When running a Policy Server, when does it produce the SM_USER value ?

  - What are all scenarios to get the SM_USER header value ?
  - Does the http header SM_USER being set in Authentication failure
    scenarios or only success use cases ?
  - Does SM_USER get set for the SM Authreason values 20, 22 and
    24 ?

The SM_USER will be produced on all requests as soon as the user name
is known by the Policy Server as per documentation (1).

About SM Authreason values 20, 22 and 24, which represent

  ImmedPWChangeRequired = 20
  BadPWChange = 22
  ExcessiveFailedLoginAttempts = 24

the Password Services page will use another variable. SM_USER header
being sent to the target page, this header won't be available for the
Password Services page. Instead, the out of the box Password Services
page uses the variable "username" :

  smpwservices.fcc :

    @username=%username%

(1)

     Generated User Attributes

      The following list contains user attributes that Siteminder
      generates automatically. These attributes can be specified as
      response attributes for Web Agent responses and are available to
      named expressions.

     %SM_USER

      The web agent places the username in an SM_USER http header variable
      for all requests. The web agent does not set the value of the
      SM_USER header variable when one of the following items are true:

       - A user does not provide a user name, such as with
         certificate–based authentication.
       - A user name is not known.

     https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/responses-and-response-groups/generated-user-attributes.html