|
|
|
While impersonating a customer, an impersonator's session specification will look to SiteMinder much like the session specification of any customer. The major difference is that the impersonator's distinguished name and the user directory in which the impersonator originally authenticated will be present as additional fields. This allows all impersonated access to resources to be passed through additional checks. It also allows the Policy Server to record impersonated activities for auditing.
The impersonated session specification is also used to prevent impersonation chaining. When the Policy Server determines that the fields for the impersonator DN and user directory are in use, it will not allow further impersonation and will reject the login attempt. This stops impersonators from stacking one impersonation on top of another to gain access to otherwise restricted resources.
| Copyright © 2010 CA. All rights reserved. | Email CA about this topic |