Configured my AAD app to allow the testing app to invoke the “openid connect” flow:
The relevant trace of the client embedded in a webapp is:
The invoking webapp has the following (logically server-side) configuration,
which induces a token to be posted to the ACS of the webapp:
Note that this “really is” websso – in the absence of any auth code, etc.