[SiteMinder] Basic Federation Setup


Article ID: 196923


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) SITEMINDER


This is to demonstrate a simple federation setup.

In this demo, SiteMinder Policy Server 12.8SP3 and Access Gateway 12.8SP3 is used.




Policy Server

   - Policy Store

   - Session Store (enabled)

   - User Store (has 'user1')

   - AdminUI


Access Gateway

   - DNS Name 'www.idp.lab'

   - https enabled with proper certificate issued by CA

   - Federation Web Services is enabled

   - Backend IIS (listening on

   - ProxyRule.xml configured to forward all requests to backend IIS

   - protecting '/siteminderagent/redirectjsp/redirect.jsp' with Persistent Realm and HTML Authentication Scheme. (Only required at the IDP side)

   - IDP user 'user1' is able to logon to above realm.



   - DNS Name 'www.sp.lab' (Do not use same domain as the IDP. Not that it is not possible but this is for who are new to Federation and it will make things complicated and confusing)

   - Same as IDP.

   - server.conf set with preservehostheader=yes (This is not required unless your application is proxied via access gateway)

   - IIS is hosting an application on /application/ (This is Service Provider side application for IDP users to access)

   - Above is protected by HTML Authentication Scheme.

   - SP side user 'user1' is allowed to logon and access above resource.


If you are unable to satisfy the above, would highly recommend attending SiteMinder Training courses.

Please contact your Broadcom Account Director to get more details.


Release : 12.8.03




Generate a keypair for signing assertion. We will use self-signed cert for this purpose.


Create Local IDP Entity 'www.idp.lab'

Export Metadata



Generate a keypair for signing assertion. We will use self-signed cert for this purpose.


Create Local SP Entity 'www.sp.lab'


Export SP Metadata.



Import the SP-Metadata.xml


'spkey' does not appear immediately so click on "Get Updates" button to make spkey appear.

Modify the Partnership to associate SP-Entity.

Here you need to select the SP-Entity from drop-down menu.

And you need to select the Userstore that has 'user1'. In this demo, it is "IDP User Directory".

Allow ALL Users to federate.

Enter the unique attribute (in this demo it is "uid" user attribute) that will return a user. The syntax is '{User.Attribute}=%s'. %s is the place holder for the attribute value.

'https://www.idp.lab/siteminderagent/redirectjsp/redirect.jsp' is the AuthenticationURL which you should have protected in the Pre-Requisites stage.



Activate Partnership



Import 'IDP-Metadata.xml'


'idpkey' certificate would not appear so click on "Get Updates" to make it visible.


Update Partnership with the imported IDP entity.

Select the IDP entity from the drop-down menu and add the User store that contains 'user1' account.

<NameID> in assertion will provide the userID to search. (You can use other attributes in the assertion for user mapping via XPath but NameID is the default)

uid is the user attribute in the "SP User Directory" that will search for the unique username.

%s is the place holder for the username from <NameID> (or from XPath).

Select the desired method (Redirect or POST) and also select the check box for Remote SSO Service (in this demo, both are enabled).

Activate Partnership


Now both IDP2SP and SP2IDP partnerships are activated so you are able to test the federation setup.

SSO can be initiated by following URL:




SLO can be initiated by following URL:




It is highly recommended you install some kind of HTTP header capturing tools (fiddler is commonly used, browser plugins such as 'SAML Tracer' is also useful. If not, you can use "Developer Mode" in your browser)

If you are using fiddler, ensure you enable "Decrypt HTTPS" option.


[Trace log]

On the SPS side, you will find FWSTrace.log to be helpful in troubleshooting the federation issues.

Modify the "C:\Program Files\CA\secure-proxy\Tomcat\webapps\affwebservices\WEB-INF\classes\LoggerConfig.properties"

Restart the Access Gateway services.


On the Policy Server side, select the respective template.

Launch smconsole.bat, "Enable Profiling" and navigate to the Profiler tab and set as below.

If you are IDP, load "samlidp_trace.template"

If you are SP, load "samlsp_trace.template"

Click "Load Template", OK and OK to save and exit.

If your federation fails, check the header trace(such as fiddler) first as that will provide most of the reasons and answers.

If it does not, then lookup the problematic event in the FWSTrace.log and smtracedefault.log