Impersonation Authentication Schemes

By configuring a series of Policy Server objects, you can allow privileged users to impersonate other users. This feature is useful in situations where a helpdesk or customer service representative must troubleshoot problems for a customer, or when an employee is out of the office.
Part of the impersonation process requires an impersonation authentication scheme, which allows a privileged user to begin the impersonation process, identify the user to be impersonated (impersonatee), and establish an impersonation session. This authentication scheme is similar to the HTML Forms authentication scheme.
Impersonation Scheme Prerequisites
Verify that the following prerequisites are met before configuring an Impersonation authentication scheme:
  • A customized .fcc file resides on a Web Agent server in the cookie domain in which you want to implement impersonation. CA provides sample .fcc files under the /forms subdirectory, where you installed your Web Agent.
    For general details about composing .fcc files, see CA Single Sign-On FCC Files. For information about specific .fcc file requirements for impersonation, see Enable Impersonation through an .fcc File.
  • Directory connections exist between the Policy Server and the user directories containing impersonators and impersonatees.
  • The following default HTML forms library, which handles authentication processing, is installed on the Policy Server:
    • smauthimpersonate.dll on Windows
    • smauthimpersonate.so on Solaris
    These files are installed automatically when you install the Policy Server.
Directory mapping does not support impersonation. The impersonatee, the user being impersonated, must be uniquely present in the authentication directories that are associated with the domain or the impersonation fails.
Configure an Impersonation Authentication Scheme
You use an Impersonation authentication scheme to let privileged users impersonate other users.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
    Verify that the Create a new object of type Authentication Scheme option is selected.
  4. Click OK.
  5. Enter a name and a protection level.
  6. Select Impersonation Template from the Authentication Scheme Type list.
  7. Enter the server name and target information.
  8. Click Submit.
    The authentication scheme is saved and can be assigned to a realm.