When running a Policy Server, when does it produce the SM_USER value ?

- What are all scenarios to get the SM_USER header value ?
- Does the http header SM_USER being set in Authentication failure scenarios or only success use cases ?
- Does SM_USER get set for the SM Authreason values 20, 22 and 24 ? 

Component: CA siteminder (SMPLC)
Version: ALL Supported Versions

The SM_USER will be produced on all requests as soon as the user name is known by the Policy Server as per documentation (1).

About SM Authreason values 20, 22 and 24, which represent

  ImmedPWChangeRequired = 20
  BadPWChange = 22
  ExcessiveFailedLoginAttempts = 24

The Password Services page will use another variable.

SM_USER header being sent to the target page, this header won't be available for the Password Services page.

Instead, the out of the box Password Services page uses the variable "username" :

smpwservices.fcc :

    @username=%username%

(1)

The following list contains user attributes that SiteMinder generates automatically. These attributes can be specified as response attributes for Web Agent responses and are available to named expressions.

- %SM_USER:

The web agent places the username in an SM_USER http header variable for all requests. The web agent does not set the value of the SM_USER header variable when one fo the following items are true:

- A user does not provide a user name, such as with certificate–based authentication.
- A user name is not known.

Generated User Attributes