How to set up impersonation within same domain?
Article ID: 53637
Updated On:
Products
Issue/Introduction
Description:
Step by step description on how to set up impersonation.
Solution:
Configuring and Testing Impersonation on Siteminder version 6
Objective: Configuring Customer service representatives (CSRs) to impersonate customer. Impersonator access customer application to verify impersonation process is success.
Impersonator : The privileged user that has the ability to impersonate the identities of other users.
Impersonatee : The user whose identity can be impersonated by a privileged user.
Two folders impersonators and impersonatee located in your web server holding impersonation web resource.
Both Impersonator and Impersonatee in same Domain
Procedures:
- Create Impersonators realm with 1 rule.
- Impersonators Realm
- Resource Filter: /impersonators/
- Authentication Scheme: Basic
- Rule 1: Access Rule for Impersonation Admin
- Resource: *
- Action: Get/Post
- Create Impersonatee realm with 3 rules.
- Impersonatee Realm
- Resource Filter: /impersonatee/
- Authentication Scheme: Impersonation
- Rule 1: Access Rule to Impersonatee Resource
- Resource: *
- Action: Get
- Rule 2: Impersonate Start
- Resource: *
- Action: ImpersonateStart
- Rule 3: Impersonate Start User
- Resource: *
- Action: ImpersonateStartUser
- Create 2 rules at realm(s) that you want impersonator to access. If you didn't set these 2 rules, impersonator will get SMAUTHREASON = 46 when she try to access the realm.
Ex:- Rule 1: Impersonate Start HTML
- Resource: *
- Action: ImpersonateStart
- Resource: *
- Rule 2: Allow Impersonatee HTML
- Resource: *
- Action: ImpersonateStartUser
- Resource: *
- Rule 1: Impersonate Start HTML
- Create 4 policies for impersonator and impersonatee.
- Policy 1: Impersonation Admin Policy
- Users: impersonator
- Rule 1: Access Rule for Impersonation Admin (Impersonators realm)
- Policy 2: Impersonator and Impersonatee Resource
- Users: impersonator and impersonatee
- Rule 1: Impersonate Start HTML
- Rule 2: Allow Impersonatee HTML
- Rule 3: Access Rule to Impersonatee Resource (Impersonatee realm)
- Policy 3: Impersonate Start
- Users: impersonator
- Rule 1: Impersonate Start (Impersonatee realm)
- Policy 4: Impersonate Start User
- Users: impersonatee
- Rule 1: Impersonate Start User (Impersonatee realm)
- Testing
- Login with impersonator id and password.
- Go to http://<FQDN>/impersonators/startimp.fcc
- Enter impersonatee user id.
- Test the application as the customer.
startimp.fcc
<!-- SiteMinder Encoding=ISO-8859-1; --> @username=%USER% @smheaders=SM_SERVERSESSIONSPEC @password=%SM_SERVERSESSIONSPEC% @smpushsession=true @smretries=0 @smerrorpage=/impersonators/imperror.html
<html>
<head><title>Sample Impersonation Form</title><head>
<script type="text/javascript">
function load()
{
document.cookie = "SMSAVEDSESSION=; path=/; domain=idp.dev; expires=Thu, 01-Jan-70 00:00:01 GMT";} </script>
<body onload="load()">
<h3> Please enter your Impersonation Information</h3>
<form method=post>
<table>
<tr>
<td>User Name:</td>
<td><input type=text name=USER></td>
</tr>
<input type=hidden name=target value="/impersonatee/index.asp">
<INPUT TYPE=HIDDEN NAME="AGENTNAME" VALUE="producer.idp.dev">
<tr>
<td>
<input type=submit>
</td>
</tr>
</table>
</form></body>
</html>
** Please note there is a java script function in startimp.fcc. This function will automatically run when startimp.fcc is being load. The reason to add in this function is to prevent Impersonation Session Initiation gives Error (session already pushed) second time onwards in same browser window where original session times out. The function will ensure SMSAVEDSESSION get deleted after session timeout.
The target value of startimp.fcc is redirect to "/impersonatee/index.asp". This is customer application sample page. If you don't have any sample page to test, following is the sample jsp file that may help you to test for the impersonation.
headers.jsp
<html>
<head>
<title> Impersonation Page </title>
</head>
<body>
<%@ page import="java.util.*" %>
<hr>
<A HREF="/impersonators/startimp.fcc"
title="Click Here to Impersonate a User">Impersonate a User</a>
<br>
<A HREF="/impersonators/endimp.fcc"
title="Click Here to End an Impersonated Session">End Impersonation</a>
<hr>
<%
String strUser = "sm_user";
String strUserDN = "sm_userdn";
String strImpDirName = "sm_userimpersonatordirname";
String strDomino = "SM_DOMINOCN";
String strimpName = "sm_userimpersonatorname";
String strsmauthdirname = "SM_AUTHDIRNAME";
String strValue = "";
Enumeration headerNames = request.getHeaderNames();
while(headerNames.hasMoreElements())
{
boolean bBold = false;
String headerName = (String)headerNames.nextElement();
if(headerName.equals(strUser) || headerName.equals(strUserDN)||
headerName.equals(strImpDirName)|| headerName.equals(strDomino))
{
bBold = true;
}
bBold=true;
if(bBold){
out.print("<b>");
out.print(headerName);
out.print(" = ");
out.println(request.getHeader(headerName) + "<BR>");
out.print("</b>");
}
}
out.println("<BR><BR>" + "Cookies" + "<BR>");
Cookie [] cookies = request.getCookies();
for (int i = 0;i < cookies.length;i++){
out.print(cookies[i].getName());
out.print(" = ");
out.println(cookies[i].getValue() + "<BR>");
}
%>
</body>
</html>
Lastly, user can end the impersonation by having a button redirect to endimp.fcc. Following is sample of endimp.fcc.
endimp.fcc
<!-- SiteMinder Encoding=ISO-8859-1; --> @smpopsession=true @target=/impersonators/index.asp @smredirect=/impersonators/index.asp
Environment
Component: SMPLC
Feedback
