We have SM and IDM integrated. We have discovered that on ANY change to the IDM configuration (i.e., importing Directory.xml to extend the schema), this somehow overwrites SiteMinder's LDAP User DN Lookup directory configuration, totally breaking authentication and authorization for every integrated application until the settings can be manually reset.
How can it be that a change to an external system overwrites SiteMinder settings? This is extremely disruptive.
Release : 12.8
Component : SITEMINDER - POLICY SERVER
When an IDM Environment is imported into SiteMinder, an IDM User Directory Definition is created for use with that IDM Environment. Its "Description:" field reads "DO NOT REMOVE - For use by Identity Manager".
This User Directory Definition should ONLY be used for the IDM integration. The User Directory Definition created by the IDM Import process should not be used in your SiteMinder Domains for your SiteMinder Policies.
If the User Directory configuration of the IDM Environment is modified, and SiteMinder is updated with this IDM Environment change, the change is written to this IDM Directory Definition and therefore affects every SiteMinder Domain and Policy that is bound to it. This is the behaviour described in the problem statement above.
You would need to create a separate User Directory Definition for use with the SiteMinder Policies, and update the Domains and Policies to use this new Directory Definition. You could create a new User Directory Definition in SiteMinder for your user Policies, and then use the REST APIs to script the updates to the Policy Store that switch your Domains and Policies to the new User Directory.
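The following is an added example, not code from the Broadcom article or the SiteMinder product. It sketches how such a scripted rebind could be structured: locate the IDM-created directory by its "DO NOT REMOVE - For use by Identity Manager" description, work out which Domains still reference it, compute the replacement bindings, and only then push the changes. The REST base path `/ca/api/sso/services/policy/v1`, the object names `SmUserDirectories` and `SmDomains`, the `Path`/`Name`/`Description`/`UserDirectories` JSON fields and the `PolicyClient` helper are assumptions made for illustration; check them against the REST API Reference Documentation linked below before use. The sample directory and domain records are constructed so the planning logic runs offline.

```python
"""Plan and apply a rebind of SiteMinder Domains away from the IDM-created User
Directory. Added example; REST paths and JSON field names are ASSUMPTIONS."""
import json
import urllib.request

# Marker text taken from the article; everything else below is assumed/constructed.
IDM_DESCRIPTION = "DO NOT REMOVE - For use by Identity Manager"
BASE_PATH = "/ca/api/sso/services/policy/v1"  # assumption

# Constructed sample data in an assumed shape: each object carries a Path and a Name.
SAMPLE_DIRECTORIES = [
    {"Path": "/SmUserDirectories/IDM_Dir", "Name": "IDM_Dir",
     "Description": IDM_DESCRIPTION},
    {"Path": "/SmUserDirectories/AppUsers", "Name": "AppUsers",
     "Description": "Dedicated directory for SiteMinder policies"},
]
SAMPLE_DOMAINS = [
    {"Path": "/SmDomains/HR", "Name": "HR",
     "UserDirectories": ["/SmUserDirectories/IDM_Dir"]},
    {"Path": "/SmDomains/Finance", "Name": "Finance",
     "UserDirectories": ["/SmUserDirectories/AppUsers"]},
    {"Path": "/SmDomains/Portal", "Name": "Portal",
     "UserDirectories": ["/SmUserDirectories/IDM_Dir",
                         "/SmUserDirectories/AppUsers"]},
]


def find_idm_directory(directories):
    """Return the directory whose Description is the IDM marker, or None."""
    for d in directories:
        if d.get("Description") == IDM_DESCRIPTION:
            return d
    return None


def domains_bound_to(domains, directory_path):
    """Names of Domains that still reference the given directory (audit check)."""
    return sorted(d["Name"] for d in domains
                  if directory_path in d.get("UserDirectories", []))


def plan_rebind(domains, idm_path, new_path):
    """Compute {domain Path: new UserDirectories list} for every Domain bound to
    the IDM directory, swapping it for new_path and dropping a duplicate if the
    Domain already lists new_path. Domains not bound to idm_path are untouched."""
    plan = {}
    for dom in domains:
        dirs = dom.get("UserDirectories", [])
        if idm_path not in dirs:
            continue
        updated = []
        for p in dirs:
            repl = new_path if p == idm_path else p
            if repl not in updated:
                updated.append(repl)
        plan[dom["Path"]] = updated
    return plan


class PolicyClient:
    """Minimal HTTP wrapper (assumed API shape). A bearer token obtained out of
    band is passed in; no credentials are embedded here."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/") + BASE_PATH
        self.token = token

    def _request(self, method, object_path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + object_path, data=data,
                                     method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"null")

    def list_objects(self, collection):          # e.g. "SmDomains"
        return self._request("GET", "/" + collection)

    def update_domain_directories(self, domain_path, new_dirs):
        return self._request("PUT", domain_path, {"UserDirectories": new_dirs})


def rebind_all(client, new_dir_path, dry_run=True):
    """End-to-end: fetch, plan, optionally apply. Returns the plan so the
    operator can review it before running with dry_run=False."""
    idm_dir = find_idm_directory(client.list_objects("SmUserDirectories"))
    if idm_dir is None:
        return {}
    plan = plan_rebind(client.list_objects("SmDomains"), idm_dir["Path"], new_dir_path)
    if not dry_run:
        for domain_path, dirs in plan.items():
            client.update_domain_directories(domain_path, dirs)
    return plan


if __name__ == "__main__":
    idm = find_idm_directory(SAMPLE_DIRECTORIES)
    print("Domains still bound to IDM dir:", domains_bound_to(SAMPLE_DOMAINS, idm["Path"]))
    print(json.dumps(plan_rebind(SAMPLE_DOMAINS, idm["Path"],
                                 "/SmUserDirectories/AppUsers"), indent=2))
```

Run it against the constructed data first: `domains_bound_to` is the check worth keeping after the migration, since an empty result confirms that no Domain is left pointing at the IDM directory and therefore that a future IDM Environment change cannot reach your application Policies through it.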
Please refer to the "REST API Reference Documentation" section of the documentation at the following link:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/policy-object-rest-apis/rest-api-reference-documentation.html