I would like to know whether SiteMinder queries AD for each user authentication/authorization, or whether the users are loaded into SiteMinder and there is some synchronization between SM and AD?
The Policy Server doesn't have an authentication cache. So yes, it queries the user directory (AD in your case) for every authentication request (for each user).
It does, however, have a "User Authorization/Az" cache:
The User Authorization cache remembers unique PolicyAuthorization results by User Directory OID and user DN + filter path + filterclass + resolution. It is not unique to sessions. The entries in the Authorization cache are determined by (number of users) * (number of policies for which user could be authorized). Entries live for the length of time specified by the Cache EntryLifetime setting. User Authorizations that are cached may not match the entries in the Policy Store for up to the length of time that the Authorization cache is alive. In addition, a change in the user directory which authorization is keyed off of will not be picked up for this length of time.
Similarly, on the Web Agent side it has :
User Session Cache:
The User Session cache caches Authentications and Authorizations. Authentication is based upon session ID and Realm OID and is dependent upon the number of Realms to which a user has access (e.g. 10 users accessing 100 Realms will fill a cache of size 1000). Authorization is based upon session ID and resource (Full URI, Method, and Agent name). Response information is cached by each process and stored with a timestamp denoting its validity. The maximum session time is also stored for cleanup of entries. Logout does not flush the cache.
The following documentation explains the different caches that SiteMinder has:
Hope this helps.
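To make the two caveats in the answer above concrete (a cached authorization outliving a change in the user directory, and logout not flushing the Web Agent cache), here is an added toy model, not SiteMinder code and not from the answer's author. It reproduces only the keying rules quoted above: the Policy Server authorization cache keyed by directory OID + user DN + filter path + filter class + resolution, the Web Agent cache keyed by session ID + Realm OID for authentication and by session ID + URI + method + agent name for authorization, and a fixed entry lifetime. The directory OID string, the DNs, the policy name, the use of the policy name as the "resolution" part of the key and the 600-second lifetime are all assumptions made for the example.

```python
import itertools


class FakeClock:
    """Deterministic clock so the scenarios do not depend on wall time."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class TtlCache:
    """Entries live for entry_lifetime seconds (stand-in for Cache EntryLifetime)."""
    def __init__(self, clock, entry_lifetime):
        self.clock, self.entry_lifetime, self._entries = clock, entry_lifetime, {}

    def get(self, key):
        hit = self._entries.get(key)
        if hit is None or self.clock.now >= hit[1]:
            self._entries.pop(key, None)     # expired entries are dropped on lookup
            return None
        return hit[0]

    def put(self, key, value):
        self._entries[key] = (value, self.clock.now + self.entry_lifetime)

    def live_entries(self):
        return sum(1 for _, exp in self._entries.values() if self.clock.now < exp)


class PolicyServer:
    """Authenticates against the directory every call; caches authorization only."""
    def __init__(self, clock, directory, policies, entry_lifetime):
        self.directory = directory            # user DN -> {"password": str, "groups": set}
        self.policies = policies              # policy -> (filter path, filter class, group)
        self.az_cache = TtlCache(clock, entry_lifetime)
        self.directory_oid = "dir-oid-1"      # assumed identifier for the single directory
        self.directory_reads = 0

    def authenticate(self, dn, password):
        self.directory_reads += 1             # no authentication cache: AD is hit every time
        user = self.directory.get(dn)
        return user is not None and user["password"] == password

    def is_authorized(self, dn, policy):
        filter_path, filter_class, group = self.policies[policy]
        # Key as in the answer: directory OID + user DN + filter path + filter class + resolution
        # (the policy name stands in for "resolution" here; that is an assumption).
        key = (self.directory_oid, dn, filter_path, filter_class, policy)
        cached = self.az_cache.get(key)
        if cached is not None:
            return cached
        self.directory_reads += 1
        result = group in self.directory.get(dn, {"groups": set()})["groups"]
        self.az_cache.put(key, result)
        return result


class WebAgent:
    """Authn keyed by (session, realm); authz keyed by (session, URI, method, agent name)."""
    def __init__(self, clock, name, policy_server, entry_lifetime):
        self.name, self.ps = name, policy_server
        self.session_cache = TtlCache(clock, entry_lifetime)
        self.sessions = {}                    # session id -> user DN
        self._ids = itertools.count(1)

    def login(self, dn, password, realm_oid):
        if not self.ps.authenticate(dn, password):
            return None
        sid = f"sess-{next(self._ids)}"
        self.sessions[sid] = dn
        self.session_cache.put(("authn", sid, realm_oid), True)
        return sid

    def touch_realm(self, sid, realm_oid):
        self.session_cache.put(("authn", sid, realm_oid), True)   # one entry per realm visited

    def access(self, sid, uri, method, policy):
        key = ("authz", sid, uri, method, self.name)
        cached = self.session_cache.get(key)
        if cached is None:
            cached = self.ps.is_authorized(self.sessions[sid], policy)
            self.session_cache.put(key, cached)
        return cached

    def logout(self, sid):
        self.sessions.pop(sid, None)          # as the answer says, logout does NOT flush the cache


def build():
    clock = FakeClock()
    directory = {"cn=alice,dc=example,dc=com": {"password": "pw", "groups": {"staff"}}}
    policies = {"abc-policy": ("ou=people", "user", "staff")}   # constructed sample data
    ps = PolicyServer(clock, directory, policies, entry_lifetime=600)
    return clock, directory, ps, WebAgent(clock, "agent1", ps, entry_lifetime=600)


def stale_after_group_removal():
    """Alice loses the 'staff' group mid-lifetime; the cached 'allow' survives until expiry."""
    clock, directory, ps, agent = build()
    sid = agent.login("cn=alice,dc=example,dc=com", "pw", "realm-abc")
    before = agent.access(sid, "/abc/a.html", "GET", "abc-policy")
    directory["cn=alice,dc=example,dc=com"]["groups"].discard("staff")
    clock.advance(599)
    during = agent.access(sid, "/abc/a.html", "GET", "abc-policy")   # still served from cache
    clock.advance(2)
    after = agent.access(sid, "/abc/a.html", "GET", "abc-policy")    # expired, AD consulted again
    return before, during, after


def logout_leaves_cache():
    """After logout the authn and authz entries for the session are still live."""
    clock, _, _, agent = build()
    sid = agent.login("cn=alice,dc=example,dc=com", "pw", "realm-abc")
    agent.access(sid, "/abc/a.html", "GET", "abc-policy")
    agent.logout(sid)
    return agent.session_cache.live_entries()


def authn_cache_size(n_users, n_realms):
    """Users x realms authentication entries, e.g. 10 users over 100 realms gives 1000."""
    clock, directory, ps, agent = build()
    for i in range(n_users):
        dn = f"cn=user{i},dc=example,dc=com"
        directory[dn] = {"password": "pw", "groups": set()}
        sid = agent.login(dn, "pw", "realm-0")
        for r in range(1, n_realms):
            agent.touch_realm(sid, f"realm-{r}")
    return agent.session_cache.live_entries()
```

The practical lesson is the same as in the answer: if you disable a user or strip a group in AD, the change is only guaranteed to take effect after the authorization cache lifetime has passed on both the Policy Server and every Web Agent process, so a revocation that must be immediate needs a cache flush rather than just a directory update.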
How does the Policy Server maintain the authorization cache?
Say I have created a policy protecting the resource /abc, and the rules are defined on *
The user accesses the resources:
Will the Policy Server maintain only one entry in its authorization cache for /abc/, /abc/a.html and /abc/b.html, or will it create three separate entries for them?