Finally, we see the flags in use for the wssecuritycredential-based credentials offered by the Exchange Managed API.
Looking at the trace, we see a message-level signature (over the headers). That is, we have a proof service based on assertion of the “cert” token type (rather than the SAML token type).
So how – for Exchange Online – does the cert thing work? What are the extensions? Are they supposed to be the claims that would have come via SAML tokens? Or is there a fixed cert bound to the (Exchange) user account, somehow?