I swear I did this several months ago. Doing it today made a big mess (that I cannot fix).
1. In ACS, add Azure AD as an IdP, simply by referencing the metadata. Works fine.
2. In Azure AD, added an "integrated" app with an ACS URL namespace and relying party endpoint. Sort of works, but I'm not sure the registration even completed. Obviously ACS is intended to be the SAML SP, with Azure AD being the IdP (and MicrosoftOnline playing the role of ADFS).
3. In Visual Studio 2012, add a Web Forms project. Use the I&A tool, identifying the ACS namespace. Its magic registers an RP in ACS that notes AD as a potential IdP. Works fine.
4. Azure AD still won't verify my custom domain, hosted at GoDaddy (just like all 5 of my Office 365 custom domains hosting ADFS, etc.). So I'm stuck using a user provisioned in pingtest.onmicrosoft.com. But it works.
Web Forms -> ACS discovery page -> Azure AD -> microsoftonline.com (login as peter@pingtest.onmicrosoft.com) -> Azure AD **STOP**
Stop, because the ACS RP is not properly registered as the IdP's RP. It actually gives an ACS-coded warning (that is issued by Azure AD in reality). Basically, sort of properly, the Azure IdP refuses to assert on to ACS.
I'd expect this to work...
2.
What did work was the I&A tool auto-registering an http://localhost Web Forms site directly with the Azure AD IdP. Things worked all the way up and down the path.
I just played with pure web SSO. I didn't play with any directory specifics.
3. There was some VERY confusing stuff about having to register "integrated" apps under the domain name of a VERIFIED domain (also hosting an ADFS). This is very confusing. I suspect there is a concept leap going on that is befuddling me. An "APP" is not merely some SP in the open web.
Will Azure AD have the ability to simply assert to a classical SP (other than the obvious testing localhost), having simply exchanged metadata?