This tip relates to an Identity Manager deployment integrated with SiteMinder, where the SiteMinder web agent runs on IIS 7.x and Identity Manager runs on WebLogic.
In this situation, SiteMinder protection is handled by the web agent on IIS 7.x. The web agent ISAPI filter needs to be first in execution order to guarantee full SiteMinder protection (authentication and authorization). The WebLogic plugin executes next. This plugin routes requests for Identity Manager to the WebLogic server, where they are handled.
The documentation does not state explicitly that the WebLogic plugin needs to be ordered after the SiteMinder agent in two places:
1. The ISAPI filter order (which is documented and explained above).
2. The file handler mapping order. The WebLogic plugin (a DLL that is plugged into IIS) needs to be mapped to handle certain page requests. According to the documentation, it is mapped to handle *.jsp page requests. This means that it intercepts requests for JSP pages and tries to route them to the WebLogic server for handling. However, IIS might host additional pages and applications, not only Identity Manager, and these might also have *.jsp pages. If the WebLogic plugin intercepts every JSP page request, these applications are not given the chance to process their own pages, and the WebLogic server will not find those pages either. Therefore, if Identity Manager is not the only application that includes JSP pages (in other words, if your IIS has additional JSP pages for any other purpose), make sure the WebLogic plugin is also mapped in the correct position in the file handler mapping order.
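One way to check both orderings in an exported IIS configuration, as an added example that is not part of the original tip or of either product. The DLL names, paths and handler entries in the sample are constructed placeholders; the script assumes a single `<system.webServer>` section and ignores `<clear>`/`<remove>` elements and per-site overrides.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <system.webServer> section of an IIS 7.x
# applicationHost.config. DLL names and paths are placeholders, not real ones.
SAMPLE = """
<system.webServer>
  <isapiFilters>
    <filter name="SiteMinder Agent" path="C:\\agent\\sm-agent.dll" />
    <filter name="WebLogic Plugin" path="C:\\wls\\wl-plugin.dll" />
  </isapiFilters>
  <handlers>
    <add name="wl-jsp" path="*.jsp" verb="*" modules="IsapiModule"
         scriptProcessor="C:\\wls\\wl-plugin.dll" />
    <add name="sm-agent" path="*" verb="*" modules="IsapiModule"
         scriptProcessor="C:\\agent\\sm-agent.dll" />
  </handlers>
</system.webServer>
"""

def first_index(entries, attr, marker):
    """Position of the first entry whose attribute contains marker, else None."""
    for i, entry in enumerate(entries):
        if marker.lower() in entry.get(attr, "").lower():
            return i
    return None

def check_order(config_xml, agent_marker, plugin_marker):
    """Return one finding per place where the plugin is not after the agent."""
    root = ET.fromstring(config_xml)
    places = [
        ("ISAPI filter order", root.findall(".//isapiFilters/filter"), "path"),
        ("handler mapping order", root.findall(".//handlers/add"), "scriptProcessor"),
    ]
    findings = []
    for label, entries, attr in places:
        agent = first_index(entries, attr, agent_marker)
        plugin = first_index(entries, attr, plugin_marker)
        if plugin is None:
            continue  # plugin not registered in this list, nothing to order
        if agent is None:
            findings.append(f"{label}: plugin present but agent missing")
        elif plugin < agent:
            findings.append(f"{label}: plugin (#{plugin}) precedes agent (#{agent})")
    return findings

if __name__ == "__main__":
    for finding in check_order(SAMPLE, "sm-agent.dll", "wl-plugin.dll"):
        print(finding)
```

In the constructed sample the filter order is correct but the handler mapping order is not, which is the case the documentation leaves out.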