Fixed our issue by not using the CA product to integrate it. Never could get it working with SiteMinder OOB, and CA just wants folks to buy their custom agent.
We used ADFS and set up SiteMinder as a Claims Provider Trust. So SharePoint -- WS-Fed --> ADFS -- SAML 2.0 --> SiteMinder.
This way we could continue using our normal custom login forms and the authentication services that rely on SiteMinder, while from the app's viewpoint it is just a standard ADFS WS-Fed integration.
No point spending tons of $$$ on the SharePoint agent when ADFS is basically free in terms of license. And it can do a lot of stuff that SiteMinder can't, such as a WS-Trust endpoint for exchanging cert auth for a signed JWT, better claims manipulation, etc.
It's been a pretty useful tool to add to our overall collection of capabilities, especially when working with other Microsoft products. With the two products we've been able to cover much more than either one by itself could do.
---
Some considerations with that setup:
- By default, you'll get the IdP Discovery page of ADFS. If you want to avoid this so a user is immediately sent to your SiteMinder IdP, run a PowerShell command like this:
Set-AdfsRelyingPartyTrust -TargetName "MyRelyingParty" -ClaimsProviderName @("SiteMinderIDP")
- ADFS supports wildcards for the return URL. For all the dynamically generated sites you'll want to leverage this. So the trusted URL on the relying party would be something like "https://*.mysharepoint.domain.com".
This way it will accept any of the site-generated URLs within that domain.
- User-friendly two-factor enforcement can be tricky. Just be sure to test it in your environment and adjust accordingly. E.g., I authorize in ADFS on the "authlevel" returned from SiteMinder. If this fails, by default I just get an ugly error at ADFS with no useful information.
- One other thing: if you consider using the Web Application Proxy (WAP), I believe it can support front-ending SharePoint without requiring it to go WS-Fed. I've not done it but talked with others who have a similar setup. WAP is a reverse proxy solution that goes with ADFS and can front-end "non-claims aware" applications. My understanding is that it can front-end SharePoint: you authenticate to WAP, which then does Kerberos to the back-end, so SharePoint itself doesn't have to switch to WS-Fed/SAML.
Again, I haven't personally set this up. But it might be worth investigating if you consider the ADFS route.
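The ADFS side of the chain described in the post (SiteMinder as a SAML 2.0 claims provider, SharePoint as a WS-Fed relying party, authorization on the SiteMinder "authlevel" claim, and skipping the IdP discovery page), written out as an added example that is not the poster's own script. The trust names, metadata path, endpoint, identifier, authlevel claim type URI and the threshold of 10 are assumptions to replace with your own values.

```powershell
# Added example: ADFS configuration for SharePoint -> ADFS (WS-Fed) -> SiteMinder (SAML 2.0).
# All names, paths, URIs and the threshold below are assumed placeholders.
$authLevelClaim = "http://schemas.example.com/claims/authlevel"   # assumed claim type sent by SiteMinder
$emailClaim     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 1. SiteMinder as a Claims Provider Trust, imported from its SAML federation metadata.
#    Acceptance rules decide which incoming claims ADFS keeps: only email and authlevel
#    are passed through; anything else SiteMinder asserts is dropped here.
$acceptRules = @"
@RuleName = "Pass through identity and authlevel from SiteMinder"
c:[Type == "$emailClaim"] => issue(claim = c);
c:[Type == "$authLevelClaim"] => issue(claim = c);
"@
Add-AdfsClaimsProviderTrust -Name "SiteMinderIDP" `
    -MetadataFile "C:\adfs\siteminder-metadata.xml" `
    -AcceptanceTransformRules $acceptRules

# 2. SharePoint as a Relying Party Trust over WS-Federation.
#    Claim rule language has no numeric comparison, so "authlevel >= 10" (assumed threshold)
#    is expressed as a regex on the claim value. ADFS denies when no permit claim is issued,
#    which is the "ugly error" the post mentions when the level is too low.
$authzRules = @"
@RuleName = "Permit only when SiteMinder authlevel is 10 or higher"
c:[Type == "$authLevelClaim", Value =~ "^(1[0-9]|[2-9][0-9])`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
$transformRules = @"
@RuleName = "Send identity claim to SharePoint"
c:[Type == "$emailClaim"] => issue(claim = c);
"@
Add-AdfsRelyingPartyTrust -Name "SharePointPortal" `
    -Identifier "urn:sharepoint:portal" `
    -WSFedEndpoint "https://portal.mysharepoint.domain.com/_trust/" `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# 3. Skip ADFS home-realm discovery and send users straight to SiteMinder.
Set-AdfsRelyingPartyTrust -TargetName "SharePointPortal" -ClaimsProviderName @("SiteMinderIDP")

# 4. Read back the trust to confirm the authorization rule is in place before testing.
(Get-AdfsRelyingPartyTrust -Name "SharePointPortal").IssuanceAuthorizationRules
```

The wildcard return URL from the post would replace the -WSFedEndpoint value once you have confirmed your ADFS version accepts it.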