The demo iOS application, using the Microsoft open-source iOS ADAL library, does the following when talking to an IDP behind the microsoftonline FP:
We see the FP stack its request and issue its own request upstream to our IDP, where the response address (for the now-stacked request) is stored deep within the wctx stack. Note that the IDP has "to know" the response address for its own request, inferring it from the wtrealm value.
Above, we see an assertion being delivered to the FP, issued by the IDP in the name of UPNemail@example.com. This maps to an account in AAD, allowing the FP to assert to the waiting AAD ACS endpoint, which duly authenticates the user and lets AAD mint an authorization code that is delivered to the phone app:
which turns around and converts the code into a token set:
Now, our IDP itself used an STS, communicating with it using the WS-Trust 1.3 protocol. This confirmed the challenge parameters (of andy/1234). The WS-FedP IDP itself minted a local session and forms-auth cookie in the name of rapbroker (per the configuration of the IDP):
So, all in all, the phone called our IDP using the URI:
if a webview on the phone now navigates to
we see this request to the same IDP (acting upon the forms-auth cookie, now), and we see the IDP mint an assertion, now in the name of the (then-current) session holder, targeting the SP site that is NOT governed by the AAD regime (or US export rules, as projected globally by Microsoft).
Or we WOULD, were it not for the fact that the login view in the ADAL iOS toolkit is unlike the MSLogin code in the Azure mobile toolkit. The latter preserves cookies between calls to the login process (and to web views). The ADAL toolkit does not (since cookies and the like do not control the lifecycle of token refreshes). So let's figure out how to inject the cookies obtained via the webview launched by the ADAL library into the webview to which we redirect our app, post-login and token collection.
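To make that cookie hand-off concrete, here is an added example (not code from the original post, the ADAL library or the Azure mobile toolkit) that reads the IDP's cookies from the process-wide NSHTTPCookieStorage after the ADAL login completes and attaches them explicitly to the WS-Fed sign-in request loaded into our own webview. The host idp.example.com, the realm sp.example.com and the startAdalLogin method are assumed placeholders, not values from the post.

```objectivec
// Added example (not from the original post, ADAL or the Azure mobile toolkit):
// reuse the IDP forms-auth session after an ADAL login by reading the IDP's
// cookies from the shared cookie store and setting them on the request we
// load into our own webview. Host and realm values are placeholders.
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

static NSString *const kIdpHost = @"idp.example.com";   // assumed IDP host

// Return only the cookies the store would send to the IDP host. Cookies for
// other hosts (the FP, AAD, the SP) are excluded so they are never forwarded
// to a site that should not see them.
static NSArray *IdpSessionCookies(void) {
    NSHTTPCookieStorage *store = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    NSURL *idpURL = [NSURL URLWithString:
        [NSString stringWithFormat:@"https://%@/", kIdpHost]];
    return [store cookiesForURL:idpURL];
}

// Build a WS-Fed passive sign-in request (wa=wsignin1.0, wtrealm=<SP realm>)
// to the IDP with the IDP session cookies set explicitly on the request.
// Returns nil when no IDP cookie survived the ADAL login, so the caller can
// fall back to a fresh login rather than landing on a silent login prompt.
static NSURLRequest *SignInRequestReusingSession(NSString *spRealm) {
    NSArray *cookies = IdpSessionCookies();
    if (cookies.count == 0) {
        return nil;
    }
    // Percent-encode the realm for the query string; '&', '=' and '+' are
    // legal in a query but would split our own parameters, so encode them too.
    NSMutableCharacterSet *allowed =
        [[NSCharacterSet URLQueryAllowedCharacterSet] mutableCopy];
    [allowed removeCharactersInString:@"&=+"];
    NSString *realm =
        [spRealm stringByAddingPercentEncodingWithAllowedCharacters:allowed];
    NSString *urlString = [NSString stringWithFormat:
        @"https://%@/?wa=wsignin1.0&wtrealm=%@", kIdpHost, realm];
    NSMutableURLRequest *request =
        [NSMutableURLRequest requestWithURL:[NSURL URLWithString:urlString]];
    // Turn the cookie objects into a Cookie header and set it on the request,
    // so the webview sends the session even if its own jar was not populated.
    NSDictionary *cookieHeaders =
        [NSHTTPCookie requestHeaderFieldsWithCookies:cookies];
    [cookieHeaders enumerateKeysAndObjectsUsingBlock:
        ^(NSString *field, NSString *value, BOOL *stop) {
            [request setValue:value forHTTPHeaderField:field];
        }];
    return request;
}

// Usage from the view controller that owns the post-login webview:
//   NSURLRequest *request =
//       SignInRequestReusingSession(@"https://sp.example.com/");
//   if (request) {
//       [self.webView loadRequest:request];   // IDP acts on the existing session
//   } else {
//       [self startAdalLogin];                // hypothetical: rerun the ADAL flow
//   }
```

Whether an IDP cookie is present at all after the ADAL login depends on what ADAL's own webview left in the shared store, which is exactly the difference from MSLogin described above; the nil return is the check for that case. Scoping the lookup to the IDP host keeps the FP and AAD cookies out of the second request, so only the IDP ever sees the session it issued.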
We are not USING our token (for anything other than controlling the UI for login prompting, logout prompting and expiry handling).