Ron RonChavez
Am kind of lost now (After the Federation process completes I need to send the client back to the SiteMinder application and support deep linking), who is the IdP and who is SP ? My apologies, trying to visually what is being done here.
Is the siteminder application which is starting the connection AND the siteminder application to which you need to send the client back to within the same CA SSO ENV ? OR are they two different CA SSO ENV ?
I feel we need to step back, this needs a design review and thought process check. Seems like there is some gap in understanding the product functions VS what we want to achieve VS how we achieve it.
A login.fcc needs 3 values to process the request
- Username.
- Password.
- Target (MUST be protected resource).
I would create a JSP page (not use redirect.jsp) OR use the sample 'unsolicited.jsp' page. Protect that JSP page.
I'd POST to login.fcc
Within protected.jsp include,
Option-A ( * PoC needed)
the logic to POST to https://server.foo.com/affwebservices/public/saml2sso; with the following POST data
SPID=myapp
ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
RelayState=XXXXXXXXXXXXXXXXXXX
OR
Option-B ( * PoC needed)
(what Joe suggested) the logic that can Fetch the TARGET header from URL and issue a Redirect to IDP hardcoded link with the Relay State build from the TARGET header. https://server.foo.com/affwebservices/public/saml2sso?SPID=your_SPID&RelayState=encodedURL
How we capture the TARGET and translate that into RELAYSTATE is all custom code logic. But again my honest thought is we need to review this in detail. We can provide tips and insights over a communities thread; but designing a E2E solution, is not a viable option via a communities thread.
Regards
Hubert