Testing Siteminder-protected applications with JMeter is not that complex. You need to use an HTTP tracer to check the redirects that are made during the authentication process and then mimic some of them in JMeter.
I'm a little bit confused why the login page in your setup is protected by Siteminder; it should be unprotected to allow unauthenticated users to access it.
The description below applies to the general case where a Siteminder-protected application needs to be tested using JMeter.
Normally the authentication flow in Siteminder-protected applications is as follows:
1. A request is sent to a page protected by Siteminder
2. Siteminder redirects the request to a login page
3. The user enters their username/password on the login page
4. A POST with username/password and some other parameters is done on the Siteminder '.fcc' resource
5. Siteminder creates a session (adds/updates the SMTOKEN cookie) and performs a redirect to the page accessed in step 1 above
I've found a simplified scenario which can be implemented in JMeter to perform authentication:
- step 1 above: Access protected page (Siteminder sends a redirect to the login page)
- step 4 above: POST username/password and other params used in your environment directly on the Siteminder '.fcc' resource
- step 1 above: Access protected page again (Siteminder session is available and the request will get through)
That's it. The POST request with username/password can be parameterised to perform tests using a pool of test users.
So, the following needs to be done in the JMeter project:
- An HTTP Cookie Manager needs to be added to the project to ensure that the Siteminder token is stored and sent with each request
- Three HTTP Requests need to be added to the Thread Group to implement the simplified scenario above. The "Follow Redirects" option must be ON.
The screenshot below shows JMeter request configuration to perform POST with username/password parameters to the '.fcc' resource.
The authentication flow can vary in your setup; just use an HTTP tracer to find the right sequence of requests to be performed in JMeter.
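The simplified three-request scenario above, run against a small local mock, as an added example that is not part of the original post and is not JMeter configuration. The mock server, the `/app` and `/login.fcc` paths, the `USER` and `PASSWORD` field names and the test users are all constructed assumptions; the cookie jar stands in for the HTTP Cookie Manager and urllib's redirect handling for "Follow Redirects".

```python
import threading, urllib.parse, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"testuser1": "pw1", "testuser2": "pw2"}  # constructed pool of test users

class MockAgent(BaseHTTPRequestHandler):
    """Constructed stand-in: /app is protected, /login.fcc is the login resource."""
    def log_message(self, *args):  # keep the console quiet
        pass

    def _send(self, code, body=b"", **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path.startswith("/login.fcc"):
            self._send(200, b"login form")
        elif "SMTOKEN=" in self.headers.get("Cookie", ""):
            self._send(200, b"protected content")
        else:  # no session yet: redirect to the login page
            self._send(302, Location="/login.fcc")

    def do_POST(self):
        raw = self.rfile.read(int(self.headers["Content-Length"])).decode()
        form = {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}
        if form.get("USER") in USERS and USERS[form["USER"]] == form.get("PASSWORD"):
            self._send(302, Location="/app", Set_Cookie="SMTOKEN=constructed; Path=/")
        else:  # bad credentials: back to the login page, no session cookie
            self._send(302, Location="/login.fcc")

def run_scenario(user, password, cookies=True):
    """Run the three requests; return the bodies of the first and third."""
    server = HTTPServer(("127.0.0.1", 0), MockAgent)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    # The cookie jar plays the HTTP Cookie Manager; urllib follows redirects itself.
    jar = [urllib.request.HTTPCookieProcessor(CookieJar())] if cookies else []
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), *jar)
    creds = urllib.parse.urlencode({"USER": user, "PASSWORD": password}).encode()
    try:
        first = opener.open(base + "/app").read()            # ends on the login page
        opener.open(base + "/login.fcc", data=creds).read()  # POST the credentials
        third = opener.open(base + "/app").read()            # passes if a session exists
        return first, third
    finally:
        server.shutdown()
        server.server_close()
```

Calling `run_scenario` with `cookies=False` shows the failure you get in JMeter when the HTTP Cookie Manager is missing: the third request lands on the login page again.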