Previous Topic: Legacy Federation Authentication SchemesNext Topic: Certificate Mapping and Validity Checking for X.509 Certificates


Impersonation Authentication Schemes

By configuring a series of Policy Server objects, you can allow privileged users to impersonate other users. This feature is useful in situations where a helpdesk or customer service representative must troubleshoot problems for a customer, or when an employee is out of the office.

Part of the impersonation process requires an impersonation authentication scheme, which allows a privileged user to begin the impersonation process, identify the user to be impersonated (impersonatee), and establish an impersonation session. This authentication scheme is similar to the HTML Forms authentication scheme.

Impersonation Scheme Prerequisites

Verify that the following prerequisites are met before configuring an Impersonation authentication scheme:

Note: Directory mapping does not support impersonation. The impersonatee, the user being impersonated, must be uniquely present in the authentication directories that are associated with the domain or the impersonation fails.

More information:

User Directories

Configure an Impersonation Authentication Scheme

You use an Impersonation authentication scheme to let privileged users impersonate other users.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.

    Verify that the Create a new object of type Authentication Scheme is selected.

    Click OK

  4. Enter a name and a protection level.
  5. Select Impersonation Template from the Authentication Scheme Type list.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  6. Enter the server name and target information.
  7. Click Submit.

    The authentication scheme is saved and can be assigned to a realm.