How Authorization works in Identity Manager when "Enable admin_id (allow impersonation)" and "SiteMinder Basic Authentication" are set for TEWS call


Article ID: 210472


Products

CA Identity Manager

Issue/Introduction

I have an IM (Identity Manager) system that is integrated with SiteMinder.
I have selected "Enable Execution", "Enable WSDL Generation", "Enable admin_id (allow impersonation)", "Admin password is required" for "Web Services" for the IM environment. "SiteMinder Authentication" is set to "Basic Authentication", this means TEWS is protected by SiteMinder as well.

My question is: when making TEWS calls, if I am authenticated to SiteMinder as a normal user and I put the ID of the super user (e.g. imadmin) in the SOAP request ("<wsdl:admin_id>imadmin</wsdl:admin_id>"), how is IM going to make the authorization decision about this TEWS call? Is the authorization based on the normal user's privileges in IM or the super user's privileges in IM?

Environment

Identity Manager 14.x
SiteMinder 12.8

Resolution

Because "Enable admin_id (allow impersonation)" is enabled, the task runs in the context of the user named in the admin_id element of the SOAP body. SiteMinder performs authentication only. The credentials in the HTTP Authorization header may belong to a different user, and SiteMinder will authenticate that user, but the admin_id given in the SOAP XML determines which user IM runs the task as, and therefore whose privileges are used for the authorization decision.

So if a user with fewer privileges is authenticated by SiteMinder and a user with more privileges is specified as admin_id in the SOAP XML request, IM runs the task as the more privileged user.

In the example request, admin_id is set to imadmin in the SOAP XML, while the Authorization header carries the credentials of a sample normal user (redacted in the screenshot) who does not have the privilege to run the "My Modify User" task. The SOAP call succeeded.

The practical consequence is that the SiteMinder-authenticated identity plays no part in IM's authorization decision. Anyone who can authenticate to SiteMinder and supply a valid admin_id (together with that administrator's password, since "Admin password is required" is enabled in this configuration) runs the task with that administrator's privileges. Protect the credentials of accounts that are accepted as admin_id, and leave "Enable admin_id (allow impersonation)" off in environments that do not need it.
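As an added example that is not part of the original article, the Python below builds a TEWS-style request in which the HTTP Basic credentials (the identity SiteMinder authenticates) and the admin_id element (the identity IM runs the task as) belong to different users, and then audits such a request to make the gap between the two identities visible, which is useful when reviewing proxy or access logs for impersonated calls. The namespace http://tews6/wsdl, the operation name MyModifyUser, the field names, the user names and the fallback rule when no admin_id is present are assumptions for illustration, not taken from the article.

```python
"""Model the two identities in a SiteMinder-protected TEWS call.

The HTTP Basic Authorization header carries the identity SiteMinder
authenticates.  The <wsdl:admin_id> element in the SOAP body carries the
identity Identity Manager authorizes and runs the task as when
"Enable admin_id (allow impersonation)" is on.  Added example; not code
from the article or from the product.
"""
import base64
import xml.etree.ElementTree as ET

# Assumed namespace for TEWS 6 operations; confirm against the generated WSDL.
TEWS_NS = "http://tews6/wsdl"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsdl", TEWS_NS)


def build_tews_request(sm_user, sm_password, admin_id, admin_password, task_tag, fields):
    """Return (headers, body) for a TEWS call.

    sm_user / sm_password go into the Authorization header (SiteMinder
    authenticates this user).  admin_id / admin_password go into the SOAP
    body (IM runs the task as admin_id).  task_tag and fields are assumed
    names for the operation and its parameters.
    """
    token = base64.b64encode(f"{sm_user}:{sm_password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "text/xml; charset=utf-8",
    }
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{TEWS_NS}}}{task_tag}")
    ET.SubElement(op, f"{{{TEWS_NS}}}admin_id").text = admin_id
    if admin_password is not None:
        # Required when "Admin password is required" is enabled.
        ET.SubElement(op, f"{{{TEWS_NS}}}admin_password").text = admin_password
    for name, value in fields.items():
        ET.SubElement(op, f"{{{TEWS_NS}}}{name}").text = value
    return headers, ET.tostring(env, encoding="utf-8", xml_declaration=True)


def audit_tews_request(headers, body):
    """Report who was authenticated versus who the task will run as."""
    authenticated = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        authenticated = decoded.split(":", 1)[0]
    root = ET.fromstring(body)
    admin_el = root.find(f".//{{{TEWS_NS}}}admin_id")
    # Assumption: without admin_id the call would run as the authenticated user.
    effective = admin_el.text if admin_el is not None and admin_el.text else authenticated
    return {
        "authenticated_user": authenticated,
        "effective_user": effective,
        "impersonation": effective != authenticated,
    }


def find_impersonated_calls(captured):
    """Given (headers, body) pairs, return the audits where identities differ."""
    return [a for a in (audit_tews_request(h, b) for h, b in captured) if a["impersonation"]]


if __name__ == "__main__":
    # Constructed sample: a normal user authenticates, imadmin is impersonated.
    req = build_tews_request("jsmith", "s3cret", "imadmin", "adminpw",
                             "MyModifyUser", {"userid": "jdoe"})
    for finding in find_impersonated_calls([req]):
        print(finding)
```

Run the audit over the requests seen at the SiteMinder agent or a reverse proxy in front of TEWS: every entry it returns is a call where the privileges used by IM came from admin_id rather than from the user SiteMinder authenticated.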