At the Service Provider (SP) end of the Federation, the SiteMinder documentation doesn't state in detail about each parameter of the below function in the Message consumer Plugin (1).

1. Should postDisambiguate() be called from init()?
2. The "output" parameter in the postDisambiguate(APIContext apiContext, UserContext userContext, String parameters, String message, Map props, String loginID, StringBuffer output) which of type Stringbuffer, should it be set to the new SAML assertion that will need to be modified?
3. Once the output is set, does SiteMinder process this SAML assertion(output) again to disambiguate the user?
    

1. No. This method is called only once during initialization. Modify this method if the plugin requires any initialization steps OR just return true.
2. As mentioned in the documentation, this method is only called when the disambiguation of the user fails. The "output" parameter should be set to the "user identifier value" with which the user directory search should be performed. Do NOT add the SAML assertion in the output parameter.
3. Once the output parameter is set, SiteMinder will try to disambiguate the user with the output parameter value but the assertion will not be updated. The assertion will remain the same.

NOTE:

The postDisambiguate method in the plugin will only help to disambiguate the user with a different value and does not update the assertion.

1. Customize Assertion Processing with the Message Consumer Plug-in for WS-Federation