Below is one way to implement MFA with Siteminder.
Release : 12.8.03
NOTE --> The JSP files are written by the Broadcom Solutions team and are not officially supported by Broadcom Siteminder Support.
############ Steps to implement ##############
- 2 JSP files are attached as samples for the implementation described below:
*** Prerequisites
* You can use any existing auth scheme, including a custom auth scheme, as the second factor (we will call it Auth_scheme_2nd_step_login). Change its AuthLevel and set it to 10.
* Create an "HTML form template" auth scheme with AuthLevel set to 5 (we will call it Auth_scheme_1st_step_login in this example). This auth scheme will be used as the first authentication factor.
* Create an "HTML form template" auth scheme with AuthLevel set to 10 (we will call it Auth_scheme_MFA in this example). Fill in the web server name and port used and set the Target to --> /login/auth_redirect.jsp (attached JSP file). This auth scheme will be used to protect your application resource.
* On your web server, create a directory named /mfa.
* Copy the redirect.jsp file (also attached) under the /mfa directory.
* Change your application realm and set the auth scheme to --> "Auth_scheme_MFA" (AuthLevel 10).
* Create a realm to protect /mfa* and set the auth scheme to --> "Auth_scheme_1st_step_login" (AuthLevel 5).
* Create a realm to protect /mfa/redirect.jsp* and set the auth scheme to --> "Auth_scheme_2nd_step_login" (AuthLevel 10).
*** Flow of transaction
* The user accesses the application's protected resource.
* Siteminder redirects the user to /login/auth_redirect.jsp, where the initial target is preserved and a redirect to /mfa/redirect.jsp is triggered.
* The browser follows the redirect to /mfa/redirect.jsp, where the /mfa* realm triggers and the user is presented with the "Auth_scheme_1st_step_login" logon.
* After a successful login, an SMSESSION with AuthLevel 5 is generated and the user is sent to /mfa/redirect.jsp.
* As an SMSESSION exists, the user clears the first realm and hits the second realm, where the session is determined to have a lower AuthLevel than required and the user is challenged by the second auth scheme (Auth_scheme_2nd_step_login).
* The user authenticates through "Auth_scheme_2nd_step_login" and a new SMSESSION with AuthLevel 10 is generated.
* The browser performs a GET on /mfa/redirect.jsp*, and this time, since an SMSESSION with AuthLevel 10 exists, the user is authorized to the resource.
* redirect.jsp reads the preserved initial target from the session and sends the user to it (the initial target is the application resource).
* The user accesses the application resource, this time with an SMSESSION at the required AuthLevel 10, and is allowed access to the app.
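As an added example (not one of the attached JSP files and not Broadcom code), the following Java helper shows the two hops the flow above relies on: /login/auth_redirect.jsp preserving the initial target in the container session, and /mfa/redirect.jsp restoring it and sending the user on. It also checks the target before redirecting, so that a tampered TARGET parameter cannot turn either page into an open redirect to another host. The class, method and session-attribute names, the use of the javax.servlet API, and the handling of the -SM- marker are assumptions of this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Example helper (assumed names): called from a scriptlet in each of the two JSP pages.
public final class MfaRedirectHelper {
    // Session attribute that carries the initial target across the two hops (name chosen for this example)
    static final String TARGET_ATTR = "mfa.initialTarget";
    static final String MFA_PAGE = "/mfa/redirect.jsp";
    static final String FALLBACK = "/";

    private MfaRedirectHelper() {}

    // First hop (/login/auth_redirect.jsp): preserve the initial target, then send the browser to /mfa/redirect.jsp.
    public static void preserveAndRedirect(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String target = validateTarget(req.getParameter("TARGET"), req.getServerName());
        req.getSession(true).setAttribute(TARGET_ATTR, target);
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(MFA_PAGE);
    }

    // Second hop (/mfa/redirect.jsp): read the preserved target, clear it (one-time use), and send the browser there.
    public static void restoreAndRedirect(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String target = FALLBACK;
        HttpSession session = req.getSession(false);
        if (session != null) {
            Object saved = session.getAttribute(TARGET_ATTR);
            session.removeAttribute(TARGET_ATTR);
            if (saved instanceof String) {
                // re-check on the way out: the session value could have been set by other code
                target = validateTarget((String) saved, req.getServerName());
            }
        }
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(target);
    }

    // Accept only a site-local path, or an absolute http(s) URL whose host is this server.
    // Anything else (other hosts, scheme-relative "//host", unparsable input) falls back to "/".
    static String validateTarget(String raw, String ownHost) {
        if (raw == null || raw.isEmpty()) return FALLBACK;
        // Assumption: the container has already decoded the query string, so a Siteminder-encoded
        // TARGET arrives as "-SM-" followed by the plain URL; the marker is dropped before parsing.
        String t = raw.startsWith("-SM-") ? raw.substring(4) : raw;
        try {
            URI u = new URI(t);
            if (u.isAbsolute()) {
                String scheme = u.getScheme().toLowerCase(Locale.ROOT);
                boolean okScheme = scheme.equals("http") || scheme.equals("https");
                boolean okHost = u.getHost() != null && u.getHost().equalsIgnoreCase(ownHost);
                return (okScheme && okHost) ? t : FALLBACK;
            }
            // Relative form: must be a plain path with no authority part (rejects "//evil.example/...")
            if (u.getAuthority() != null || u.getRawPath() == null || !u.getRawPath().startsWith("/")) {
                return FALLBACK;
            }
            return u.getRawPath() + (u.getRawQuery() != null ? "?" + u.getRawQuery() : "");
        } catch (URISyntaxException e) {
            // backslashes, spaces and other illegal characters end up here
            return FALLBACK;
        }
    }
}
```

With the class on the web application's classpath, /login/auth_redirect.jsp would contain the scriptlet `<% MfaRedirectHelper.preserveAndRedirect(request, response); %>` and /mfa/redirect.jsp the scriptlet `<% MfaRedirectHelper.restoreAndRedirect(request, response); %>`. The restore step depends on both pages being served by the same container session, which holds in the layout above because both paths live on the same web server; if the two pages are split across servers, the preserved target has to be carried some other way (for example a signed value) rather than in the container session.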