Single Sign-on for Office 365: ADFS and alternatives

How to select the Single Sign-on option that's best for your organization

by Karl Sand on 3/28/2014


Applies to:
Active Directory, AD, ADFS, Microsoft Office 365, O365, SharePoint Online, SSO

Moving to the cloud is a big decision, but you definitely won’t be alone in that sky if you decide to make the move. It has become the attractive way to manage IT infrastructure and service costs for the future. Microsoft Office 365 (O365) is one of the most popular clouds that organizations large and small are picking as their destination. O365 could be your best friend. You can offload a vast array of complex administration responsibilities. Just sign a single monthly contract, and much of the pain of managing Exchange, SharePoint, and Lync automatically becomes somebody else’s job.

A question I’m commonly asked by companies planning their move to O365 is about Single Sign-On (SSO) options. If you’re going down this path, then this article will be a big help for you and point you to some more in-depth reading to help you make your decision.

Option 1: Using Active Directory Federation Services

This first option uses the federation service that Microsoft builds into Active Directory, namely Active Directory Federation Services (ADFS). Microsoft introduced ADFS as part of Windows 2003 R2. ADFS links two separate Active Directory domains (for example, your own and a partner's) so that users get simplified, SSO-based access to web-based systems and applications across that boundary. Microsoft now offers ADFS as a means to provide the same SSO capabilities with O365.

This implementation, however, comes at a high cost and brings a long-term, on-premises support responsibility. It is also quite a complex solution. Take a peek at the Microsoft online documentation for deploying ADFS with O365, and you can quickly get mired in its details.

I have done quite a few ADFS deployments with O365. I can say that once it’s up and running, ADFS works quite well. But there are some serious downsides, which I've listed for you:

Downsides of ADFS:

  • Is complex to set up

  • Requires you to use/integrate Microsoft Active Directory Synchronization (MS DirSync)

  • Requires at least 3 dedicated servers on-premises: 2 for ADFS and 1 for MS DirSync

  • Requires at least 5 dedicated servers on-premises for true High Availability (HA) and Fault Tolerance (FT): 4 for ADFS and 1 for MS DirSync

  • Requires the purchase of an SSL certificate

  • Requires regular maintenance, monitoring, and upkeep of servers, along with any other servers in your on-premises environment

  • Makes connectivity/communication with your email and collaboration environments dependent on the uptime and availability of systems within the on-premises environment

    NOTE: If a component of your ADFS environment is down or offline, your users will not be able to access their mailboxes (email/calendars/contacts, etc.)

Option 2: DirSync tool with Password Sync enabled

You might be wondering how to avoid the downsides of ADFS but still let your users log in to O365 with the same password they use for on-premises applications. There’s another option known as Password Sync.

Password Sync is a feature of the Microsoft Azure AD Sync tool that synchronizes user passwords from your on-premises Active Directory to Azure Active Directory (Azure AD). This feature enables your users to log in to their Azure AD services (such as O365, CRM Online, etc.) using the same password they use to log in to your on-premises network. It is important to note that this feature does not provide a true SSO solution, because there is no token sharing or exchange in the Password Sync-based process: the user still enters the password at the cloud sign-in page. But it works.

Using Password Sync, companies can reduce the on-premises server infrastructure requirements that come with ADFS and ensure that end users can still access and authenticate to O365 resources if on-premises infrastructure goes down.

The tradeoff is that your user passwords are moved to the cloud and stored in a third-party directory. If that is an issue for your company’s security considerations, then Option 3 might be a better option.

For more information on how to install and configure DirSync with Password Sync, please see O365 – Directory Synchronization Installation.

If you currently have ADFS installed for your O365 environment to provide SSO and want to learn more about how to switch to Password Sync, go to:
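Before deciding whether to keep ADFS or move to Password Sync, it helps to see which model each of your domains is on today. The following PowerShell check is an added example, not from this article or from Microsoft's documentation; it assumes the MSOnline module is installed and that you have already connected with Connect-MsolService as a tenant administrator.

```powershell
# Added example (not from the article): report which SSO model each Office 365
# domain currently uses. Assumes the MSOnline module and an open
# Connect-MsolService session. Read-only: nothing is changed.
Import-Module MSOnline

function Get-O365SsoPosture {
    # Tenant-wide directory sync and password sync state (Option 2 indicators)
    $company = Get-MsolCompanyInformation
    $dirSync = $company.DirectorySynchronizationEnabled
    $pwdSync = $company.PasswordSynchronizationEnabled

    foreach ($d in Get-MsolDomain) {
        # 'Federated' means sign-ins are redirected to an on-premises STS such as
        # ADFS (Option 1) or a third-party IdP (Option 3), so the domain inherits
        # that system's availability. 'Managed' means Azure AD verifies the
        # password itself; combined with DirSync + Password Sync that is Option 2.
        $model = switch ($d.Authentication) {
            'Federated' {
                $fed = Get-MsolDomainFederationSettings -DomainName $d.Name
                "Federated -> $($fed.PassiveLogOnUri)"
            }
            default {
                if ($dirSync -and $pwdSync) { 'Managed (DirSync + Password Sync)' }
                elseif ($dirSync)           { 'Managed (DirSync, cloud-only passwords)' }
                else                        { 'Managed (cloud-only identities)' }
            }
        }
        [pscustomobject]@{
            Domain         = $d.Name
            Status         = $d.Status
            Authentication = $d.Authentication
            SsoModel       = $model
            LastDirSync    = $company.LastDirSyncTime
            LastPwdSync    = $company.LastPasswordSyncTime
        }
    }
}

Get-O365SsoPosture | Format-Table -AutoSize
```

A domain that shows as Federated with a PassiveLogOnUri pointing at your own ADFS farm is the one whose mailboxes go dark when that farm is offline, as the NOTE under Option 1 describes.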

Option 3: Using a third-party SSO provider

Some organizations are a bit leery when it comes to having their user IDs and associated passwords synchronized with a hosted provider directory, even if it’s managed by Microsoft. For companies that want identity and access management controlled internally rather than in the cloud, third-party vendors offer solutions for purchase.

SecureAuth is a leading identity management and security solution provider that I’ve followed for the past few years. They have a flagship product called SecureAuth IdP, which is the only solution that combines true SSO with native 2-Factor Authentication (2FA) in a single package across all platforms. This is a radical departure from the old school approach to deploying and maintaining separate authentication and SSO products–an approach that simply doesn’t work well in today’s cloud and mobile world.

The SecureAuth solution integrates with an organization’s on-premises AD and can assert authenticated identities to O365. This enables transparent SSO from the enterprise out to O365 and other network, web, cloud, and mobile applications.

And this model removes the need to synchronize passwords with the cloud-based AD in O365. It’s a very full-featured security solution. Not only can SecureAuth IdP assert identities to O365 via WS-Federation and WS-Trust, but it can also assert the same identities into other applications that communicate differently, such as with SAML.

Weigh the options

The bottom line is that you should seriously weigh all of your options before investing in ADFS as part of your O365 SSO solution. Especially for small and medium-sized organizations, the better option may be a tool like DirSync with Password Sync, or a hosted model that provides SSO capabilities at a small cost and doesn’t expose you to the security ramifications of synchronizing user passwords to the cloud.

Additional Reading:

Plan for directory synchronization for Office 365

Office 365 DirSync Content Map

Using SecureAuth to provide SSO for O365
