Siteminder SAML SP assertion attributes to be returned as JWT token to backend Target app

Article ID: 259316

Products

SITEMINDER

Issue/Introduction

We have a requirement to translate an incoming SAML assertion (SiteMinder acting as the SP), including its custom attributes, into JSON that is sent to the backend application.

Does SiteMinder have functionality to support this requirement?

Environment

Release : 12.8.x

Cause

 

Resolution

 

Multiple options are discussed below:

**** Option 1 --> Using the API Gateway. This is an out-of-the-box solution with no customization.

Requirement:
- AG or WAOP
- Policy Server
- API Gateway

Flow:
1) The SiteMinder SP service consumes the assertion, generates the SMSESSION cookie and stores the assertion attributes as session variables in the session store.
2) The request is redirected to the application (which must be in the same cookie domain as the Federation Web Services); the application reads the Cookie header, fetches the SMSESSION cookie and calls the API Gateway.
3) The API Gateway receives the request from the application along with the cookie, decodes it and performs a request to a virtual resource protected by the Policy Server, where the session is validated. This is followed by an AZ request whose response is tied to the policy configured to return the session variables as headers.
4) The API Gateway receives the response with all the header variables from the Policy Server AZ response, generates a JWT token, which can be signed (optional), and sends it back to the application.
5) The application needs to be able to decode and verify the signature of the token and process the token data, which includes all the assertion attributes.

**** Option 2 --> Using the OIDC code flow. Custom claim customization is needed.

Requirement:
- AG
- Policy Server
- Custom OIDC claim to return session variables
- The application needs to support the OIDC flow

Flow:
1) The SiteMinder SP service consumes the assertion, generates the SMSESSION cookie and stores the assertion attributes as session variables in the session store.
2) The request is redirected to the application, which triggers an OIDC code flow with SiteMinder as the provider.
3) SiteMinder validates the SMSESSION and uses it to generate the OIDC tokens with the user info; a custom claim is written to fetch the session variables from the session store and return them as claims in the token.

 

**** Option 3 --> Use a custom Java active response to generate the JWT token

Requirement:
- WAOP or AG
- Policy Server
- Custom Java active response to generate the JWT token

Flow:
1) The SiteMinder SP service consumes the assertion, generates the SMSESSION cookie, stores the assertion attributes as session variables in the session store and sends the request to the backend app.
2) The backend app needs to call a protected resource tied to a Java active response (custom code), which reads the session variables and generates a JWT token.
3) The application needs to be able to decode and verify the signature of the token and process the token data, which includes all the assertion attributes.


**** Option 4 --> Use the AG AZ web service to return a JSON response with the needed headers (no custom code needed)

Requirement:
- AG
- Policy Server

Flow:
1) The SiteMinder SP service consumes the assertion, generates the SMSESSION cookie, stores the assertion attributes as session variables in the session store and sends the request to the backend app.
2) The backend app calls the AZ web service on the AG and passes the session token (SMSESSION); the AZ web service returns the response in JSON. Example:

  {
    "authorizationResponses": {
      "response": [
        {"name": "SM_USER", "value": "uid=user1,ou=People,o=security.com"}
      ]
    },
    "message": "Authorization successful",
    "resultCode": "AUTHORIZED",
    "sessionToken": "session"
  }
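As an added example (not part of this article and not SiteMinder product code), the Python below shows what a backend app would do with the AZ web service JSON above under Option 4: refuse anything that is not AUTHORIZED, map the returned attributes to claims, mint an HS256-signed JWT, and perform the decode-and-verify step that Options 1 and 3 require of the application. The signing key, TTL and JSON sample are constructed assumptions; the article does not specify a JWT algorithm or key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample in the shape returned by the AG AZ web service (taken from the article).
AZ_RESPONSE = {
    "authorizationResponses": {
        "response": [{"name": "SM_USER", "value": "uid=user1,ou=People,o=security.com"}]
    },
    "message": "Authorization successful",
    "resultCode": "AUTHORIZED",
    "sessionToken": "session",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def az_response_to_claims(az: dict) -> dict:
    """Map the AZ response headers to JWT claims; refuse anything that is not AUTHORIZED."""
    if az.get("resultCode") != "AUTHORIZED":
        raise PermissionError(az.get("message", "authorization failed"))
    return {r["name"]: r["value"] for r in az["authorizationResponses"]["response"]}

def mint_jwt(claims: dict, key: bytes, ttl: int = 300, now=None) -> str:
    """HS256-sign the claims with iat/exp (key and ttl are assumptions, not SiteMinder settings)."""
    now = int(time.time()) if now is None else now
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(dict(claims, iat=now, exp=now + ttl), separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """What the backend app must do before trusting the attributes: pin alg, check MAC, check exp."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")  # ValueError if the token is not three segments
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims
```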


Reference --> https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/access-gateway-configuration/configuring-the-authentication-and-authorization-web-services.html