity of another user without losing the privileged user's session.
Example:
Admin URL: www.xyz.com
Target URL: www.xyz.com/imperso/targetURL
End User Application: www.xyz.com/application
Impersonator: Privileged user who can assume the identity of another user
Impersonatee: User whose identity is assumed by the Impersonator
Request Flow:
1) The Impersonator logs into the Admin URL www.xyz.com, which is protected by Siteminder. Siteminder creates an SMSESSION for the Impersonator.
2) The Impersonator clicks on the Target URL www.xyz.com/imperso/targetURL, which initiates the impersonation journey, since the Target URL is protected by the Impersonation Authentication Scheme. The Impersonation Authentication Scheme prompts for the Impersonatee's user name.
3) The Impersonator lands on the Target URL as the Impersonatee. Siteminder creates an SMSESSION for the Impersonatee and saves the Impersonator's session as SMSAVEDSESSION.
4) The Impersonator now assumes the identity of the Impersonatee and accesses the End User Application.
5) The Impersonator clicks logout to end the impersonation journey, which does the following: the SMSAVEDSESSION cookie of the Impersonator is restored to SMSESSION, and SMSAVEDSESSION returns a NULL value.
Siteminder Configurations:
In the above example, consider that Imperso.fcc, Impersologout.fcc and TargetURL are placed under www.xyz.com/imperso/
Realm 1: Create a realm for /imperso/
Authentication Scheme: Impersonation Auth Scheme [www.xyz.com/imperso/Imperso.fcc]
Rules: Get/Post, ImpersoStart, ImpersoStartUser
Realm 2 for Admin URL [an existing realm which creates an SMSESSION for the Impersonator]
Authentication Scheme: HTML Forms Authentication Scheme
Rules: Get/Post [existing rules]
Realm 3 for End User Application [existing realm]
Rules: Create ImpersoStart and ImpersoStartUser actions for each of the existing rules.
Policies:
Impersonator policy: Add all the ImpersoStart rules under this policy.
User Group: Only Impersonator
Impersonatee policy: Add all the ImpersoStartUser rules under this policy.
User Group: Only Impersonatee
Access policy: Add Get/Post Rule from Realm 1
As part of impersonation, the Imperso.fcc file has to be protected. Since FCC files are ignored as part of the IgnoreExt parameter in the ACO, create the following:
OverrideIgnoreExt = /Imperso.fcc
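The request flow and the two policies above can be traced with a small model. This is an added example, not Siteminder code or part of the original post: the cookie names and rule actions come from the page, while the user names, policy sets and function names are hypothetical, and a plain user name stands in for the encrypted session token.

```python
# Simplified model of the impersonation flow described above (not Siteminder code).
# SMSESSION / SMSAVEDSESSION and ImpersoStart / ImpersoStartUser are from the page;
# all user names, sets and functions below are hypothetical.

IMPERSONATOR_POLICY = {"helpdesk_admin"}   # users bound to the ImpersoStart rules
IMPERSONATEE_POLICY = {"alice", "bob"}     # users bound to the ImpersoStartUser rules


class ImpersonationDenied(Exception):
    """Raised when either policy refuses the impersonation request."""


def login(user):
    """Step 1: a normal login creates SMSESSION for the user."""
    return {"SMSESSION": user, "SMSAVEDSESSION": None}


def start_impersonation(cookies, impersonatee):
    """Steps 2-3: both policies must allow before the sessions are swapped."""
    impersonator = cookies.get("SMSESSION")
    if impersonator not in IMPERSONATOR_POLICY:
        raise ImpersonationDenied("caller is not covered by the Impersonator policy")
    if impersonatee not in IMPERSONATEE_POLICY:
        raise ImpersonationDenied("target is not covered by the Impersonatee policy")
    # The privileged session is saved, not discarded.
    return {"SMSESSION": impersonatee, "SMSAVEDSESSION": impersonator}


def end_impersonation(cookies):
    """Step 5: logout restores the saved session and clears SMSAVEDSESSION."""
    saved = cookies.get("SMSAVEDSESSION")
    if saved is None:
        raise ValueError("no impersonation in progress")
    return {"SMSESSION": saved, "SMSAVEDSESSION": None}


def audit_identity(cookies):
    """Return (effective_user, real_actor) so logs can attribute actions correctly."""
    effective = cookies.get("SMSESSION")
    return effective, cookies.get("SMSAVEDSESSION") or effective


if __name__ == "__main__":
    session = start_impersonation(login("helpdesk_admin"), "alice")
    print(audit_identity(session))        # application sees alice, actor is helpdesk_admin
    print(end_impersonation(session))     # privileged session restored
```

The `audit_identity` helper shows why the saved session matters for logging: while impersonation is active, the application sees the Impersonatee, so the real actor has to be recorded separately.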
Hope this documentation helps! For any queries, please comment.
Comments:
Good to start understanding of SM impersonation
Good starting point and provides high level info.