IIS – How does IIS integration of CA SiteMinder work? (ASP.NET application)

authentication, iis

I don't use or have SiteMinder, but have to support a customer of our product who wants to use it and therefore want to ask around here how SiteMinder works with IIS.

I have a Linux system that is not to be changed. It can forward the user towards an IIS-page. The URL contains a nonce. That IIS-page then uses e.g. Kerberos based authentication with single sign on. It is very simple and just learns the name of the user (asp.net provides that) and then creates a ticket containing nonce and username and redirects back towards the closed Linux system that is not to be changed.

This works fine using Kerberos or NTLM and Windows integrated authentication.

How would this work with SiteMinder? Would they also provide the username of the currently logged in user towards an asp.net application? Would they support redirects?

I'd like them to just have written an ISAPI extension or so that parses their cookies and then lets my simple asp.net page run.

Best Answer

The SiteMinder IIS agent is an ISAPI filter/extension. It sits in the web server and passes through requests to the underlying page with no changes required on the page as long as you can look to a header for the authenticated user ID. The agent handles all the redirects for authentication and will preserve the originally requested location so that after authentication the user is sent on to the correct page.

SiteMinder supports a concept called responses. With a response you can set any HTTP header you want. As described above, SM_USER is set by default, but you can also set REMOTE_USER or any other header you would like. Since SiteMinder supports a significant number of authentication schemes, you could continue to use Windows Integrated Authentication with the IIS server.

If you want to get into more details, I'm @tclayton on Twitter.
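
The ticket page from the question, reading the `SM_USER` header the answer describes instead of the Windows identity. This is an added example, not code from the question or the answer. Assumptions: the HMAC signature and ticket layout, the `nonce` query parameter name and format, the `TICKET_HMAC_KEY` variable, the return URL, and that the page is reachable only through the agent-protected site, since otherwise a client could supply `SM_USER` itself.

```csharp
// Added example (ASP.NET generic handler); names and ticket format are assumptions.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

public class TicketHandler : IHttpHandler
{
    // Assumed: HMAC key shared with the Linux system, and its fixed return URL.
    private static readonly byte[] Key =
        Convert.FromBase64String(Environment.GetEnvironmentVariable("TICKET_HMAC_KEY"));
    private const string ReturnUrl = "https://linux-host.example/sso/return";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Header set by the SiteMinder agent; with Windows Integrated
        // Authentication the page would read context.User.Identity.Name instead.
        string user = context.Request.Headers["SM_USER"];
        string nonce = context.Request.QueryString["nonce"];

        // Fail closed: no authenticated user, or a nonce outside the assumed format.
        if (string.IsNullOrEmpty(user) || nonce == null ||
            !Regex.IsMatch(nonce, @"\A[A-Za-z0-9_-]{16,128}\z"))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // The redirect target is a constant, never taken from the request.
        context.Response.Redirect(ReturnUrl + "?ticket=" +
            HttpUtility.UrlEncode(BuildTicket(nonce, user, Key)), false);
    }

    // ticket = base64url(nonce "\n" user) "." base64url(HMAC-SHA256(key, payload))
    public static string BuildTicket(string nonce, string user, byte[] key)
    {
        byte[] payload = Encoding.UTF8.GetBytes(nonce + "\n" + user);
        using (var hmac = new HMACSHA256(key))
        {
            return B64Url(payload) + "." + B64Url(hmac.ComputeHash(payload));
        }
    }

    private static string B64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}
```

The receiving side recomputes the HMAC over the payload, compares it in constant time, and accepts the ticket only if the nonce is one it issued and has not yet been used.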