Policy Server Guides › Policy Server Configuration Guide › Authentication Schemes › Impersonation Authentication Schemes

Impersonation Authentication Schemes

By configuring a series of Policy Server objects, you can allow privileged users to impersonate other users. This feature is useful in situations where a helpdesk or customer service representative must troubleshoot problems for a customer, or when an employee is out of the office. Part of the impersonation process requires an impersonation authentication scheme which allows a privileged user to begin the impersonation process, identify the user to be impersonated (impersonatee), and establish an impersonation session. This authentication scheme is similar to the HTML Forms authentication scheme.

More information:

Impersonation

Impersonation Scheme Prerequisites

Verify that the following prerequisites are met before configuring an Impersonation authentication scheme:

• A customized .fcc file resides on a Web Agent server in the cookie domain in which you want to implement impersonation. CA provides sample .fcc files under the /forms subdirectory, where you installed your Web Agent.

  For general details about composing .fcc files, see SiteMinder FCC Files. For information about specific .fcc file requirements for impersonation, see Enable Impersonation through an .fcc File.

• Directory connections exist between the Policy Server and the user directories containing impersonators and impersonatees.
• The following default HTML forms library, which handles authentication processing is installed on the Policy Server:
  • smauthimpersonate.dll on Windows
  • smauthimpersonate.so on Solaris

  These libraries handle authentication processing These files are installed automatically when you install the Policy Server.

Note: Directory mapping does not support impersonation. The impersonatee, the user being impersonated, must be uniquely present in the authentication directories that are associated with the domain or the impersonation fails.

More information:

User Directories

Configure an Impersonation Authentication Scheme

You use an Impersonation authentication scheme to let privileged users impersonate other users.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

1. Click Infrastructure, Authentication.
2. Click Authentication Schemes.

   The Authentication Schemes page appears.

3. Click Create Authentication Scheme.

   Verify that the Create a new object of type Authentication Scheme is selected.

4. Click OK

   The Create Authentication Scheme page appears.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

5. Enter a name and a protection level.
6. Select Impersonation Template from the Authentication Scheme Type list.

   Scheme-specific fields and controls appear.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

7. Enter the server name and target information.
8. Click Submit.

   The authentication scheme is saved and can be assigned to a realm.