How to implement SAML SSO

The way this works is that, after authenticating the user, the SAML identity provider (IdP) renders a form to the browser containing the SAML response - the form's 'action' (i.e. target) is the service provider (SP). In the HTML, there is a JavaScript onLoad event that submits the form, so the net effect is that the user is automatically taken from the IdP to the SP, SAML response in hand.

The only time a user would have to click anything to submit the form is if they have JavaScript disabled. In this case, SAML implementations typically provide a message with a button to press in the <noscript> tag.

For more detail see this article I wrote a few years ago - but note, 'Lightbulb' is long obsolete now - for PHP SAML see simpleSAMLphp.

It's a shame your client wants to use CA SiteMinder - the open source OpenAM (formerly known as OpenSSO) does this pretty easily.
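The IdP-to-SP handoff described above, as an added example that is not part of the original answer or of any product mentioned in it: both ends of the HTTP-POST binding in Python, the IdP's auto-submitting form (with the noscript fallback) and the SP's decoding and basic checks of the posted value. It assumes the placeholder ACS URL and the constructed, unsigned sample response embedded in the code; XML signature verification is assumed to be done by a SAML library and is not shown.

```python
import base64, html
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://sp.example.com/acs"  # placeholder SP endpoint, not a real one
# Constructed, unsigned sample response; a real IdP signs it (XML-DSig).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.com/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Conditions NotOnOrAfter="2024-01-01T00:05:00Z"/></saml:Assertion></samlp:Response>"""
AT_TIME = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the validity window

def encode_response(xml):  # the POST binding carries the XML as base64
    return base64.b64encode(xml.encode()).decode()

def render_post_binding_form(acs_url, xml, relay_state=None):
    """IdP side: the auto-submitting page. Every value is HTML-escaped so a RelayState
    the IdP echoes back cannot inject markup; <noscript> is the no-JavaScript fallback."""
    fields = [("SAMLResponse", encode_response(xml))]
    if relay_state is not None:
        fields.append(("RelayState", relay_state))
    inputs = "\n".join(f'<input type="hidden" name="{n}" value="{html.escape(v, quote=True)}"/>'
                       for n, v in fields)
    return (f'<html><body onload="document.forms[0].submit()">\n'
            f'<form method="post" action="{html.escape(acs_url, quote=True)}">\n{inputs}\n'
            '<noscript><p>JavaScript is disabled; press the button to continue.</p>\n'
            '<input type="submit" value="Continue"/></noscript>\n</form></body></html>')

def check_posted_response(encoded, expected_acs_url, now=None):
    """SP side: decode the posted value and run the non-cryptographic checks; returns the
    problems found. Signature verification is still mandatory and is left to a SAML library."""
    root = ET.fromstring(base64.b64decode(encoded, validate=True))
    problems = []
    if root.tag != f"{{{NS['samlp']}}}Response":
        problems.append("top-level element is not samlp:Response")
    if root.get("Destination") != expected_acs_url:
        problems.append("Destination does not match our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("StatusCode is not Success")
    now = now or datetime.now(timezone.utc)
    for cond in root.findall("saml:Assertion/saml:Conditions", NS):
        if (e := cond.get("NotOnOrAfter")) and datetime.fromisoformat(e.replace("Z", "+00:00")) <= now:
            problems.append("assertion NotOnOrAfter is in the past")
    return problems
```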


This article explains it very well. There are examples for different platforms too.