Broadcom SiteMinder Tips — IAM

SiteMinder (Broadcom) configuration tips

Federation Partnerships

Use Federation Manager to create a Partnership (SP or IdP role).
Import partner metadata; verify EntityID, ACS/SSO URLs, and certificates.
Map User Directory attributes to assertion attributes (mail, givenName, memberOf).
Enable Signature Validation; enforce AudienceRestriction and Conditions.

Web Agent / ACO notes

EnableTracing=yes during setup; disable later.
DefaultAgentName set per virtual host; ensure time sync across policy server and agents.
Protect callback paths with Anonymous access when required for IdP-initiated SSO.

Common SAML settings

NameID: email or persistent.
Bindings: Redirect for requests, POST for responses.
Clock skew: allow 2–5 minutes.

Templates: IdP metadata · SP metadata

Troubleshooting checklist

Match ACS URL and EntityID on both sides.
Validate cert chains and key usage (digitalSignature for signing).
Decode and inspect SAMLResponse on the ACS (capture before redirects).
Compare server clocks; check NotBefore/NotOnOrAfter windows.