Customer has set up CA Clarity as an SP application, allowing federated users to access it via deep link (RelayState). When a user is already authenticated at the IDP, the application is working as expected, however, when the user is not already authenticated at the IDP the user receives an error when arriving at the application. Customer can change the URL encoding of the initial request so that unauthenticated users would no longer receive an error, however, this was merely toggling the problem to already authenticated users. The SP was unable to find an initial URL that works for all users.
Release : ALL
Component : SITEMINDER - FEDERATION
Since the IDP in this case was also running Siteminder, another effective solution to this would have been for the IDP to protect the IDP-initiated URL with an equivalent auth scheme that omits the encoding. For instance, they would create a new Siteminder realm that protects the following:
Assign an appropriate auth scheme to the realm (here the IDP could make a copy of the customized HTML login form and remove the encoding functionality from it, creating a new auth scheme with this file as the Target). This would assure any unauthenticated users who request this federation application pass through this non-encoding auth scheme rather than the auth scheme protecting the Authentication URL that has been assigned to the partnership.
The high-level behavior of the saml2sso URL is simple. If the user is already authenticated, saml2sso will process the request. If the user is not already authenticated, saml2sso will determine which partnership the unauthenticated user is requesting and redirect the user to the configured Authentication URL.