Symantec Access Management


Can we implement IDP and SP initiated flows using SharePoint Agent-12.52?

  • 1.  Can we implement IDP and SP initiated flows using SharePoint Agent-12.52?

    Posted Jan 04, 2015 12:15 PM

    Currently My SharePoint Agent is integrated with SharePoint-2010 and working with Claims mode.

     

    Here, I don't see any Trusted Consumer Service URL in the Legacy Federation Setup (automatically created by the SP Connection Wizard).

     

    It would be helpful if anyone could clarify the doubts below for me.

     

    1. What would be the Trusted Consumer Service URL in SharePoint 2010? If there is one, can we update this URL manually?

    2. Do we have something similar to RelayState here, to redirect users to a required destination?



  • 2.  Re: Can we implement IDP and SP initiated flows using SharePoint Agent-12.52?
    Best Answer

    Posted Jan 07, 2015 02:32 PM

    Hello Venga

     

    • SPS : Secure Proxy Server or CA Access Gateway.
    • SPAgent : SharePointAgent.
    • TIP : Trusted Identity Provider, configured in SharePoint.

     

     

    I think you are mixing too many points, buddy. Ideally I would prefer to keep each question nuclear, or on a separate thread.

     

    Let me try to break down the statements and then answer each one of them. It would have been good to have a working SPAgent; unfortunately I don't have one with me at the moment. So let me take a shot with what I remember.

     

     

    Can we implement IDP and SP initiated flows using SharePoint Agent-12.52?

    HUBERT] If I read this statement, it makes me feel you are asking a generic question, i.e. whether one could implement a federated solution using SPAgent. Technically, yes. SPAgent is nothing but CA Access Gateway (a.k.a. SPS) + customizations for SharePoint SSO. Now in SPS (and in SPAgent) we do ship "affwebservices". If we leave SharePoint out of the equation for a moment, yes, we can use the "affwebservices" shipped with SPS & SPAgent to perform the federation functions which a WAOP does. SPAgent is customized to a very large extent to suit SharePoint SSO. Therefore, NOTE: SPConnectionWizard is tailored to suit only the SharePoint SSO solution. One should not use SPConnectionWizard to configure generic SAML/WS-Fed federated SSO. More so, SPConnectionWizard only works with the Legacy Federation model and not with the Partnership model.

     

     

    I don't see any Trusted Consumer Service URL in Legacy Federation Setup (Automatically Created by SP Connection Wizard).

    HUBERT] Could you reconfirm the correct wording for me, please, as per SharePoint? Is it "Trusted Consumer Service URL"? Since it is being stated as "Trusted Consumer Service URL", I am inferring it to be on the SM side (as opposed to "Trusted Identity Provider URL" or "SignInURL", in which case I would have known it is on SharePoint). Are you referring to the "Security Token Consumer Service" URL in the Legacy model Resource Partner affiliate domain? I just need to get the facts correct before I place my comment, because I don't remember seeing any term in SharePoint SSO like "Trusted Consumer Service URL".

     

     

    What would be the Trusted Consumer Service URL in SharePoint-2010?

    HUBERT] I am still assuming you are referring to the "Security Token Consumer Service URL" and asking what that URL would be on the SharePoint side. There are a couple of URLs on SharePoint which get invoked on a claims-based SSO journey, i.e.

    /_Trust

    /_login

    It is one of these URLs which consumes the WS-Fed token sent by SPAgent and generates a FedAuth cookie. All this redirection happens automatically within SharePoint when using a TIP, hence we never had to specify anything on the SiteMinder side. If you look at the sequence of URIs using an HTTP sniffer tool, you'll know the answer.

     

     

    What would be the Trusted Consumer Service URL in SharePoint-2010? If yes, Can we update this URL Manually?

    HUBERT] I would prefer not to update this manually and let SharePoint take care of figuring out the return URL on its side, unless there are key reasons why one would want to force a return to a single URL, when SharePoint has a humongous number of URI/site patterns. When a user is randomly browsing pages on a SharePoint web portal and the FedAuth cookie (the SharePoint cookie) expires, SharePoint issues a redirect to the SignInURL configured on the TIP. When SharePoint builds the redirect URL to the TIP (i.e. SM/SPAgent), it automatically embeds a return URL. This allows SharePoint to decide, when the request returns from SM/SPAgent, what the end URL on the SharePoint side is. Hence on the SPAgent/SM side we do not have to manually hard-code a RelayState or Security Token Consumer URL. Since I do not have a SharePoint setup, I cannot confirm the exact query parameter; however, if you happen to see the redirect from SharePoint to SPAgent on sign-in, you'd see a lot of query parameters, e.g. wctx etc. One of those carries the returnURL value.

     

     

    Do we have something similar to RelayState here?? to redirect users to a required destination.

    HUBERT] I personally have not seen this in my exposure to SharePoint. However, if anything like that exists, I'd assume it is beyond the SiteMinder/SPAgent remit. SharePoint would build the returnURL and send it to SPAgent. So as long as SPAgent sends the request back without tampering with the values set by SharePoint, SharePoint would understand the values it set and take you to the desired page.

     

     

     

    Regards

     

    Hubert


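The round trip Hubert describes, as an added example that is not code from this thread, from CA/Symantec, or from Microsoft: SharePoint (the relying party, via its Trusted Identity Provider) redirects the browser to the TIP sign-in URL with the wanted page carried in the request, the IdP (SPAgent) posts a token back to SharePoint's /_trust/ endpoint echoing that context untouched, and SharePoint mints its FedAuth cookie and finishes the redirect from its own context value. The point the model makes is that nothing like a consumer URL or RelayState has to be configured on the IdP side. Assumptions not stated on the page: SharePoint uses the standard WS-Federation passive parameters wa / wtrealm / wctx, the token is consumed at /_trust/, and the hostnames, sign-in URL and token string are constructed sample values. The off-host check in sharepoint_consume is added hardening to show why the IdP must not rewrite wctx.

```python
# Added example (not from the original thread, CA/Symantec or Microsoft):
# a model of the WS-Federation passive sign-in round trip between SharePoint
# (relying party, via a Trusted Identity Provider) and an IdP such as SPAgent.
# Assumptions: standard WS-Fed parameters wa / wtrealm / wctx; token consumed
# at /_trust/; hostnames and token strings below are constructed samples.
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

REALM = "https://portal.example.com"               # constructed SharePoint web app (wtrealm)
TIP_SIGNIN_URL = "https://idp.example.com/signin"   # constructed TIP SignInURL (assumption)


def build_signin_redirect(requested_page: str) -> str:
    """SharePoint side: FedAuth cookie missing or expired, so redirect to the TIP.
    The page the user asked for rides along in wctx; the IdP configures nothing."""
    params = {"wa": "wsignin1.0", "wtrealm": REALM, "wctx": requested_page}
    return f"{TIP_SIGNIN_URL}?{urlencode(params)}"


def parse_signin_request(redirect_url: str) -> dict:
    """IdP side: pull the realm and the opaque context out of the incoming redirect."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a WS-Federation passive sign-in request")
    return {"wtrealm": q["wtrealm"][0], "wctx": q.get("wctx", [""])[0]}


def build_token_response(signin: dict, user: str) -> dict:
    """IdP side: after authenticating the user, auto-POST a token to the realm's
    /_trust/ endpoint, echoing wctx back unchanged. The token is a stand-in
    string, not a real SAML/WS-Fed token."""
    token = f"constructed-token-for:{user}"
    return {
        "action": signin["wtrealm"].rstrip("/") + "/_trust/",
        "fields": {"wa": "wsignin1.0", "wresult": token, "wctx": signin["wctx"]},
    }


def sharepoint_consume(response: dict) -> dict:
    """SharePoint side: /_trust/ consumes wresult, mints the FedAuth cookie and
    picks the landing page from its own wctx. The off-host check is added
    hardening: an IdP that edits wctx could otherwise steer the redirect."""
    if response["action"] != REALM.rstrip("/") + "/_trust/":
        raise ValueError("token posted to an endpoint other than /_trust/")
    fields = response["fields"]
    landing = fields["wctx"] or REALM + "/"
    if urlparse(landing).netloc != urlparse(REALM).netloc:
        raise ValueError(f"refusing to redirect off-host: {landing}")
    # Stand-in for the real FedAuth cookie, which is an encrypted session token.
    fedauth = hashlib.sha256(fields["wresult"].encode()).hexdigest()[:32]
    return {"set_cookie": f"FedAuth={fedauth}", "location": landing}


def round_trip(requested_page: str, tamper_wctx=None) -> dict:
    """Full journey. tamper_wctx simulates an IdP rewriting wctx on the way back."""
    signin = parse_signin_request(build_signin_redirect(requested_page))
    response = build_token_response(signin, user="alice")
    if tamper_wctx is not None:
        response["fields"]["wctx"] = tamper_wctx
    return sharepoint_consume(response)


def tampered_wctx_rejected(requested_page: str, tamper_wctx: str) -> bool:
    """True when SharePoint refuses a context the IdP altered to leave the realm."""
    try:
        round_trip(requested_page, tamper_wctx=tamper_wctx)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = round_trip(REALM + "/sites/hr/default.aspx")
    print(result["set_cookie"], "->", result["location"])
```

Run it as-is to see the user land back on the page that triggered the sign-in; the only value the IdP side ever touches is the token, which is why the SP Connection Wizard has no consumer-URL or RelayState field to fill in.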

  • 3.  Re: Can we implement IDP and SP initiated flows using SharePoint Agent-12.52?

    Posted Jan 08, 2015 08:44 AM

    Thank you very much, Hubert.

     

    It was really helpful.