
infoTECH Feature

January 09, 2013

ADFS Exposed: The Reality About this Not-So-Simple Single Sign-On

By TMCnet Special Guest
Shahin Pirooz, Chief Security Officer and CTO, CenterBeam, Inc.

To make it easier for employees to access all their mission-critical applications in the cloud, many enterprises are turning to single sign-on solutions, one of the most widely deployed of which is Microsoft Active Directory Federation Services (ADFS).

While the premise behind ADFS seems simple, the reality is much more complicated. 

ADFS may not be the best fit for every company, so we’ll tell you how to determine if ADFS is right for you and, if it’s not, what you should look for in a vendor to meet your needs.

Limitations of ADFS

Single sign-on solutions, like ADFS, enable enterprise employees to log on once and use that authentication across all their services. ADFS authenticates users against the enterprise's existing Active Directory and then issues signed security tokens (SAML or WS-Federation claims) to each cloud service provider with which a federation trust has been established; the provider trusts those claims instead of holding its own copy of the user's password. While you may suspect that any company using Active Directory can benefit from ADFS, it's not necessarily true.

When deploying ADFS, there are a number of limits and caveats that require enterprises to do substantial work, incur additional expense and use specific software in order for it to operate as expected.

Implementing ADFS is complicated because a number of factors can prevent it from working correctly. Many companies do not have the resources to implement ADFS without skipping critical steps and there are few individuals who have the experience and expertise to ensure that it is deployed fully and properly.

For example, once you've built the ADFS infrastructure, you have to configure a relying party trust for each cloud application you want to connect, such as enterprise resource planning tools, and, if users will sign in from outside the corporate network, stand up federation server proxies in the perimeter network.

Then you'll need to deploy certificates properly to ensure that hosts interact correctly. ADFS relies on three: the service communication (SSL) certificate that clients and proxies connect to, the token-signing certificate that every relying party must trust, and the token-decrypting certificate. Each has an expiry date, and an expired or rolled-over token-signing certificate that the partner has not picked up breaks sign-on to that partner for everyone.

Additionally, you will need to set up layers of redundancy to prevent any single point of failure: more than one federation server in the farm behind a load balancer, more than one proxy, and a highly available configuration database. If ADFS has been implemented without this redundancy, all services with which you have federation will be inaccessible for all users should any of the required ADFS components fail.

To ensure redundancy with ADFS, enterprises will also have to invest in additional hardware and licensing.
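The three setup steps above (relying party trusts, certificates, redundancy) are also the three things that silently rot after go-live. The following health check is an added example written for this article, not code from the original author or from Microsoft; it assumes the ADFS PowerShell module shipped with Windows Server 2012 or later, is run on a federation server by an ADFS administrator, and uses placeholder node names. It lists each ADFS certificate with its expiry, flags any relying party trust that is disabled, and confirms that every farm node is reachable and running the federation service rather than trusting the load balancer to hide a dead node.

```powershell
# Added example, not part of the original article. Assumes the ADFS module
# (Windows Server 2012+). Node names below are placeholders.
Import-Module ADFS

$farmNodes = @('adfs01.corp.example', 'adfs02.corp.example')   # placeholder farm members
$warnDays  = 60                                                  # renewal warning threshold

# 1. Certificates: the token-signing certificate is what every relying party
#    trusts. If it expires, or rolls over before partners update, all
#    federated sign-on fails at once.
Get-AdfsCertificate | ForEach-Object {
    $daysLeft = ($_.Certificate.NotAfter - (Get-Date)).Days
    $flag = if ($daysLeft -lt $warnDays) { 'RENEW SOON' } else { 'ok' }
    '{0,-22} {1} primary={2} expires={3:yyyy-MM-dd} ({4} days) {5}' -f `
        $_.CertificateType, $_.Thumbprint, $_.IsPrimary, $_.Certificate.NotAfter, $daysLeft, $flag
}
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is off: schedule a manual rollover and notify every relying party.'
}

# 2. Relying party trusts: one per federated cloud application. A disabled
#    trust means that application's users cannot sign in.
Get-AdfsRelyingPartyTrust | ForEach-Object {
    $state = if ($_.Enabled) { 'enabled' } else { 'DISABLED' }
    '{0,-30} {1,-9} {2}' -f $_.Name, $state, ($_.Identifier -join ',')
}

# 3. Redundancy: check each farm member directly, not through the load
#    balancer, so a node that is down or has a stopped service shows up
#    before the second node also fails.
foreach ($node in $farmNodes) {
    $tcp = Test-NetConnection -ComputerName $node -Port 443 -WarningAction SilentlyContinue
    try {
        $svc = (Get-Service -Name adfssrv -ComputerName $node).Status
    } catch {
        $svc = "unknown ($($_.Exception.Message))"
    }
    '{0,-22} tcp443={1} adfssrv={2}' -f $node, $tcp.TcpTestSucceeded, $svc
}

# The federation metadata endpoint is what partners read the token-signing
# certificate from; fetching it through the service name proves the
# published path works end to end.
$fsName = (Get-AdfsProperties).HostName
$meta = Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
'metadata via {0}: HTTP {1}, {2} bytes' -f $fsName, $meta.StatusCode, $meta.RawContentLength
```

Run it before a token-signing rollover and again afterwards; the first section tells you which thumbprint partners must be told about, and the third section is the quickest way to confirm that "redundant" still means two working nodes rather than one node and a load balancer pointing at a corpse.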

Companies with fewer than 100 users may find that the time and effort required to build out ADFS is greater than the benefit. ADFS is best suited for larger enterprises, with the resources to deploy and manage it properly.

Is ADFS Right for You?

First and foremost, you have to decide if your company is large enough, and whether your IT staff has the experience needed to deploy ADFS correctly. While ADFS works well once it is set up, the burden of setup and ongoing maintenance falls squarely on the enterprise's own IT staff; there is no vendor operating it for you.

You’ll also have to consider your budget. Can you afford to implement ADFS properly, including the hardware and software licensing required for building in the needed redundancies? And finally, you’ll have to determine how business-critical the services for which you’ll be using single sign-on are. If a failure occurs, can you risk having all employees without access to e-mail, the sales team unable to access Salesforce or finance unable to process end-of-month reports because they cannot authenticate to Workday?

Seeking a Single Sign-On Alternative

If ADFS is not the right fit for your company, there are other vendors, such as Hitachi ID Systems, Okta, Ping Identity and Symplified, that offer single sign-on solutions for cloud applications, and open standards such as OpenID that several of them build on. As you evaluate potential vendors, you should consider:

  • Breadth of Applications Supported – Does the vendor have an open platform that supports the various vendors you use? Can you customize to gain accessibility to the applications?
  • Redundancy – How does the vendor build redundancy into their solution? Do they have replicated, redundant data centers?
  • Compliance – How does the vendor support any regulatory or corporate governance and compliance that you need to adhere to?
  • Cost – Will the identity/single sign-on solution cost more than a small fraction of your IT budget? Will you need to deploy any other hardware or software, or engage consultants, to ensure the solution works properly?
  • Transparency – From your employees’ perspectives, is the sign-on solution intuitive and transparent, so they do not have to “learn” yet another system and remember additional passwords to access needed applications?

It's clear that ADFS is not right for every company's identity needs because of its complexity, the level of expertise required for setting it up and maintaining it, and the extra hardware and software costs that can be incurred. By evaluating the applications your company uses and their importance in maintaining daily business operations, the level of IT skills in-house and your budget, you can debunk the myth that ADFS is the best and only choice, and find the identity management solution for your single sign-on needs.

Shahin Pirooz, chief security officer and chief technology officer at CenterBeam Inc., has a wealth of experience in operations management, account leadership, project management and customer relationship management. Shahin has deep technology expertise covering areas such as IT architecture (development, design, planning and implementation), as well as core tools, operating systems and programming languages. He's an active blogger for IBM and Computer Technology Review, and has contributed to Forbes, Virtual Strategy Magazine, Baseline and Enterprise Systems Journal, among others.

Edited by Braden Becker
