Forum Discussion
So, I looked at the article and further PSSO definition, and I don't quite fully understand exactly how it works yet - but I am guessing that if ADFS sets the PSSO cookie and sends that claim to Azure AD, then Azure AD will be sending persistent cookies for SharePoint Online to the browser. Do you know if that is the case?
- MiLK_MaN, Dec 19, 2016 (Nimbostratus)
No idea. We were on a call with Microsoft, but unfortunately they only knew how to configure the ADFS portion and had no idea what transpires at a protocol level.
One of my colleagues did find this information which looks promising though:
http://schemas.microsoft.com/2014/03/psso">; true
Dug around looking to convert MS Claims to SAML; found a bunch of stuff but this was most interesting.
The customer is not keen for us to be experimenting in their environment, so would be great to get some information whether this would be the solution to their issue and whether anything needs to be done on the Azure side of things.
- Michael_Koyfma1, Dec 19, 2016 (Cirrus)
Yes, the problem is that it's from the WS-Trust format. Normally, AzureAD is consuming a SAML 1.1 payload wrapped in a WS-Trust wrapper; ultimately this is called WS-Fed. :)
So, I've tried to send similar attributes to them via SAML 2.0, and they are getting ignored and persistent SSO does not seem to happen. We need to find out from Microsoft whether they are capable of ingesting any SAML attributes when federating logon using SAML instead of WS-Fed.
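For checking a captured token while troubleshooting this, the following is an added example (not code from the thread or from Microsoft) that looks for the psso claim type in both token formats discussed above. The sample tokens are constructed, and the SAML 1.1 layout, with the claim URI split across AttributeNamespace and AttributeName, is an assumption about how the WS-Fed token is serialized. It only shows whether the claim is present, not whether Azure AD acts on it.

```python
import xml.etree.ElementTree as ET  # fine for captures you trust; use a hardened parser otherwise

PSSO = "http://schemas.microsoft.com/2014/03/psso"  # claim type quoted in the thread
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: SAML 1.1 assertion inside a WS-Trust wrapper (WS-Fed).
WSFED_SAMPLE = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
   <saml:AttributeStatement>
    <saml:Attribute AttributeName="psso" AttributeNamespace="http://schemas.microsoft.com/2014/03">
     <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

# Constructed sample: the same claim sent as a SAML 2.0 attribute.
SAML2_SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.microsoft.com/2014/03/psso">
    <saml:AttributeValue>true</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def _values(attr, ns):
    return [(v.text or "").strip() for v in attr.iter(f"{{{ns}}}AttributeValue")]

def find_claim(xml_text, claim_type=PSSO):
    """Return (token_format, values) for claim_type, or (None, []) if absent."""
    root = ET.fromstring(xml_text)
    # SAML 1.1: rebuild the full claim URI from namespace + name.
    for attr in root.iter(f"{{{SAML11}}}Attribute"):
        ns = attr.get("AttributeNamespace", "").rstrip("/")
        if f"{ns}/{attr.get('AttributeName', '')}" == claim_type:
            return "SAML 1.1 (WS-Fed)", _values(attr, SAML11)
    # SAML 2.0: the full claim URI is carried in the Name attribute.
    for attr in root.iter(f"{{{SAML20}}}Attribute"):
        if attr.get("Name") == claim_type:
            return "SAML 2.0", _values(attr, SAML20)
    return None, []
```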