RP sites cooperating with Azure AD (the “new ACS”)


Completing a web form project, using an organizational id (proxied to our STS by the IDP-proxying element of Office's Azure AD service).

Note the “common” IDP endpoint. Note the realm name (tuned to our verified domain). Note the client id/password pair, presumably for OAuth refresh-token handling.

Note that, having “assigned” our app to a “management point”, the web form shows the user's view. And note how, unlike traditional SSO, there is a signup for organizations wanting to be one of the n IDPs supporting their user base's access to this “managed application”.


We can guess that this “management point” Azure AD, and its graph entities in particular, is what guards WHICH IDPs (also on Azure AD/Office) can sign up.
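Because the RP trusts the tenant-agnostic “common” endpoint, the token it gets back can come from any Azure AD tenant, so the RP itself has to pin the issuer/tenant to the organizations that were admitted. The following is an added example (not code from the post or from Microsoft): the client id, allowed tenant list and sample claims are constructed placeholders, and it assumes the token signature has already been verified.

```python
# Added example: post-signature claim checks for an RP that signed in users via
# the "common" Azure AD endpoint. CLIENT_ID and ALLOWED_TENANTS are constructed.
import re
from urllib.parse import urlencode

COMMON_AUTHORITY = "https://login.microsoftonline.com/common"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"          # constructed placeholder
ALLOWED_TENANTS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}  # tenants that signed up

# Documented issuer shapes: v1 tokens use sts.windows.net/<tid>/, v2 tokens use
# login.microsoftonline.com/<tid>/v2.0. Either way the tenant id is captured.
ISSUER_RE = re.compile(
    r"^https://(?:sts\.windows\.net/(?P<t1>[0-9a-f-]{36})/"
    r"|login\.microsoftonline\.com/(?P<t2>[0-9a-f-]{36})/v2\.0)$"
)


def authorize_url(redirect_uri: str, state: str) -> str:
    """Build the sign-in request against the tenant-agnostic 'common' endpoint."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return f"{COMMON_AUTHORITY}/oauth2/authorize?{urlencode(params)}"


def tenant_from_issuer(iss: str):
    """Return the tenant id embedded in a well-formed Azure AD issuer, else None."""
    m = ISSUER_RE.match(iss)
    return (m.group("t1") or m.group("t2")) if m else None


def accept_claims(claims: dict) -> bool:
    """Checks an RP must still do after signature verification when it used 'common'."""
    tid = tenant_from_issuer(claims.get("iss", ""))
    if tid is None or tid != claims.get("tid"):
        return False                       # issuer malformed, or tid disagrees with it
    if tid not in ALLOWED_TENANTS:
        return False                       # organization never signed up with us
    if claims.get("aud") != CLIENT_ID:
        return False                       # token was minted for a different app
    return True
```

Without the tenant check, any organization with an Azure AD tenant could present a perfectly valid token to this RP; the “management point” may gate who can sign up, but the RP should enforce the same list on every token.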


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in SSO.