During a Federation transaction, what makes SiteMinder decide whether we are in an SP-initiated or an IdP-initiated transaction? What is used to redirect to the original protected target at the SP?
SiteMinder decides whether the transaction is SP-initiated or IdP-initiated from the presence of the InResponseTo attribute in the response. An InResponseTo value means the SAMLRequest sent by the SP carried that value as its ID, and the IdP is sending a response to that specific request; a response without InResponseTo is an unsolicited (IdP-initiated) response. The first sample below carries InResponseTo on both the Response and the SubjectConfirmationData (SP-initiated); the second carries neither (IdP-initiated). Note that the SP should also check that the InResponseTo value matches a request ID it actually issued and has not already consumed, rather than accepting any value that is present.
[SAMLResponse: <Response Destination="http://_sp.example.com/affwebservices/public/saml2assertionconsumer" ID="_7b62a9c67881d75371d48d0480dee8f69008" InResponseTo="_b72caeb3612016665f851a5738e5062e491b" IssueInstant="2016-01-21T08:27:33Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
<ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">IDP_FH</ns1:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<ns2:Assertion ID="_349222fa33e3482bad2845d08c5a6c3fb5a6" IssueInstant="2016-01-21T08:27:33Z" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
<ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDP_FH</ns2:Issuer>
<ns2:Subject>
<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Robm</ns2:NameID>
<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns2:SubjectConfirmationData InResponseTo="_b72caeb3612016665f851a5738e5062e491b" NotOnOrAfter="2016-01-21T08:29:02Z" Recipient="http://_sp.example.com/affwebservices/public/saml2assertionconsumer"/>
</ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="2016-01-21T08:27:02Z" NotOnOrAfter="2016-01-21T08:29:02Z">
<ns2:AudienceRestriction>
<ns2:Audience>SP_FH</ns2:Audience>
</ns2:AudienceRestriction>
<ns2:AudienceRestriction>
<ns2:Audience>audience</ns2:Audience>
</ns2:AudienceRestriction>
</ns2:Conditions>
<ns2:AuthnStatement AuthnInstant="2016-01-21T08:27:31Z" SessionIndex="+G2 .. 9Q==" SessionNotOnOrAfter="2016-01-21T08:29:02Z">
<ns2:AuthnContext>
<ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
</ns2:AuthnContext>
</ns2:AuthnStatement>
</ns2:Assertion>
</Response>]
--------------------
[SAMLResponse: <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://_host.example.com/FWS/affwebservices/public/saml2assertionconsumer" ID="_81631e887197a8de1d68efee38ff1993d990" IssueInstant="2016-01-08T12:26:00Z" Version="2.0">
<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDP_FH</ns1:Issuer>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9819170bc4a45b3f979838ed999dcec61288" IssueInstant="2016-01-08T12:26:00Z" Version="2.0">
<ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDP_FH</ns2:Issuer>
<ns2:Subject>
<ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Robm</ns2:NameID>
<ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<ns2:SubjectConfirmationData NotOnOrAfter="2016-01-08T12:31:00Z" Recipient="https://_host.example.com/FWS/affwebservices/public/saml2assertionconsumer"/>
</ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="2016-01-08T12:26:00Z" NotOnOrAfter="2016-01-08T12:31:00Z">
<ns2:AudienceRestriction>
<ns2:Audience>SP_FH</ns2:Audience>
</ns2:AudienceRestriction>
</ns2:Conditions>
<ns2:AuthnStatement AuthnInstant="2016-01-08T12:26:00Z" SessionIndex="sJ .. 2Q==" SessionNotOnOrAfter="2016-01-08T12:31:00Z">
<ns2:AuthnContext>
<ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
</ns2:AuthnContext>
</ns2:AuthnStatement>
</ns2:Assertion>
</Response>]