

Security Considerations for Impersonation

The session specification of the impersonator is treated like the session specification of any customer. The major difference is that the distinguished name of the impersonator and the user directory in which the impersonator originally authenticated are present as extra fields. The extra fields let:

The impersonated session specification is also used to prevent impersonation chaining. If the Policy Server determines that the fields for the impersonator DN and user directory are in use, it does not allow further impersonation and rejects the login attempt. This action stops impersonators from stacking one impersonation on top of another to gain access to otherwise restricted resources.

Effects of Authentication Scheme Protection Levels

The protection level at which an impersonator originally authenticated is not checked during impersonation. Normally, when accessing resources in a new realm that an authentication scheme is protecting at a higher level, the user is challenged for new credentials. However, an impersonator is a privileged user, so these types of challenges do not occur during an impersonation session. Protection levels are meant to indicate the strength of the credentials that are used to access resources in a realm. There are no credentials specific to the user being impersonated during impersonation. As a result, protection levels are not considered.

Note: When the impersonated session ends, protection levels are enforced as expected.

Session Idle Timeouts

During an impersonated session, the original session of the impersonator can idle out. Whether this happens depends on the idle timeout value for the realm in which the impersonator originally authenticated. If the impersonator exceeds the original idle timeout value, the impersonation session ends together with the original session of the impersonator. To avoid this situation, increase the session idle timeout for realms in which impersonators commonly authenticate.
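The three rules on this page (the extra impersonator fields block chaining, protection-level challenges are skipped while impersonating, and the impersonated session ends when the impersonator's original session idles out) can be modelled in a few lines. The following is an added illustration written for this page, not Policy Server code or any product API: the session fields, realm names, idle timeouts and protection levels are all constructed assumptions, chosen only to make the checks observable.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed per-realm settings (hypothetical realm names and values).
REALM_IDLE_TIMEOUT = {"employees": 1800, "helpdesk": 600}      # seconds
REALM_PROTECTION_LEVEL = {"employees": 5, "helpdesk": 10}       # higher = stronger credentials


class ImpersonationError(Exception):
    """Raised when the model rejects an impersonation login attempt."""


@dataclass
class SessionSpec:
    """Simplified session specification; the last two fields are the
    'extra fields' that only an impersonated session carries."""
    user_dn: str
    user_dir: str
    realm: str
    auth_level: int           # protection level at which this session authenticated
    last_activity: float      # seconds; refreshed on activity
    impersonator_dn: Optional[str] = None
    impersonator_dir: Optional[str] = None

    def is_impersonated(self) -> bool:
        return self.impersonator_dn is not None and self.impersonator_dir is not None


def is_idle_expired(session: SessionSpec, now: float) -> bool:
    """True once the session has been idle longer than its realm allows."""
    return now - session.last_activity > REALM_IDLE_TIMEOUT[session.realm]


def impersonation_rejection_reason(session: SessionSpec, now: float) -> Optional[str]:
    """Return why impersonation from this session is refused, or None if allowed.
    The chaining rule: if the impersonator fields are already in use, no further
    impersonation is permitted."""
    if session.is_impersonated():
        return "impersonation chaining is not allowed"
    if is_idle_expired(session, now):
        return "impersonator session has idled out"
    return None


def begin_impersonation(original: SessionSpec, target_dn: str,
                        target_dir: str, now: float) -> SessionSpec:
    """Create the impersonated session, recording the impersonator's DN and
    user directory in the extra fields."""
    reason = impersonation_rejection_reason(original, now)
    if reason is not None:
        raise ImpersonationError(reason)
    return SessionSpec(
        user_dn=target_dn,
        user_dir=target_dir,
        realm=original.realm,
        auth_level=original.auth_level,
        last_activity=now,
        impersonator_dn=original.user_dn,
        impersonator_dir=original.user_dir,
    )


def touch(session: SessionSpec, now: float) -> None:
    """Record activity on one session only; activity on the impersonated
    session does not refresh the impersonator's original session."""
    session.last_activity = now


def impersonation_active(original: SessionSpec, impersonated: SessionSpec, now: float) -> bool:
    """The impersonated session lives only as long as the original session has
    not idled out (and it has not idled out itself)."""
    return not is_idle_expired(original, now) and not is_idle_expired(impersonated, now)


def challenge_required(session: SessionSpec, target_realm: str) -> bool:
    """Normal rule: a realm protected at a higher level than the session's
    authentication level triggers a credential challenge. During impersonation
    there are no credentials specific to the impersonated user, so no challenge."""
    if session.is_impersonated():
        return False
    return REALM_PROTECTION_LEVEL[target_realm] > session.auth_level


if __name__ == "__main__":
    admin = SessionSpec("uid=admin,ou=people,dc=example,dc=com", "corp-ldap", "employees", 5, 0.0)
    imp = begin_impersonation(admin, "uid=jdoe,ou=people,dc=example,dc=com", "corp-ldap", 100.0)
    print("chained impersonation refused:", impersonation_rejection_reason(imp, 200.0))
    print("challenge for helpdesk as admin:", challenge_required(admin, "helpdesk"))
    print("challenge for helpdesk while impersonating:", challenge_required(imp, "helpdesk"))
    touch(imp, 1500.0)
    print("still active at t=1000:", impersonation_active(admin, imp, 1000.0))
    print("still active at t=2000:", impersonation_active(admin, imp, 2000.0))
```

Run it and the last two lines show the idle-timeout effect: activity on the impersonated session at t=1500 does not keep the admin's original session alive, so once that session passes the 1800-second realm timeout the impersonation ends with it. Raising `REALM_IDLE_TIMEOUT["employees"]` is the model's equivalent of the mitigation the page recommends.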