I have found dozens of forum posts related to SharePoint 2013's app model and, in particular, the inability for claims to be passed to the separate domain that SP2013 applications run on.
For example, if I have portal.contoso.com, the "best practices" suggestions (especially related to security) are to create a separate app domain for hosting SharePoint applications (i.e. *.contosoapps.com rather than *.apps.contoso.com - a subdomain should not be used).
The problem with this whole app model is that it breaks SSO (single sign-on). In fact, it means that every app added to any page will cause an additional login prompt.
Some have suggested adding the *.contosoapps.com domain to the Intranet zone in Internet Explorer, but that is unacceptable in that it doesn't work for the internet.
Others have suggested that 99% of internet or public facing sites should be http and not require https/ssl, and I think those people are, honestly, clueless. Nowhere near 90%, let alone 70%, let alone 30% of SHAREPOINT sites should be using http for public facing sites. In fact, I would argue that 100% should be using SSL.
So, has this been fixed? If not, the new application model falls flat on its face - immediately - and becomes completely worthless.
NOTE: I have an ADFS 2.X server farm and all Internet sites authenticate using either Windows Authentication or via ADFS. The SharePoint farm has all the trust relationships set up, so what is the deal with this?
Why doesn't the SharePoint application model seem to use the claims passed within the web browser? Why can't the app model pass claims seamlessly? Or, it can... ??? How??
What is up here?
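An added illustration (not from the post, and not SharePoint code) of why the separate app domain breaks cookie-based SSO: using Python's standard cookie jar, a Secure session cookie scoped to .contoso.com is attached to requests for a subdomain such as apps.contoso.com, but never to *.contosoapps.com, and never over plain http. That same scoping rule is the isolation the separate-domain recommendation relies on. The cookie name FedAuth is the one SharePoint uses for its claims session cookie; the value and host names below are constructed.

```python
import http.cookiejar
import urllib.request


def make_session_cookie(domain, secure=True):
    # Constructed stand-in for the browser's claims session cookie
    # (SharePoint calls it FedAuth); the value here is made up.
    return http.cookiejar.Cookie(
        version=0, name="FedAuth", value="constructed-token",
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_is_sent(cookie_domain, url, secure=True):
    """True if a session cookie scoped to cookie_domain would be
    attached by the browser's cookie policy to a request for url."""
    jar = http.cookiejar.CookieJar()  # default policy = browser-like rules
    jar.set_cookie(make_session_cookie(cookie_domain, secure))
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)        # applies domain, path and Secure checks
    return req.get_header("Cookie") is not None


if __name__ == "__main__":
    # Cookie issued after logging in at https://portal.contoso.com
    portal_cookie = ".contoso.com"
    for url in ("https://portal.contoso.com/",          # sent
                "https://apps.contoso.com/",            # sent: subdomain
                "https://app-1234.contosoapps.com/",    # not sent: other domain
                "http://portal.contoso.com/"):          # not sent: Secure flag
        print(f"{url:40} -> {cookie_is_sent(portal_cookie, url)}")
    # The isolation works both ways: an app-domain cookie never reaches the portal.
    print(cookie_is_sent(".contosoapps.com", "https://portal.contoso.com/"))
```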