Redirecting unauthenticated users from Siteminder protected resource to third-party IDP
Article ID: 276002

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

How to protect a resource with Siteminder so that an unauthenticated user's request for the protected resource results in a SAMLRequest being sent to a third-party IDP

Environment

All Siteminder releases

Resolution

You can achieve this use case out of the box by using the HTML Forms auth scheme.

Protect the resource with HTML Forms authentication, and make Siteminder's saml2authnrequest URL the Target of the auth scheme. The Target would look something like:
https://federation.example.com/affwebservices/public/saml2authnrequest?ProviderID=<IDPID>

If a RelayState value needs to be included, add it as a query parameter:
https://federation.example.com/affwebservices/public/saml2authnrequest?ProviderID=<IDPID>&RelayState=<RelayState value>

When unauthenticated users request a resource protected with this auth scheme, a SAMLRequest parameter will be generated and sent to the IDP.

Do note that the Siteminder agent will append additional query parameters of its own when redirecting to the saml2authnrequest URL; the saml2authnrequest endpoint ignores these extra parameters.

To set the RelayState value to the protected page that the user originally requested, make an active page the Target of the HTML Forms auth scheme instead of the saml2authnrequest URL. The active page should read the Target parameter from the request URL, convert it into a RelayState parameter, and redirect the user to the saml2authnrequest URL.
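The following is an added illustration of the "active page" logic described above; it is not code from Broadcom or from this article. It assumes the agent passes the originally requested URL in a TARGET query parameter (Siteminder conventionally prefixes that value with "-SM-", which is stripped here if present), and it uses the article's federation.example.com host, a placeholder ProviderID, and an assumed allow-list of hosts. Because the TARGET value is attacker-influenceable, the page only echoes it back as RelayState when it is an absolute https URL on an allow-listed host and fits the 80-byte RelayState limit from the SAML 2.0 bindings specification; otherwise the redirect goes ahead without RelayState.

```python
"""Minimal 'active page' for the HTML Forms -> saml2authnrequest pattern.

Added example, not Broadcom/Siteminder code. Assumptions are marked below.
"""
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# The saml2authnrequest URL from the article (federation.example.com is the article's placeholder).
SAML2_AUTHNREQUEST = "https://federation.example.com/affwebservices/public/saml2authnrequest"
# Assumed placeholder for the IDP's entity ID (the article's <IDPID>).
PROVIDER_ID = "https://idp.example.org/saml/metadata"
# Assumed allow-list: only targets on these hosts are forwarded as RelayState.
ALLOWED_TARGET_HOSTS = {"app.example.com"}
# SAML 2.0 Bindings (HTTP Redirect/POST): RelayState MUST NOT exceed 80 bytes.
MAX_RELAYSTATE_BYTES = 80


def extract_target(request_url: str) -> Optional[str]:
    """Return the decoded TARGET query parameter of the incoming request, or None.

    Assumption: the agent supplies the original URL as TARGET, conventionally
    prefixed with '-SM-'. The parameter name is matched case-insensitively and
    the prefix is removed if present.
    """
    query = parse_qs(urlsplit(request_url).query)
    for name, values in query.items():
        if name.lower() == "target" and values:
            target = values[0]
            return target[len("-SM-"):] if target.startswith("-SM-") else target
    return None


def is_safe_relaystate(target: str) -> bool:
    """Accept only an absolute https URL on an allow-listed host, with no userinfo,
    that fits within the SAML RelayState size limit."""
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.hostname.lower() not in ALLOWED_TARGET_HOSTS:
        return False
    return len(target.encode("utf-8")) <= MAX_RELAYSTATE_BYTES


def build_authnrequest_url(request_url: str) -> str:
    """Build the redirect to saml2authnrequest, adding RelayState only for a safe target.

    The agent's own extra parameters (TYPE, SMAUTHREASON, ...) are not forwarded;
    the article notes the endpoint ignores them anyway, and dropping them keeps the
    redirect minimal.
    """
    params = {"ProviderID": PROVIDER_ID}
    target = extract_target(request_url)
    if target is not None and is_safe_relaystate(target):
        params["RelayState"] = target
    return SAML2_AUTHNREQUEST + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    # Constructed sample of what the agent's redirect to the active page could look like.
    incoming = (
        "https://sso.example.com/saml-redirect?TYPE=33554433&SMAUTHREASON=0"
        "&TARGET=-SM-https%3A%2F%2Fapp.example.com%2Fprotected%2Fpage"
    )
    print(build_authnrequest_url(incoming))
```

In a real deployment the active page would emit this URL as an HTTP 302 Location header; the allow-list is the control that keeps a forged TARGET from turning the IDP's post-login redirect into an open redirect.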

Additional Information

This same approach can be used to create an IDP-initiated SAML authentication by making the Target of the HTML Forms auth scheme look like this:
https://federation.example.com/affwebservices/public/saml2sso?SPID=<SPID>