Policy Server 12.8
Web Agent on Apache 2.4 on RHEL;
Web Agent Option Pack on Tomcat 7.x, on;
IdP on IBM Tivoli;
Since you configured Legacy Federation (a SAML 2.0 authentication scheme),
the HTTP-POST binding is NOT an option. This has been a product
limitation of the Legacy Federation feature itself for a long time.
However, SiteMinder also has another federation model, called
Partnership Federation, which does support the HTTP-POST binding.
If the IdP is also SiteMinder, then the IdP must meet the following
requirement (from the documentation topic "Enable SAML 2.0 HTTP-POST Binding"):
"Important! Before you configure the authentication request binding,
enable the session store. For the IdP to handle an authentication
request that is delivered using HTTP-POST binding, the IdP must store
the request in the session."
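To make the binding difference concrete, here is an added Python example (not SiteMinder code and not part of the original article) that encodes the same AuthnRequest under both the HTTP-Redirect binding (DEFLATE + base64 in the query string) and the HTTP-POST binding (base64 in a form field), and shows a minimal IdP-side receiver that decodes either form and persists the pending request by its ID until the user has authenticated, which is the role the session store plays in the requirement quoted above. The AuthnRequest, the SP and ACS URLs, and the in-memory store are constructed assumptions.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest; the SP issuer and ACS URL are placeholders.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req-constructed-0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml2/acs">'
    "<saml:Issuer>https://sp.example.com/sp</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encoded query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def encode_post(xml_text, relay_state=None):
    """HTTP-POST binding: plain base64 in a form field, no compression."""
    form = {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state:
        form["RelayState"] = relay_state
    return form


def receive_authn_request(method, query_string="", form=None, store=None):
    """IdP side: decode the request for either binding and persist it by ID.

    `store` stands in for the session store: the IdP must keep the request
    until the user has authenticated, because a POSTed request is not
    carried along in the URL the way a redirect-bound one is.
    """
    if store is None:
        raise ValueError("a session store is required to accept authentication requests")
    if method == "GET":
        params = dict(urllib.parse.parse_qsl(query_string))
        raw = base64.b64decode(params["SAMLRequest"], validate=True)
        xml_text = zlib.decompress(raw, -15).decode("utf-8")
        relay_state = params.get("RelayState")
        binding = "HTTP-Redirect"
    elif method == "POST":
        raw = base64.b64decode(form["SAMLRequest"], validate=True)
        xml_text = raw.decode("utf-8")
        relay_state = form.get("RelayState")
        binding = "HTTP-POST"
    else:
        raise ValueError(f"unsupported method {method}")

    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    req_id = root.get("ID")
    if not req_id:
        raise ValueError("AuthnRequest has no ID")
    if req_id in store:
        raise ValueError("duplicate AuthnRequest ID; possible replay")

    record = {
        "binding": binding,
        "id": req_id,
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "relay_state": relay_state,
    }
    store[req_id] = record  # pending until the user completes login
    return record


def complete_after_login(store, req_id):
    """After authentication, retrieve (and consume) the pending request so the
    IdP knows which SP and ACS URL the Response must go back to."""
    try:
        return store.pop(req_id)
    except KeyError:
        raise KeyError(f"no pending AuthnRequest {req_id}; unsolicited or already used")


if __name__ == "__main__":
    pending = {}
    rec = receive_authn_request("POST", form=encode_post(SAMPLE_AUTHN_REQUEST, "RS1"), store=pending)
    print(rec["binding"], rec["id"], "->", complete_after_login(pending, rec["id"])["acs"])
```

The receiver treats the store as mandatory and consumes each request exactly once, so a missing or already-used ID at the Response step surfaces as an error rather than an unsolicited assertion being issued; that is the failure mode the "enable the session store" requirement is guarding against.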
Note the difference between the Partnership Federation and Legacy
Federation models: Legacy Federation is tightly coupled with
SMSESSION-based security protection, whereas Partnership Federation is
less integrated with that protection and more focused on federation itself.
Please see details at:
Implementing Federation in Your Enterprise
CA Single Sign-On Federation has two deployment models:
Partnership federation is based on configuring partnerships between
enterprises based on federation standards. The partnership model does
not require configuration of CA Single Sign-On-specific objects, such
as domains, realms, and policies. This model is recommended for new
configurations using CA Single Sign-On Federation.
Legacy Federation (formerly Federation Security Services).
Legacy federation is based on configuring CA Single Sign-On objects,
such as affiliate domains, authentication schemes, and policies to
protect federated resources. This model is primarily for backward
compatibility with older deployments.