Impersonation error when creating a token using runtimeAPI.createToken
Originally Published: 2013-06-06
Article Number
000052696
Applies To
RSA Access Manager AdminAPI
RSA Access Manager 6.1
RSA Access Manager version 6.2

Issue
Impersonation error when creating a token using runtimeAPI.createToken
The following error is logged in the eserver standard output file in DEBUG mode:

15:29:33:115 [*] [MuxWorker-10] - result: {EXCEPTION_TYPE=TokenException, EXCEPTION_MESSAGE=Impersonation is allowed only for administrative user}

Cause
This error occurs when using runtimeAPI.createToken() or RunTimeAPI.setTokenValue() on the token map of a token belonging to an authenticated user. When a token is created with an authenticate method, the token is populated with several default keys, including SC_IMPERSONATED_ID. No errors are generated when the token is created as the result of the authentication call, but any subsequent attempt to modify the token map and then create a new token will generate this error. User impersonation is a new feature introduced in Access Manager 6.1 that is supposed to ensure that tokens created by a user other than the authenticated user are created through the impersonation API. The check for an impersonation ID in the token incorrectly occurs even if cleartrust.aserver.impersonation.enable=false is set in the aserver.conf file.
Resolution
Before calling the create token method, remove the token key for impersonation from the token map with the remove method. This prevents the check for a valid impersonation from being made.
values.remove(TokenKeys.SC_IMPERSONATED_ID);

This error should not occur when cleartrust.aserver.impersonation.enable=false.  This will be fixed in a future service pack. 
Workaround
Upgraded from 6.0 to 6.1