Wondering if anyone has run into this scenario. We are setting up a SAML 2 federated partnership. The IDP is not CA SiteMinder but is a SAML-compliant partner. Our SP side is a CA SiteMinder implementation with the Web Agent Option Pack set up for the federated servlets.
My question is about protecting the resources at the Service Provider side. We allow both IDP- and SP-initiated requests in the partnership. I have tried creating an HTML forms authentication scheme and protecting the service provider resource with this auth scheme. On the auth scheme I am setting the parameter so that it invokes the SP-initiated transaction with the AuthN request. This works fine in my lab with a simple IDP entity ID that doesn't require URL encoding.
The problem is at the customer site, where the entity ID is a resource like http://idp.test.com/servlet/blah, which requires URI encoding. The request works fine when you directly initiate the full SP URL with ProviderID=EncodedversionofEntityId.
What I see, though, when setting this up as the HTML forms target is that it does its own encoding of the URI, and the policy server is never able to locate the IDP ID because it is not decoding the encoded portion of the URI.
Has anyone run into this scenario? Another, maybe dumb, question: can the SAML 2 auth scheme template be used in Partnership mode, or is it only valid for Legacy Federation?
What is the best practice for protecting against users directly accessing a resource that is set up in a partnership federation model? My plan is to protect them with our specially crafted forms auth scheme, which works fine with a non-encoded provider ID but not an encoded one.
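As an added illustration that is not part of the post above, the following Python model reproduces the double-encoding symptom it describes: a ProviderID that is already percent-encoded gets encoded a second time by the forms target, and a receiver that decodes once no longer sees the entity ID. The SP endpoint path and the forms-target behaviour are assumptions for the model; the entity ID is the one from the post.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs

ENTITY_ID = "http://idp.test.com/servlet/blah"  # entity ID quoted in the post
# Assumed SP endpoint for the model; not taken from the post or from product docs.
SP_ENDPOINT = "https://sp.example.test/saml2/authnrequest"


def build_sp_initiated_url(provider_id: str) -> str:
    """The SP-initiated URL with ProviderID encoded once (the form that works when typed directly)."""
    return f"{SP_ENDPOINT}?ProviderID={quote(provider_id, safe='')}"


def forms_target_reencode(url: str) -> str:
    """Model of a forms-auth target that percent-encodes the query string again before redirecting.
    '%' is not a safe character, so every existing escape becomes '%25..'."""
    base, _, query = url.partition("?")
    return f"{base}?{quote(query, safe='=&')}"


def provider_id_as_seen_by_receiver(url: str) -> str:
    """The receiving side decodes the query string exactly once."""
    return parse_qs(urlsplit(url).query)["ProviderID"][0]


def is_double_encoded(value: str) -> bool:
    """If a value still contains percent-escapes after one decode, it was encoded more than once."""
    return "%" in value and unquote(value) != value


def diagnose(entity_id: str) -> dict:
    """Compare what the receiver sees for a direct request vs. one that passed through the forms target."""
    direct = build_sp_initiated_url(entity_id)
    via_forms = forms_target_reencode(direct)
    seen_direct = provider_id_as_seen_by_receiver(direct)
    seen_forms = provider_id_as_seen_by_receiver(via_forms)
    return {
        "direct_url": direct,
        "via_forms_url": via_forms,
        "seen_direct": seen_direct,
        "seen_via_forms": seen_forms,
        "direct_matches": seen_direct == entity_id,
        "via_forms_matches": seen_forms == entity_id,
        "via_forms_double_encoded": is_double_encoded(seen_forms),
    }


if __name__ == "__main__":
    for eid in (ENTITY_ID, "idp-lab"):  # URL-style ID vs. a simple lab-style ID with nothing to encode
        for key, val in diagnose(eid).items():
            print(f"{key}: {val}")
```

Running it shows why the lab setup passes and the customer setup fails: a simple entity ID contains nothing to escape, so a second encoding pass is a no-op, whereas the URL-style entity ID arrives as `http%3A%2F%2F...` after one decode and never matches the configured IDP.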