Yes - that's exactly right. In federated environments, the authentication itself is performed by the "identity provider" (IP). It the creates a token which is signed and forwarded to the consumer who trusts it. It means the app and WAAD don't do the password management. That is done by the folks who know it best - the IT admins INSIDE your organisation. If somebody forgets their password, they get it changed in AD. If somebody leaves the org, when you disable their account in AD, they are automatically locked out of not only the AD-integrated environments, but also the environments that are federated with the local AD - such as WAAD based apps.
There's a video which describes the process (using the "old" Ofice 365 directory and apps - exactly the same principles though) here: