The comparisons in this article seem a bit off to me, namely between options 1 and 3. First, the lack of downsides to option 3. As an onsite solution, it has the same hardware-dependent issues as ADFS if you're concerned about HA/FT. Also, you list requirements that aren't requirements. In the simplest config, using a proxy server isn't a hard requirement, just a recommendation. Nor does dirsync need a physical dedicated box. It does very little in 3-hour intervals. So stack it or virtualize. Also, this article was published after MS allowed it to run directly from a DC. Unless SecureAuth supports running directly from the DC, it doesn't seem like there is any deployment advantage over ADFS, which is free if you're already running Windows Server.