Multiple Assertion Consumer Service (ACS) URLs when no metadata is available in AdminUI
Article ID: 420846
Products: SiteMinder, CA Single Sign-On, CA Single Sign On Federation (SiteMinder)
Issue/Introduction
Running SiteMinder Federation Services as IdP:
Is it correct that the Service Provider side (SP) must provide metadata including all the ACS URLs it intends to use, each with its respective index and one marked as default?
Where and how is the selection of the ACS URL configured in SiteMinder?
Is there any configuration or recommendation in SiteMinder to dynamically handle ACS selection or failover among multiple ACS URLs?
Resolution
Yes, that is correct. The IdP must know every ACS URL the SP intends to use, so that the SAML Response carrying the assertion is returned only to an endpoint the SP has registered for that partnership.
This protects the assertion exchange: the IdP never sends an assertion to a URL it has not been configured to trust for that partner. Each ACS URL carries an index, and exactly one of them is marked as the default. The index lets the SP name an ACS concisely in the AuthnRequest (AssertionConsumerServiceIndex) instead of spelling out the URL; the default ensures that an AuthnRequest without an ACS index is still answered at the right URL for assertion consumption.
With SiteMinder running as IdP, obtain the exported metadata file from the SP partner and import it in the AdminUI.
This metadata should list all the ACS URLs with their indexes, and exactly one entry marked as the default (isDefault="true"). In the Partnership, the same entries can also be configured manually under: Modify Partnership / SSO and SLO /
Remote Assertion Consumer Service URLs
There is no dynamic selection or failover feature for the ACS URLs in SiteMinder.
The IdP uses the ACS the AuthnRequest names by index, and the default one when the AuthnRequest carries no index. This is defined by the SAML protocol, not by a SiteMinder setting; if the SP wants the assertion at a different ACS, it has to ask for it by index in the AuthnRequest. When no metadata is available:
- Ask the SP side for all the details of the SP entity, including the EntityID, the ACS URLs (each with its index, and which one is the default), the bindings, etc.
- Once you have the details, configure a SAML Remote SP entity in the AdminUI with them.
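As an added illustration of the two points above (the IdP must know every ACS URL, and selection is by index or default, never by whatever URL a request happens to carry), the following Python is example code, not SiteMinder code and not part of this article. It parses the AssertionConsumerService entries (index, Location, Binding, isDefault) from SP metadata, then picks the ACS for an incoming AuthnRequest: by index, by a URL that must match a registered entry, or the default when neither is given. The entity ID, URLs, request ID and timestamp are constructed sample values.

```python
"""Resolve the ACS for an AuthnRequest the way a SAML 2.0 IdP must: only ever
to an endpoint the SP registered. Added example, not SiteMinder code; the
metadata, entity ID, URLs and requests below are constructed samples."""
import xml.etree.ElementTree as ET
from collections import namedtuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: three ACS endpoints, index 1 marked as the default.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="0" Binding="{HTTP_POST}"
        Location="https://sp.example.test/acs/legacy"/>
    <md:AssertionConsumerService index="1" isDefault="true" Binding="{HTTP_POST}"
        Location="https://sp.example.test/acs/main"/>
    <md:AssertionConsumerService index="2" Binding="{HTTP_POST}"
        Location="https://sp-dr.example.test/acs/main"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

Acs = namedtuple("Acs", "index location binding is_default")


def load_acs(metadata_xml):
    """Return the SP's ACS endpoints in document order, rejecting duplicate indexes."""
    root = ET.fromstring(metadata_xml)
    acs, seen = [], set()
    for el in root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        idx = int(el.get("index"))
        if idx in seen:
            raise ValueError(f"duplicate ACS index {idx}")
        seen.add(idx)
        is_default = el.get("isDefault", "false").lower() == "true"
        acs.append(Acs(idx, el.get("Location"), el.get("Binding"), is_default))
    if not acs:
        raise ValueError("SP metadata has no AssertionConsumerService")
    return acs


def default_acs(acs):
    """SAML metadata rule: the entry with isDefault="true", else the first one listed."""
    return next((a for a in acs if a.is_default), acs[0])


def resolve_acs(acs, authn_request_xml):
    """Pick the ACS for the Response to this AuthnRequest.

    AssertionConsumerServiceIndex -> look it up; an unknown index is refused.
    AssertionConsumerServiceURL   -> must equal a registered Location (and its
                                     Binding, when ProtocolBinding is given).
    Neither                       -> the default ACS.
    The assertion is never sent to a URL taken from the request alone.
    """
    req = ET.fromstring(authn_request_xml)
    idx = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if idx is not None and url is not None:
        raise ValueError("AuthnRequest carries both an ACS index and an ACS URL")
    if idx is not None:
        match = next((a for a in acs if str(a.index) == idx), None)
        if match is None:
            raise ValueError(f"ACS index {idx!r} is not registered for this SP")
        return match
    if url is not None:
        match = next((a for a in acs if a.location == url
                      and (binding is None or binding == a.binding)), None)
        if match is None:
            raise ValueError(f"ACS URL {url!r} is not registered for this SP")
        return match
    return default_acs(acs)


def authn_request(**attrs):
    """Constructed minimal AuthnRequest carrying only the ACS-selection attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_req1" '
            f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{extra}/>')


def describe(acs, authn_request_xml):
    """Outcome as text: where the assertion would go, or why the request is refused."""
    try:
        return "send to " + resolve_acs(acs, authn_request_xml).location
    except ValueError as e:
        return "refused: " + str(e)


if __name__ == "__main__":
    sp_acs = load_acs(SP_METADATA)
    cases = {
        "no index (default)": authn_request(),
        "index 2 (DR site)": authn_request(AssertionConsumerServiceIndex="2"),
        "registered URL": authn_request(AssertionConsumerServiceURL="https://sp.example.test/acs/legacy"),
        "unregistered URL": authn_request(AssertionConsumerServiceURL="https://attacker.example.test/acs"),
        "unknown index 7": authn_request(AssertionConsumerServiceIndex="7"),
    }
    for label, req in cases.items():
        print(f"{label:20s} -> {describe(sp_acs, req)}")
```

The "unregistered URL" case is the one the configuration above exists to prevent: a request asking for an ACS the SP never registered is refused rather than answered, and a request with no index lands at the default entry, which is why the metadata (or the manual Remote Assertion Consumer Service URLs entries) must carry both the indexes and a default.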