Moving to the cloud is a big decision, but you definitely won’t be alone in that sky if you decide to make the move. It has become the attractive way to
manage IT infrastructure and service costs for the future. Microsoft Office 365 (O365) is one of the most popular clouds that organizations large and small
are picking as their destination. O365 could be your best friend. You can offload a vast array of complex administration responsibilities. Just sign a
single monthly contract, and much of the pain of managing Exchange, SharePoint, and Lync automatically becomes somebody else’s job.
A question I’m commonly asked by companies planning their move to O365 is about Single Sign-On (SSO) options. If you’re going down this path, then this
article will be a big help for you and point you to some more in-depth reading to help you make your decision.
Option 1: Using Active Directory Federation Services
This first option is Microsoft's own federation technology, Active Directory Federation Services (ADFS), which first shipped as part of Windows Server 2003 R2. ADFS is a claims-based federation service: it authenticates users against Active Directory and issues signed security tokens that a separate organization or application has been configured to trust, which is how SSO into a partner's web applications (across two unrelated AD forests) has traditionally been done. Microsoft now offers ADFS as the way to get the same SSO capability with O365: the O365 tenant is configured to trust your ADFS instance, and users from the federated domain are redirected to it to sign in.
This implementation, however, comes at a high cost and brings a long-term, on-premises support responsibility. It is also quite a complex solution; take a peek at the Microsoft online documentation for deploying ADFS with O365 and you can quickly get mired in its details.
I have done quite a few ADFS deployments with O365, and I can say that once it is up and running, ADFS works quite well. But there are some serious downsides, which I've listed for you:
Downsides of ADFS:
Is complex to set up
Requires directory synchronization (Microsoft Active Directory Synchronization, MS DirSync) in addition to ADFS, because ADFS only handles authentication; the user objects still have to exist in Azure AD
Requires at least 3 dedicated servers on-premises: 2 for ADFS (a federation server inside the network and a federation proxy in the DMZ) and 1 for MS DirSync
Requires at least 5 dedicated servers on-premises for true High Availability (HA) and Fault Tolerance (FT): 4 for ADFS (2 federation servers and 2 proxies) and 1 for MS DirSync
Requires the purchase of a publicly trusted SSL certificate for the federation service name (O365 itself calls your ADFS endpoint for rich-client sign-in, so a private-CA certificate will not do), and the token-signing certificate that O365 trusts has to be tracked separately: when it rolls over, the new certificate must be pushed to the tenant with Update-MsolFederatedDomain or sign-in breaks
Requires regular maintenance, monitoring, and upkeep of these servers, along with any other servers in your on-premises environment
Creates a dependency on the uptime and availability of systems within the on-premises environment in order to sustain connectivity/communication with your email and collaboration environments
NOTE: If a component of your ADFS environment is down or offline, your users will not be able to access their mailboxes (email/calendars/contacts,
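The availability and certificate points above are the ones that bite after go-live, so here is a check you can schedule. This is an added example, not code from the original article; it assumes (hypothetically) that the ADFS farm is published as sts.contoso.com, that contoso.com is the federated domain, and that the MSOnline module is installed with a Connect-MsolService session already open.

```powershell
# Added example (not from the article). Checks the on-premises pieces that O365
# sign-in depends on once a domain is federated with ADFS. sts.contoso.com and
# contoso.com are hypothetical names.

function Get-FederationSigningCertificate {
    # ADFS publishes its token-signing certificates in FederationMetadata.xml under
    # <KeyDescriptor use="signing">. These are what O365 uses to validate the tokens
    # it receives; they are separate from the SSL certificate on the endpoint.
    param([Parameter(Mandatory)][xml]$Metadata)
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    Select-Xml -Xml $Metadata -Namespace $ns `
        -XPath "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
      ForEach-Object {
        $der = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
      } | Sort-Object Thumbprint -Unique
}

function Test-AdfsDependencies {
    param(
        [Parameter(Mandatory)][string]$StsHost,
        [Parameter(Mandatory)][string]$DomainName,
        [int]$WarnDays = 30
    )
    $r = [ordered]@{ StsHost = $StsHost; Domain = $DomainName }
    $metadataUrl = "https://$StsHost/FederationMetadata/2007-06/FederationMetadata.xml"

    # 1. Reachability. Browsers (WS-Federation) and Outlook (WS-Trust) both end up
    #    here, so an unreachable STS means no mailbox access for federated users.
    try {
        $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -TimeoutSec 15
        $r.MetadataReachable = $true
    } catch {
        $r.MetadataReachable = $false
        $r.Error = $_.Exception.Message
        return [pscustomobject]$r
    }

    # 2. Token-signing certificate expiry, as published by the farm.
    $farmCerts = Get-FederationSigningCertificate -Metadata ([xml]$resp.Content)
    $r.FarmSigningThumbprints = @($farmCerts | ForEach-Object Thumbprint)
    $r.SigningDaysLeft = ($farmCerts |
        ForEach-Object { [int]($_.NotAfter - (Get-Date)).TotalDays } |
        Measure-Object -Minimum).Minimum
    $r.SigningExpiringSoon = $r.SigningDaysLeft -lt $WarnDays

    # 3. Does the tenant still trust the certificate the farm actually signs with?
    #    After a certificate rollover the two drift apart until
    #    Update-MsolFederatedDomain is run, and sign-in fails in the meantime.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $cloudCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    $r.TenantTrustsThumbprint  = $cloudCert.Thumbprint
    $r.TenantTrustsCurrentCert = $r.FarmSigningThumbprints -contains $cloudCert.Thumbprint
    $r.ActiveLogOnUri = $fed.ActiveLogOnUri
    [pscustomobject]$r
}

Test-AdfsDependencies -StsHost 'sts.contoso.com' -DomainName 'contoso.com' | Format-List
```

Run it from a machine that can reach the proxy from the outside (that is the path O365 and your mobile users take), not from inside the network where the internal federation server answers; a green result from the wrong side of the firewall proves nothing about the DMZ proxy.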
Option 2: DirSync tool with Password Sync enabled
You might be wondering how to avoid the downsides of ADFS and still let your user community log in to O365 with the same password they use for on-premises applications. There is another option, known as Password Sync.
Password Sync is a feature of DirSync and of its successor, the Microsoft Azure AD Sync tool. It synchronizes user password hashes from your on-premises Active Directory to Azure Active Directory (Azure AD), so your users can log in to Azure AD services (such as O365, CRM Online, etc.) with the same password they use to log in to your on-premises network. It is important to note that this is "same sign-on" rather than true SSO: the user still types the password at the O365 sign-in page, and there is no token sharing or exchange with the on-premises directory. But it works.
Using Password Sync, companies can reduce the on-premises server infrastructure that ADFS requires, and end users can still authenticate to O365 if the on-premises infrastructure goes down, because Azure AD validates the password itself.
The tradeoff is that a derivative of each user's password hash now lives in a directory you do not operate. What is synchronized is not the cleartext password, and not the raw NT hash either, but a salted SHA-256 digest of that hash, so the stored value cannot be replayed against on-premises AD. It does mean, however, that a weak password is just as guessable from a copy of the cloud directory as from a copy of the on-premises one. If that is an issue for your company's security considerations, then Option 3 might be a better option.
For more information on how to install and configure DirSync with Password Sync, please see O365 – Directory Synchronization
If you currently have ADFS installed for your O365 environment to provide SSO and want to learn more about how to switch to Password Sync, go to: http://social.technet.microsoft.com/wiki/contents/articles/17857.aad-sync-how-to-switch-from-single-sign-on-to-password-sync.aspx
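The switch described in that wiki article boils down to one cmdlet, plus the checks around it that the wiki's warnings imply. The script below is an added example, not code from the original article or from the TechNet wiki; it assumes (hypothetically) the MSOnline module with an open Connect-MsolService session, a federated domain contoso.com, and a synced user jdoe@contoso.com used as the verification probe.

```powershell
# Added example (not from the article or the linked wiki). Converts a federated
# O365 domain back to a managed domain that authenticates with synced password
# hashes, and verifies the result. contoso.com and jdoe@contoso.com are hypothetical.

function Convert-FederatedDomainToPasswordSync {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$PasswordFile,
        [Parameter(Mandatory)][string]$VerifyUpn
    )
    $before = Get-MsolDomain -DomainName $DomainName
    if ($before.Authentication -ne 'Federated') {
        throw "$DomainName is already '$($before.Authentication)'; nothing to convert."
    }

    # Password Sync must already be enabled and have completed a full cycle, or users
    # are locked out between the conversion and the first hash arriving. A probe user
    # that has never been synced at all proves the sync cannot be working yet.
    $probe = Get-MsolUser -UserPrincipalName $VerifyUpn
    if (-not $probe.LastDirSyncTime) {
        throw "$VerifyUpn has never been synced; enable DirSync with Password Sync before converting."
    }

    # Keep the federation settings. Once the domain is Managed the tenant no longer
    # holds the IssuerUri and signing certificate, and you need them to roll back.
    $backupPath = "$DomainName.federation.backup.xml"
    Get-MsolDomainFederationSettings -DomainName $DomainName | Export-Clixml -Path $backupPath

    # The conversion itself. Every user in the domain is switched from federated to
    # cloud-authenticated; -PasswordFile receives temporary passwords for any user
    # whose synced hash is not yet present. Treat that file as a secret and delete it.
    Convert-MsolDomainToStandard -DomainName $DomainName -SkipUserConversion $false -PasswordFile $PasswordFile

    $after = Get-MsolDomain -DomainName $DomainName
    $user  = Get-MsolUser -UserPrincipalName $VerifyUpn
    [pscustomobject]@{
        Domain                      = $DomainName
        AuthenticationBefore        = $before.Authentication
        AuthenticationAfter         = $after.Authentication
        FederationBackup            = $backupPath
        VerifyUser                  = $VerifyUpn
        LastDirSyncTime             = $user.LastDirSyncTime
        LastPasswordChangeTimestamp = $user.LastPasswordChangeTimestamp
    }
}

Convert-FederatedDomainToPasswordSync -DomainName 'contoso.com' `
    -PasswordFile 'C:\temp\contoso-temp-passwords.txt' -VerifyUpn 'jdoe@contoso.com'
```

Do the conversion in a maintenance window: existing sessions are not affected, but every new sign-in after the cmdlet returns goes to Azure AD, and a user whose hash has not synced yet will only be able to log in with the temporary password from the file.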
Option 3: Using a third-party SSO provider
Some organizations are a bit leery about having their user IDs and password hashes synchronized with a hosted provider's directory, even if it is managed by Microsoft. For companies that want identity and access management controlled internally rather than in the cloud, third-party vendors offer solutions for purchase.
SecureAuth is an identity management and security vendor that I have followed for the past few years. Their flagship product, SecureAuth IdP, combines SSO with native two-factor authentication (2FA) in a single package, which the vendor positions as unique across platforms. This is a departure from the old-school approach of deploying and maintaining separate authentication and SSO products, an approach that simply doesn't work well in today's cloud and mobile world.
The SecureAuth solution integrates with an organization's on-premises AD and asserts authenticated identities to O365. This enables transparent SSO from the enterprise out to O365 and other network, web, cloud, and mobile applications, and it removes the need to synchronize password hashes to Azure AD: the credential is only ever checked on-premises, and O365 receives a signed token. SecureAuth IdP can assert identities to O365 via WS-Federation (browser sign-in) and WS-Trust (Outlook and other rich clients), and it can assert the same identities into applications that speak a different protocol, such as SAML.
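Whatever third-party IdP you pick, the tenant-side step is the same: tell O365 which issuer, endpoints and signing certificate to trust for the domain. The script below is an added example, not vendor or article code; it assumes (hypothetically) the IdP endpoints shown, a contoso.com domain, a .cer file holding the IdP's token-signing certificate, and an open Connect-MsolService session.

```powershell
# Added example (not from the article or any vendor). Federates an O365 domain with
# a third-party WS-Federation/WS-Trust identity provider. The idp.contoso.com
# endpoints, the domain and the certificate path are hypothetical.

function Set-ThirdPartyFederation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$IssuerUri,           # must match the issuer in the IdP's tokens
        [Parameter(Mandatory)][string]$PassiveLogOnUri,     # browser endpoint (WS-Federation)
        [Parameter(Mandatory)][string]$ActiveLogOnUri,      # rich-client endpoint (WS-Trust), called by O365 itself
        [Parameter(Mandatory)][string]$MetadataExchangeUri, # WS-Trust MEX endpoint
        [Parameter(Mandatory)][string]$SigningCertPath,     # public certificate only (DER or Base64 .cer)
        [string]$BrandName = 'Corporate SSO'
    )

    # The signing certificate is the trust anchor: whoever holds its private key can
    # mint tokens for any user in the domain. Load only the public half, and refuse a
    # certificate that is about to expire, because every sign-in stops when it does.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SigningCertPath)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        throw "Signing certificate $($cert.Thumbprint) expires $($cert.NotAfter); obtain the next certificate first."
    }

    # O365 redirects users to, and itself connects to, these URLs, so they must be HTTPS.
    foreach ($uri in $PassiveLogOnUri, $ActiveLogOnUri, $MetadataExchangeUri) {
        if (-not $uri.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "$uri is not HTTPS."
        }
    }

    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
        -IssuerUri $IssuerUri -FederationBrandName $BrandName `
        -PassiveLogOnUri $PassiveLogOnUri -ActiveLogOnUri $ActiveLogOnUri `
        -LogOffUri $PassiveLogOnUri -MetadataExchangeUri $MetadataExchangeUri `
        -SigningCertificate ([Convert]::ToBase64String($cert.RawData))

    # Read back what the tenant now trusts and compare it with the file we supplied.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $trusted = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($fed.SigningCertificate))
    [pscustomobject]@{
        Domain             = $DomainName
        IssuerUri          = $fed.IssuerUri
        PassiveLogOnUri    = $fed.PassiveLogOnUri
        ActiveLogOnUri     = $fed.ActiveLogOnUri
        TrustedThumbprint  = $trusted.Thumbprint
        MatchesSuppliedCer = ($trusted.Thumbprint -eq $cert.Thumbprint)
    }
}

Set-ThirdPartyFederation -DomainName 'contoso.com' `
    -IssuerUri 'https://idp.contoso.com/' `
    -PassiveLogOnUri 'https://idp.contoso.com/wsfed' `
    -ActiveLogOnUri 'https://idp.contoso.com/wstrust/usernamemixed' `
    -MetadataExchangeUri 'https://idp.contoso.com/wstrust/mex' `
    -SigningCertPath 'C:\certs\idp-signing.cer'
```

The domain being federated cannot be the tenant's initial onmicrosoft.com domain, and the IdP must issue tokens carrying the user's ImmutableID and UPN for the synced account, which is why Option 3 still needs directory synchronization even though it does not sync password hashes. For an IdP that only speaks SAML 2.0, the same cmdlet takes -PreferredAuthenticationProtocol Samlp and the SAML endpoints instead of the WS-Federation ones.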
Weigh the options
The bottom line is that you should seriously weigh all of your options before investing in ADFS as part of your O365 SSO solution. Especially for small and medium-sized organizations, the better option may be DirSync with Password Sync, or a hosted model that provides SSO capabilities at a small cost and keeps password hashes out of the cloud altogether.
Further reading:
Plan for directory synchronization for Office 365
Office 365 DirSync Content Map
Using SecureAuth to provide SSO for O365