Since our Office 365 AAD tenant is also the directory bound to our Azure subscription, we were able to use the Active Directory "applications" configuration features, which set up such things as OAuth client secrets and the like.
We see the discovery phase:
recalling that this app is intended to work with others on the device (as shown by the display of charms, etc.).
Device screen photos – rather than screenshots – now follow:
Above, we see the IdP discovery page from Azure AD, Microsoft Online, and friends.
Above, we see our webSSO IdP's (first) user challenge screen.
Finally, we see that the IdP's HTML is good enough to adjust its layout (dynamically) as one reorients the device into portrait mode.
That's usable, Microsoft. I forgive you for CardSpace now!
Anyway, once one sets up a few rights on the IdP, it releases the SAML assertion back to Microsoft Online. The resulting screen is:
which finally gets us to an authenticated session at the app:
A quick look at the wire shows the OAuth + webSSO interaction that, via Microsoft Online's proxying of IdPs, talks to the tenant (BARS/8) of our realty IdP associated with a particular "authenticated domain". This had to be configured, thus:
The wire shows the final token:
where the JWT, whose middle element I decode from base64 using Fiddler, is:
One can even decode from base64 the inner "credentials" field of the JWT – whatever they are! With any luck, they allow multi-app logon/logoff, much as LiveIDs do.
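The Fiddler decoding above can be reproduced offline. The following is an added example, not code from the original post or from Microsoft: it splits a compact JWT into its three dot-separated segments, restores the base64url padding that JWTs strip, parses the header and claims, and then decodes a claim whose value is itself base64 (the "credentials" field described above). The token, key, issuer, audience and claim values are all constructed for the demo; the real Microsoft Online token is presumably signed with an asymmetric key, and HS256 with a local key is used here only so the example is self-contained. The point a practitioner should take from it: decoding a JWT proves nothing about its authenticity, so the block also shows a tampered token that still decodes cleanly but fails signature verification.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in compact JWS/JWT serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * ((-len(segment)) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Split header.claims.signature and parse the JSON parts.

    No signature check is performed here: the result is for inspection
    (what Fiddler shows), not for making an authorisation decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "claims": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def decode_nested_b64(value: str):
    """Decode a claim whose value is itself base64 (standard or url-safe
    alphabet, padded or not). Returns parsed JSON if the payload is JSON,
    otherwise the raw bytes."""
    std = value.replace("-", "+").replace("_", "/")
    raw = base64.b64decode(std + "=" * ((-len(std)) % 4), validate=True)
    try:
        return json.loads(raw)
    except ValueError:
        return raw


def verify_hs256(token: str, key: bytes) -> bool:
    """Check an HS256 signature over 'header.claims' in constant time."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


# Assumption: a throwaway local HMAC key for the demo, not anything from the post.
DEMO_KEY = b"constructed-demo-key"


def make_demo_token() -> str:
    """Constructed sample token mirroring the shape described in the post:
    a JWT whose 'credentials' claim is itself base64-encoded JSON."""
    inner = json.dumps({"session": "sample-session-id",
                        "apps": ["mail", "calendar"]}).encode()
    claims = {
        "iss": "https://login.example.test/",  # assumption: placeholder issuer
        "aud": "example-app-id",               # assumption: placeholder audience
        "sub": "alice@example.test",           # assumption: placeholder subject
        "credentials": base64.b64encode(inner).decode("ascii"),
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_subject(token: str, new_sub: str) -> str:
    """Rewrite the 'sub' claim while keeping the original signature: this
    still decodes, which is exactly why decoding is not verification."""
    parts = token.split(".")
    claims = json.loads(b64url_decode(parts[1]))
    claims["sub"] = new_sub
    return parts[0] + "." + b64url_encode(json.dumps(claims).encode()) + "." + parts[2]


def inspect(token: str) -> dict:
    """Everything Fiddler would show, plus the decoded nested credentials."""
    decoded = decode_jwt_unverified(token)
    decoded["credentials_decoded"] = decode_nested_b64(decoded["claims"]["credentials"])
    return decoded


if __name__ == "__main__":
    tok = make_demo_token()
    print(json.dumps({k: v for k, v in inspect(tok).items() if k != "signature"}, indent=2))
    print("genuine verifies:", verify_hs256(tok, DEMO_KEY))
    forged = forge_subject(tok, "mallory@example.test")
    print("forged decodes as:", decode_jwt_unverified(forged)["claims"]["sub"])
    print("forged verifies:", verify_hs256(forged, DEMO_KEY))
```

Run it as a script to see the decoded header, claims and inner credentials, followed by the verification results for the genuine and forged tokens. Anything in the "credentials" blob should be treated the same way: readable on the wire does not mean trustworthy until the outer signature has been checked against the issuer's key.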