How to protect a resource with SiteMinder so that a request from an unauthenticated user results in a SAMLRequest to a third-party IdP.
To protect the application resource with an authentication scheme that results in an SP-initiated SAML request, you can try the following:
** 1) Create a custom page that redirects the request to the Federation Web Services.
Below is a sample JSP page that redirects to the AuthnRequest federation web service.
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<title>Redirect Page</title>
<meta http-equiv="refresh" content="5; URL='https://fedapp.example.com/affwebservices/public/saml2authnrequest?ProviderID=IDPID&RelayState=https%3A%2F%2Ffedapp.example.com%2Fdump_headers.jsp'" />
</head>
<body>
<%
// Server-side redirect to the SP-initiated AuthnRequest service.
response.sendRedirect("https://fedapp.example.com/affwebservices/public/saml2authnrequest?ProviderID=IDPID&RelayState=https%3A%2F%2Ffedapp.example.com%2Fdump_headers.jsp");
%>
</body>
</html>
In this example, the custom page was hosted on the Access Gateway under /affwebservices/application/redirect.jsp
** 2) Create an HTML form authentication scheme that has the value /affwebservices/application/redirect.jsp, which is the custom page from step 1.
** 3) Protect the application TARGET URL (defined in the partnership) with the authentication scheme created in step 2.
The target application in this example partnership is --> https://fedapp.example.com/affwebservices/testapp/dump_headers.jsp
** 4) Access the application directly --> https://fedapp.example.com/affwebservices/testapp/dump_headers.jsp
You will be redirected to the custom page defined in the authentication scheme protecting the resource --> http://fedapp.example.com/affwebservices/application/redirect.jsp?TYPE=33554433&REALMOID=06-000xxxxxxxx3-a734-9edd0afc0000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-bnpiTpKz4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNpQj&TARGET=-SM-https%3a%2f%2ffedapp%2eexample.com%2ecom%2faffwebservices%2ftestapp%2fdump_headers%2ejsp HTTP/1.1
The custom page will automatically redirect to the AuthnRequest web service URL (as defined in the custom page body) --> Location: https://fedapp.example.com/affwebservices/public/saml2authnrequest?ProviderID=IDPID&RelayState=https%3A%2F%2Ffedapp.example.com%2Faffwebservices%2Ftestapp%2Fdump_headers.jsp
** 5) The browser proceeds with the request normally: the SAMLRequest is sent to the IdP and the flow continues as expected. Once the assertion is consumed, an SMSESSION cookie is generated at the SP and the user is redirected to the TARGET defined in the SP partnership --> https://fedapp.example.com/affwebservices/testapp/dump_headers.jsp
This time, since an SMSESSION exists for example.com, the user will be able to access the TARGET resource as expected.
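The redirect page in step 1 hardcodes RelayState. If the page is extended to carry the TARGET query parameter shown in step 4 into RelayState, that value is user-controlled and should be checked before use. The following is an added example, not code from the article or the product. It assumes the value passed in is what request.getParameter("TARGET") returns (already percent-decoded, still carrying the "-SM-" prefix, with no other agent-specific escaping); the class name, helper name and host allow-list are hypothetical.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class FedRedirect {
    // Endpoint, ProviderID and default target as used in the article's example.
    static final String AUTHN_REQUEST =
        "https://fedapp.example.com/affwebservices/public/saml2authnrequest";
    static final String PROVIDER_ID = "IDPID";
    static final String DEFAULT_TARGET =
        "https://fedapp.example.com/affwebservices/testapp/dump_headers.jsp";
    // Hypothetical allow-list of hosts the SP may send users back to.
    static final Set<String> ALLOWED_HOSTS = Set.of("fedapp.example.com");

    /** Build the AuthnRequest URL; TARGET becomes RelayState only if it passes validation. */
    static String buildRedirect(String target) {
        String relay = DEFAULT_TARGET;
        if (target != null) {
            try {
                // Assumption: the agent marks the value with a "-SM-" prefix.
                String t = target.startsWith("-SM-") ? target.substring(4) : target;
                URI u = new URI(t); // rejects backslashes, spaces and other malformed input
                boolean ok = "https".equalsIgnoreCase(u.getScheme())
                        && u.getHost() != null
                        && u.getUserInfo() == null // no user@host tricks
                        && ALLOWED_HOSTS.contains(u.getHost().toLowerCase(Locale.ROOT));
                if (ok) {
                    relay = u.toString();
                }
            } catch (Exception e) {
                // Malformed TARGET: keep the fixed partnership target.
            }
        }
        return AUTHN_REQUEST
            + "?ProviderID=" + URLEncoder.encode(PROVIDER_ID, StandardCharsets.UTF_8)
            + "&RelayState=" + URLEncoder.encode(relay, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured traffic.
        System.out.println(buildRedirect(
            "-SM-https://fedapp.example.com/affwebservices/testapp/dump_headers.jsp"));
        System.out.println(buildRedirect("-SM-https://other.example.net/landing"));
        System.out.println(buildRedirect(null));
    }
}
```

In the JSP, the result would be passed to response.sendRedirect(...) in place of the hardcoded string; any TARGET that is off-host, not HTTPS, or unparsable falls back to the partnership target.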