We have SAML integration between ServiceNow and SiteMinder using Secure proxy servers.
We have a use case where regular users and admin users both access the same resource (ServiceNow); however, after initial form-based authentication, admin users are required to perform RSA 2-factor authentication (step-up authentication). Our basic requirement was to have only admin users perform the RSA 2-factor authentication; however, there is no way to pre-determine a user type without first authenticating them and querying the LDAP attribute. So we had to adopt this approach.
These users are identified by an LDAP attribute, so they can only be identified by SiteMinder after initial form-based authentication.
This is how we have implemented this requirement:
Upon initial form-based authentication, if the user is an admin user, they are redirected to another protected resource that uses the RSA SecurID 2-factor authentication scheme.
How do we transfer the User ID to the second login page without having the user re-enter their User ID?
How do we preserve and / or transfer the original deep-linked ServiceNow URL so as to redirect to it upon a successful second authentication?
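One defensible way to carry both pieces of information (the already-authenticated User ID and the original deep-linked ServiceNow URL) across the step-up redirect is a short-lived, HMAC-signed state token that the first login step issues and the RSA-protected step verifies. The sketch below is an added illustration, not SiteMinder's own mechanism or any SiteMinder API; the hosts, the `login.fcc` path and the key are constructed placeholders. Its points are the ones a practitioner would want: the target URL is restricted to an allow-list before it is ever embedded (so the redirect cannot be turned into an open redirect), the token expires, and the second login page only trusts a User ID whose signature verifies, rather than a bare query-string value it would otherwise have to accept on faith.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode, urlparse

# Constructed demo values: in a real deployment the key lives in a managed
# secret store shared by the two login steps, and the hosts are your own.
STATE_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_TARGET_HOSTS = {"servicenow.example.com"}            # hypothetical SP host
STEPUP_LOGIN_URL = "https://sso.example.com/rsa/login.fcc"   # hypothetical RSA-protected FCC
STATE_TTL_SECONDS = 300


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_safe_target(url: str) -> bool:
    """Only HTTPS deep links into the known ServiceNow host may be carried along."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.netloc in ALLOWED_TARGET_HOSTS


def issue_stepup_state(user_id: str, target_url: str, now: Optional[int] = None) -> str:
    """Called after form-based auth decided the user needs step-up.

    Binds the authenticated user ID and the original URL together and signs them,
    so neither can be altered between the two login pages.
    """
    if not is_safe_target(target_url):
        raise ValueError("refusing to carry a target outside the allow-list")
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sub": user_id, "target": target_url, "iat": now, "exp": now + STATE_TTL_SECONDS},
        separators=(",", ":"),
        sort_keys=True,
    ).encode("utf-8")
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_stepup_state(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Called by the RSA-protected step; returns the claims or None if untrusted."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64url(payload_b64)
        tag = _unb64url(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or now >= int(claims.get("exp", 0)):
        return None
    if not is_safe_target(str(claims.get("target", ""))):  # re-check on the way out too
        return None
    return claims


def build_stepup_redirect(user_id: str, target_url: str, now: Optional[int] = None) -> str:
    """The redirect the first login step sends an admin user to."""
    state = issue_stepup_state(user_id, target_url, now)
    return STEPUP_LOGIN_URL + "?" + urlencode({"state": state})


def complete_stepup(state_token: str, now: Optional[int] = None):
    """After RSA succeeds: (user_id, redirect_url) to finish with, or None to start over."""
    claims = verify_stepup_state(state_token, now)
    if claims is None:
        return None
    return claims["sub"], claims["target"]


if __name__ == "__main__":
    url = build_stepup_redirect("alice", "https://servicenow.example.com/nav_to.do?uri=incident.do")
    print(url)
    print(complete_stepup(url.split("state=", 1)[1]))
```

On the second login page the `sub` claim is what pre-fills the User ID, and it should be rendered read-only so the user cannot swap in a different account for the RSA step; the `target` claim is what the page redirects to once the SecurID scheme has accepted the passcode. Keeping the target behind `is_safe_target` in both the issuing and the verifying direction is what prevents the deep-link carry-over from becoming an open redirect.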