Azure AD gatewaying a Windows 8 app's OAuth to US realty IDPs, via (WS-Fed passive) webSSO

We built our first Windows 8.1 app, based on the sample code from “nick”. The app loads, and its OnNavigating event handler triggers a login routine. Bound to a (server-side JavaScript) backend API for mobile data, the app performs an OAuth2 handshake against the OAuth endpoints of our (Office 365-related) Azure AD tenant.

Since our Office 365 Azure AD tenant is also the directory bound to our Azure subscription, we were able to use the Active Directory “applications” configuration features to set up such things as OAuth client secrets.

We see the discovery phase:


Recall that this app is intended to work alongside others on the device (as shown by the display of the charms bar, etc.).

Photos of the device screen, rather than screenshots, now follow:


Above, we see the IDP discovery page, from Azure AD, Microsoft Online, and friends.


Above, we see our webSSO IDP's (first) user challenge screen.


Finally, we see that the IDP's HTML is good enough to adjust its layout dynamically as one rotates the device into portrait mode.

That's usable, Microsoft. I forgive you for CardSpace, now!

Anyway, once one sets up a few rights on the IDP… it releases the SAML assertion back to Microsoft Online. The resulting screen is



which finally gets us to an authenticated session at the app:



A quick look at the wire shows the OAuth + webSSO interaction that, via Microsoft Online's proxying of IDPs, talks to the tenant (BARS/8) of our realty IDP associated with a particular “authenticated domain”. This had to be configured thus:




The wire shows the final token:


where the JWT, whose middle element (the payload) I decode from base64 using Fiddler, is


One can even decode from base64 the inner “credentials” field of the JWT – whatever that is! With any luck, it allows multi-app logon/logoff, much as Live IDs do.
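As an added example (not from the original post, and not Microsoft's or the app's code), the following Python does what Fiddler's base64 decoder was used for above: it splits a JWT into header, payload and signature, decodes the payload, and then tries to unwrap any claim, such as the “credentials” field, that is itself base64-encoded JSON. The token it decodes is constructed inline with hypothetical claim values (the issuer GUID, audience, upn and the inner "realm"/"sso_session" fields are all made up) and random bytes in place of an RS256 signature. The caveat it demonstrates is that decoding is not verification: a payload rewritten in transit still decodes cleanly, so anything that relies on the token's claims must check the signature against the issuer's published keys, which this example deliberately does not do.

```python
# Added example, not code from the original post: decode a JWT's segments the
# way one would in Fiddler, and unwrap a nested base64-encoded JSON claim such
# as the "credentials" field. Decoding is NOT verification: the signature
# segment is carried along but never checked here.
import base64
import json
import os


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * ((-len(segment)) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url (JWT segment form)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _std_b64_decode(value: str) -> bytes:
    """Standard-alphabet base64 with padding restored (nested claims are often this form)."""
    return base64.b64decode(value + "=" * ((-len(value)) % 4))


def try_decode_nested(value):
    """Return parsed JSON if a string claim is itself base64/base64url-encoded JSON, else None."""
    if not isinstance(value, str) or len(value) < 4:
        return None
    for decoder in (b64url_decode, _std_b64_decode):
        try:
            raw = decoder(value)
            if raw.lstrip()[:1] not in (b"{", b"["):
                continue  # decoded bytes are not a JSON object/array, try the other alphabet
            inner = json.loads(raw)
        except (ValueError, UnicodeDecodeError):
            continue  # binascii.Error and JSONDecodeError are both ValueError subclasses
        if isinstance(inner, (dict, list)):
            return inner
    return None


def decode_jwt_unverified(token: str) -> dict:
    """Split header.payload.signature, decode header and payload, unwrap nested JSON claims.

    The signature is only measured, never validated: a wire-captured token that
    decodes cleanly tells you what the issuer asserted, not that the assertion is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments (header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    nested = {}
    for claim, value in payload.items():
        inner = try_decode_nested(value)
        if inner is not None:
            nested[claim] = inner
    return {
        "header": header,
        "payload": payload,
        "nested": nested,
        "signature_len": len(b64url_decode(parts[2])),
    }


def build_sample_token() -> str:
    """Constructed sample token: hypothetical claim values, random bytes instead of a real RS256 signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    credentials = {"realm": "bars8.example.com", "sso_session": "abc123"}  # hypothetical inner blob
    payload = {
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",  # hypothetical tenant
        "aud": "https://example.com/mobile-api",  # hypothetical audience
        "upn": "alice@example.com",
        "nbf": 1400000000,
        "exp": 1400003600,
        "credentials": base64.b64encode(json.dumps(credentials).encode()).decode(),
    }
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(os.urandom(256)),  # placeholder, not a signature over the first two segments
    ]
    return ".".join(segments)


def tamper_upn(token: str, new_upn: str) -> str:
    """Rewrite the payload's upn but keep the old signature: decoding alone will not notice."""
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["upn"] = new_upn
    return ".".join([head, b64url_encode(json.dumps(claims, separators=(",", ":")).encode()), sig])


if __name__ == "__main__":
    print(json.dumps(decode_jwt_unverified(build_sample_token()), indent=2))
```

Running the module prints the decoded header, payload and the unwrapped "credentials" object. The tamper_upn helper exists only to make the point concrete: swap the upn, keep the signature, and decode_jwt_unverified happily reports the forged identity, which is why the backend API must validate the signature (and iss, aud, nbf and exp) before trusting any claim.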


About home_pw

Computer programmer who often does network administration with a focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in Azure AD.