Friday, August 3, 2007

CSR Impersonation - eTrust SiteMinder

Introduction:

eTrust SiteMinder supports Impersonation, where one authorized user can access what another user can access. With impersonation, a customer service representative (CSR), for example, can act on behalf of users to run tasks for them that they otherwise might not want to, or know how to, run themselves.

A CSR may need to log in to a customer’s account in order to help with, or solve, a problem for the customer. Because a CSR must not be in possession of the customer’s password, SiteMinder provides a mechanism that lets a CSR log in using the customer’s username only. In this way the customer’s credentials remain private to the customer.

eTrust SiteMinder ensures that impersonation is a secure operation: only entitled users can impersonate other users.

This feature facilitates the following:
1. Customer service representatives (CSRs) impersonate customers to investigate access problems.
2. Helpdesk representatives impersonate employees to investigate access problems.
3. Employees impersonate co-workers who are on vacation or out of the office.
4. Any other situation in which one user must temporarily assume the identity of another user.

Administrators set up impersonation as an eTrust SiteMinder rule in a policy. In this way, impersonation can be very finely controlled because policies can define exactly who can impersonate whom for which resources within a realm.

This chapter explains eTrust SiteMinder CSR Impersonation and the sequence for implementing it, which includes configuring the Authentication Scheme, Realms, Rules and Policies.

Pre-Requisites:
There are two independent applications; one is for Impersonators (the Administrator Application) and the other is for Impersonatees (the End user Application). The Impersonation task/link is available in the Administrator Application.

The Administrator Application and the End user Application have already been deployed and are protected using their own Authentication schemes.

To impersonate an End User, the CSR logs into the Administrator Application with his own credentials. From there he navigates to the Impersonation task/link (/impersonation/start_imp.fcc) and reaches the Impersonatee’s login page (start_imp.fcc). Here he enters the Impersonatee’s userid/login name in the text box provided. If impersonation succeeds, control goes to the target.jsp page, which has a link to the End user Application; otherwise the respective customized error message is displayed.

Implementation:
Proxy Server / Web Agent Configurations:
1. Copy the impersonation and impersonationtarget folders into your web server’s virtual host location and restart your web server.
  1. For the Apache web server, paste them into Installed Location:\DocumentRoot\
  2. For the IIS web server, paste them into Installed Location:\Inetpub\wwwroot\
File Details:
• The impersonation folder contains the following two files, which are protected using your Administrator Application Auth scheme or as per your requirement.

i. start_imp.fcc
This is the page where the CSR enters the Impersonatee’s userid/login name in order to impersonate that user. On success of impersonation, control goes to target.jsp, which has the link to the End user Application. On failure you can display a customized error message giving the specific reason.

ii. end.html
It simply displays a message such as “Impersonation session has ended” and has a link to the Admin application.

• The impersonationtarget folder contains only one JSP, and it should be protected using the Impersonation Authentication scheme.
i. target.jsp
It has links to the End user application and to end.html. If the CSR clicks the End User Application URL, control goes to the End user application directly, without prompting for the user’s credentials, and the CSR can act on behalf of the user to run tasks. If the CSR does not want to access the End user application, he clicks the end.html link, which takes him back to the Admin application.

SiteMinder configurations:
1. Under the “System” tab, modify your Agent Configuration Object as follows:
FCCCompatMode - yes
FCCExt - .fcc (if you want to use another file extension such as .sec instead of .fcc, specify it here)
IgnoreExt - specify a file extension here if you do not want SiteMinder policies applied to files with that extension.

2. Under the “System” tab, create a new authentication scheme with the following details:
Name: ImpAuthscheme
Description: Impersonation Authentication Scheme
Authentication Scheme Type: Impersonation Template
Authentication Level: 5 or as per your requirement

Scheme Setup
Web Server Name: your webserver name
Target: /impersonation/start_imp.fcc

3. Click on the Domains tab and, under your End user Application domain, create two new realms as below.
1. /impersonation realm
Name: /impersonation
Agent: Your agent name
Resource Filter: /impersonation
Authentication Scheme: Your Administrator Application Auth scheme or as per your requirement

2. /impersonationtarget realm
Name: /impersonationtarget
Agent: Your agent name
Resource Filter: /impersonationtarget
Authentication Scheme: ImpAuthscheme

4. Under the /impersonation realm, create the getpostall, impStartRule and impStartUserRule rules as below.
• Name: getpostall
Resource: *
Web agent Action: Get, Post
• Name: impStartRule
Resource: *
Action:
Impersonation events: ImpersonateStart
• Name: impStartUserRule
Resource: *
Action:
Impersonation events: ImpersonateStartUser

5. Under the /impersonationtarget realm, create the getpostall, impStartRule and impStartUserRule rules as below.
• Name: getpostall
Resource: *
Web agent Action: Get, Post
• Name: impStartRule
Resource: *
Action:
Impersonation events: ImpersonateStart
• Name: impStartUserRule
Resource: *
Action:
Impersonation events: ImpersonateStartUser

6. Under your End user Application realm, create impStartRule and impStartUserRule as below.
• Name: impStartRule
Resource: *
Action:
Impersonation events: ImpersonateStart
• Name: impStartUserRule
Resource: *
Action:
Impersonation events: ImpersonateStartUser

Note: If you have more than one realm for your End user Application, create impStartRule and impStartUserRule under every realm that lies on your impersonation track.

7. Create a policy ImpersonationGetPostAll. This policy applies to both Impersonators and impersonatees. Modify this policy to include the following rule:
• getpostall (from the /impersonation realm)

8. Create a policy ImpersonationStartImp. This policy applies to the Impersonator only. Modify this policy to include the following rule:
• impStartRule (from the /impersonation realm)

9. Create a policy ImpersonationStartUser. This policy applies to impersonatees only. Modify this policy to include the following rule:
• impStartUserRule (from the /impersonation realm)

10. Create a policy TargetAppGetPostAll. This policy applies to both Impersonators and impersonatees. Modify this policy to include the following rule:
• getpostall (from the /impersonationtarget realm)

11. Create a policy TargetAppStartImp. This policy applies to impersonatees only. Modify this policy to include the following rules:
• impStartRule (from the /impersonationtarget realm)
• impStartRule (from the /impersonation realm)
• impStartRule (from your End user Application realm)
(If you have more than one End user Application realm, add the impStartRule from each of those realms to this policy.)

12. Create a policy TargetAppStartImpUser. This policy applies to impersonatees only. Modify this policy to include the following rules:
• impStartUserRule (from the /impersonationtarget realm)
• impStartUserRule (from the /impersonation realm)
• impStartUserRule (from your End user Application realm)

(If you have more than one End user Application realm, add the impStartUserRule from each of those realms to this policy.)
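Steps 3 to 12 leave two things easy to get wrong once the End user Application spans several realms: every realm on the impersonation track needs both impersonation rules, and the two TargetApp policies must include the rule from each of those realms. The following is an added example, not code from the post or from CA; it models realms, rules and policies as plain Python data (the scheme names AdminAppAuthScheme and EndUserAppAuthScheme and the realm names /enduserapp and /enduserapp2 are constructed placeholders) and audits those two conditions. It does not talk to a Policy Server, and the user-group bindings of each policy are left out.

```python
"""Consistency checks for the impersonation realm / rule / policy layout.
Constructed example; nothing here is a SiteMinder API."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# The two impersonation events a rule can carry, named as in the post.
IMP_START = "ImpersonateStart"           # evaluated for the impersonator (CSR)
IMP_START_USER = "ImpersonateStartUser"  # evaluated for the impersonatee


@dataclass(frozen=True)
class Rule:
    name: str
    resource: str = "*"
    web_agent_actions: FrozenSet[str] = frozenset()
    impersonation_event: Optional[str] = None


@dataclass
class Realm:
    name: str
    resource_filter: str
    auth_scheme: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    rules: List[Tuple[str, str]] = field(default_factory=list)  # (realm name, rule name)


def impersonation_rules() -> List[Rule]:
    """impStartRule and impStartUserRule as steps 4 to 6 define them."""
    return [Rule("impStartRule", impersonation_event=IMP_START),
            Rule("impStartUserRule", impersonation_event=IMP_START_USER)]


def build_sample_config(end_user_realms: List[str]) -> Tuple[Dict[str, Realm], List[Policy]]:
    """Realms from step 3 plus the given End user Application realms, and the
    six policies from steps 7 to 12. Scheme names are placeholders."""
    getpostall = Rule("getpostall", web_agent_actions=frozenset({"Get", "Post"}))
    realms = {
        "/impersonation": Realm("/impersonation", "/impersonation",
                                "AdminAppAuthScheme", [getpostall] + impersonation_rules()),
        "/impersonationtarget": Realm("/impersonationtarget", "/impersonationtarget",
                                      "ImpAuthscheme", [getpostall] + impersonation_rules()),
    }
    for name in end_user_realms:
        realms[name] = Realm(name, name, "EndUserAppAuthScheme", impersonation_rules())
    track = ["/impersonationtarget", "/impersonation", *end_user_realms]
    policies = [
        Policy("ImpersonationGetPostAll", [("/impersonation", "getpostall")]),
        Policy("ImpersonationStartImp", [("/impersonation", "impStartRule")]),
        Policy("ImpersonationStartUser", [("/impersonation", "impStartUserRule")]),
        Policy("TargetAppGetPostAll", [("/impersonationtarget", "getpostall")]),
        Policy("TargetAppStartImp", [(r, "impStartRule") for r in track]),
        Policy("TargetAppStartImpUser", [(r, "impStartUserRule") for r in track]),
    ]
    return realms, policies


def missing_impersonation_rules(realms: Dict[str, Realm], track: List[str]) -> List[Tuple[str, str]]:
    """Realms on the track with no rule for one of the two events (note after step 6)."""
    missing = []
    for realm_name in track:
        events = {r.impersonation_event for r in realms[realm_name].rules}
        for event in (IMP_START, IMP_START_USER):
            if event not in events:
                missing.append((realm_name, event))
    return missing


def realms_missing_from_policy(realms: Dict[str, Realm], policy: Policy,
                               event: str, track: List[str]) -> List[str]:
    """Realms on the track whose rule for `event` is not in `policy` (steps 11 and 12)."""
    included = set(policy.rules)
    out = []
    for realm_name in track:
        names = [r.name for r in realms[realm_name].rules if r.impersonation_event == event]
        if not any((realm_name, n) in included for n in names):
            out.append(realm_name)
    return out


def audit(realms: Dict[str, Realm], policies: List[Policy], track: List[str]) -> Dict[str, list]:
    """Run both checks; empty lists everywhere mean the track is consistent."""
    by_name = {p.name: p for p in policies}
    return {
        "missing_rules": missing_impersonation_rules(realms, track),
        "start_not_in_TargetAppStartImp":
            realms_missing_from_policy(realms, by_name["TargetAppStartImp"], IMP_START, track),
        "startuser_not_in_TargetAppStartImpUser":
            realms_missing_from_policy(realms, by_name["TargetAppStartImpUser"], IMP_START_USER, track),
    }


if __name__ == "__main__":
    realms, policies = build_sample_config(["/enduserapp"])
    track = ["/impersonation", "/impersonationtarget", "/enduserapp"]
    print(audit(realms, policies, track))  # every list empty
    # A second End user Application realm added later without its rules or policy entries.
    realms["/enduserapp2"] = Realm("/enduserapp2", "/enduserapp2", "EndUserAppAuthScheme")
    print(audit(realms, policies, track + ["/enduserapp2"]))  # /enduserapp2 reported three times
```

The second run shows the failure mode the note after step 6 warns about: a realm added to the track later is reported both for its missing rules and for its absence from the two TargetApp policies, so the gap is caught before a CSR finds that impersonation silently stops at that realm.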

Best practices:
Copying the impersonation-related files from a Windows host to a Unix system results in a ^M (Ctrl-M) character being appended to the end of each line. Convert all Windows-format files to Unix-format files before copying them.
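As an added example (not from the post), the conversion and the check that nothing was missed can be scripted. The script below rewrites every file under a folder with LF line endings and then lists any file that still contains a carriage return; the demo writes a constructed two-line start_imp.fcc with CRLF endings into a temporary impersonation folder, converts it and reports how many files still carry a ^M.

```python
"""Normalise line endings of the impersonation files before they are copied
to a Unix web server. Constructed example; the folder name follows step 1."""
import os
import tempfile
from typing import List


def to_unix(data: bytes) -> bytes:
    """Turn CRLF line endings into LF; LF-only input comes back unchanged."""
    return data.replace(b"\r\n", b"\n")


def files_with_cr(root: str) -> List[str]:
    """Paths under `root` that still contain a carriage return (the ^M shown by vi)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if b"\r" in fh.read():
                    found.append(path)
    return found


def convert_tree(root: str) -> List[str]:
    """Rewrite every file under `root` with LF endings; returns the files actually changed."""
    changed = []
    for path in files_with_cr(root):
        with open(path, "rb") as fh:
            data = fh.read()
        fixed = to_unix(data)
        if fixed != data:
            with open(path, "wb") as fh:
                fh.write(fixed)
            changed.append(path)
    return changed


def demo() -> int:
    """Create a CRLF file in a temporary impersonation folder, convert it, and
    return how many files under the folder still contain a CR (expected 0)."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = os.path.join(tmp, "impersonation")
        os.makedirs(folder)
        # Constructed content; not a real FCC file.
        with open(os.path.join(folder, "start_imp.fcc"), "wb") as fh:
            fh.write(b"line one\r\nline two\r\n")
        converted = convert_tree(folder)
        assert len(converted) == 1
        return len(files_with_cr(folder))


if __name__ == "__main__":
    print("files still containing ^M after conversion:", demo())
```

Run it against the real impersonation and impersonationtarget folders on the Windows side (convert_tree on each folder, then files_with_cr to confirm an empty list) before copying them to the Unix host.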

References:
http://www.ca.com/