

Impersonation Realms and Events

Impersonation originates in a realm that is specifically configured to begin the impersonation process. When an impersonator requests a resource in the impersonation realm, the impersonator is challenged by an impersonation authentication scheme. The scheme prompts the impersonator for credentials through a form. Instead of prompting for a username and a password as usual, the form prompts the impersonator for the username of the impersonatee. The .fcc file for the form contains logic that sets the password field to the impersonator's current Session Specification, so the impersonator's existing session, not a secret, is what the form submits as the credential.

The Policy Server uses the impersonation authentication scheme to verify that the impersonator’s current session is valid, and then the Policy Server attempts to find the user to be impersonated in the directories included in the policy domain associated with the impersonation realm. If the Policy Server finds the user, authentication proceeds.

Once the Policy Server locates the impersonatee in a directory, it must verify that the impersonator has the right to impersonate, and that the potential impersonatee can be impersonated. These rights are configured and enforced using CA SiteMinder® Policies and Rules, as well as two impersonation events.

Impersonation events are similar to authentication and authorization events, but they are not invoked passively: nothing fires them unless a policy explicitly binds a user to them. Policies must specifically bind the impersonator and the impersonatee to the corresponding impersonation event rules. If no such policies exist, or if the policies do not include impersonation event rules for both the impersonator and the impersonatee, impersonation is denied. Because the default in the absence of a binding is denial, a missing or incomplete policy never silently permits impersonation.

Impersonation can be allowed or disallowed in any realm using CA SiteMinder® policies and rules with impersonation events. A realm can be configured to disallow all impersonation (by defining no impersonation policies for it), or to restrict the set of possible impersonators and impersonatees. In practice, the impersonatee side of this restriction is the one to scrutinize: binding only ordinary end users to the impersonatee event rule, and never administrative accounts, prevents a help desk session from being converted into a privileged one.
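The decision sequence described above (valid impersonator session, impersonatee found in the policy domain's directories, and explicit policy bindings for both parties, with denial as the default) can be modelled in a few lines. The following is an added illustration, not CA SiteMinder code: the class names, the two event names IMPERSONATOR_EVENT and IMPERSONATEE_EVENT, the evaluate_impersonation function and all sample users and realms are constructed for this example and do not correspond to Policy Server objects or APIs.

```python
"""Toy model of the impersonation decision described on this page.

Added example, not CA SiteMinder code: object names, event names and the
evaluation order are assumptions made to show the fail-closed logic.
"""
from dataclasses import dataclass, field

# Assumed names for the two impersonation events: one is bound to the
# impersonator, the other to the impersonatee.
IMPERSONATOR_EVENT = "ImpersonatorEvent"
IMPERSONATEE_EVENT = "ImpersonateeEvent"


@dataclass
class Session:
    user: str      # the impersonator's own identity
    valid: bool    # whether the session specification still validates


@dataclass
class Policy:
    event: str     # which impersonation event rule this policy carries
    users: set     # users bound to that event rule by this policy


@dataclass
class Realm:
    name: str
    directories: list                        # user directories in the policy domain
    policies: list = field(default_factory=list)


def evaluate_impersonation(realm: Realm, session: Session, impersonatee: str) -> tuple:
    """Return (allowed, reason) for a request to impersonate `impersonatee`.

    The form submits the impersonator's session specification as the
    "password", so the first check is session validity, not a credential
    lookup. Every later step denies unless an explicit binding grants.
    """
    if not session.valid:
        return False, "impersonator session is not valid"
    if not any(impersonatee in d for d in realm.directories):
        return False, "impersonatee not found in the policy domain's directories"
    # Events are not passively invoked: a grant requires an explicit policy
    # binding. A realm with no impersonation policies therefore denies.
    impersonator_ok = any(p.event == IMPERSONATOR_EVENT and session.user in p.users
                          for p in realm.policies)
    impersonatee_ok = any(p.event == IMPERSONATEE_EVENT and impersonatee in p.users
                          for p in realm.policies)
    if not impersonator_ok:
        return False, f"{session.user} is not bound to an impersonator event rule"
    if not impersonatee_ok:
        return False, f"{impersonatee} is not bound to an impersonatee event rule"
    return True, "impersonation allowed"


# Constructed sample data (not from any real deployment).
CUSTOMER_DIR = {"alice", "bob"}
STAFF_DIR = {"helpdesk1", "admin1"}

HELP_DESK_REALM = Realm(
    name="helpdesk-impersonation",
    directories=[CUSTOMER_DIR, STAFF_DIR],
    policies=[
        # Only help desk staff may impersonate ...
        Policy(event=IMPERSONATOR_EVENT, users={"helpdesk1"}),
        # ... and only customers may be impersonated. Admin accounts are
        # deliberately absent so a help desk session can never become one.
        Policy(event=IMPERSONATEE_EVENT, users=set(CUSTOMER_DIR)),
    ],
)

# A realm with no impersonation policies at all: everything is denied.
LOCKED_REALM = Realm(name="no-impersonation", directories=[CUSTOMER_DIR, STAFF_DIR])


if __name__ == "__main__":
    for realm, sess, target in [
        (HELP_DESK_REALM, Session("helpdesk1", True), "alice"),
        (HELP_DESK_REALM, Session("helpdesk1", True), "admin1"),
        (HELP_DESK_REALM, Session("admin1", True), "alice"),
        (HELP_DESK_REALM, Session("helpdesk1", False), "alice"),
        (LOCKED_REALM, Session("helpdesk1", True), "alice"),
    ]:
        print(realm.name, sess.user, "->", target, evaluate_impersonation(realm, sess, target))
```

The point of the model is the order and the default: an expired impersonator session fails before any directory lookup, an impersonatee who exists but is not bound to the impersonatee event rule is refused even when the impersonator is fully authorized, and a realm with no impersonation policies refuses everyone.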