Federating Office 365 — an ADFS Alternative

So you have finally taken the plunge and decided to adopt Office 365. But as you embark on the Software-as-a-Service (SaaS) journey you come to realize that, as you adopt more and more SaaS applications, managing all these different logins could turn into a nightmare in the future. Not only would you have to touch each application when a new employee starts, but more importantly when an employee leaves.

You start asking yourself questions like: how do I turn off access to all of these cloud applications the day someone leaves, how do I reclaim the licenses from employees who have already left, and how do I deliver full "lifecycle management" for my users' identities?

So you look around and you come across some articles that talk about how you can federate your SaaS applications including Office 365, and some are talking about using Microsoft Active Directory Federation Service aka ADFS. Great, you found the solution to your problem, the answer to your prayers…but once you start digging in deeper you come to realize that deploying ADFS may not be what it’s cracked up to be.

And why’s that?  Well, while the premise behind ADFS may seem simple on paper, the reality is much more complicated.  Let me explain.

Deploying ADFS comes with a lot of limits and caveats. First, it requires substantial work, and you will incur additional expenses in licenses and hardware. It also has to run on Windows Server and depends on other Windows components to operate as expected. And most companies do not have the experience and expertise to deploy ADFS correctly without running the risk of missing a critical step, which you typically only discover when sign-in stops working for everyone at once.

For example, once you start reading through the requirements and steps needed to deploy ADFS, you may feel like you have bitten off more than you can chew (but don't take my word for it, read for yourself).

[Figure: ADFS topology]

But let me sum it up for you…

  • ADFS does not support automated account provisioning and de-provisioning into SaaS applications; it only issues tokens for accounts that already exist on both sides
  • ADFS is very complicated to deploy, with critical steps that can't be skipped but can be missed
  • It requires specific Windows Server software and can depend on other servers, such as SQL Server, once you outgrow the built-in Windows Internal Database
  • It requires expertise to deploy and maintain, including renewing certificates and pushing them to Office 365 before they expire
  • It ships with no catalog of preconfigured SaaS applications; every relying party trust and claim rule is configured by hand

The fact is, for a production deployment you will need at least four ADFS servers: two federation servers in your datacenter and two proxies (Web Application Proxy) in your DMZ. A single federation server and a single proxy will technically work, but then one box going down takes Office 365 sign-in down with it for every user, because federated domains no longer accept cloud passwords. That task alone can take days and sometimes weeks. Your ADFS servers need a configuration database; the Windows Internal Database is the default, and a SQL Server instance once you need more than a handful of farm nodes. Then you will need to deploy SSL certificates for the service name and manage the token-signing and token-decrypting certificates, which must be renewed and published to Office 365 before they expire or every sign-in fails. But there is more: now that you have deployed all the servers, certificates and additional software needed to get this working, you have to maintain it on an ongoing basis. That is expensive both financially and expertise-wise. And six months later, when you want to add another application to your carefully deployed ADFS setup, you come to realize that integrating SSO for an application such as Salesforce.com, Concur, AWS or any other SaaS app is almost the same large task as the original deployment, because each one is a separate relying party trust with its own claim rules and certificates.

I could go on for much longer, but I will spare you.

The good news is that there is an alternative. With the Centrify Identity Service you can federate your Office 365 with your on-premises Active Directory in under 5 minutes*.

[Figure: Centrify topology]

But don't just take my word for it, watch the video (below), where I ran an ADFS and a Centrify deployment side by side. Before setting up either Centrify or ADFS, I had configured the Office 365 domains (setting up DNS and enabling AD sync, which takes about 5-10 minutes*), and I had installed and configured the base Windows Server 2012 R2 machine on which I run the ADFS wizard. The same is true for the system on which I install the Centrify Cloud Connector, so that is only fair. Beyond that, it is a side-by-side comparison of Centrify and ADFS federating your on-premises AD with Office 365. See for yourself how far I got with the ADFS setup in the time it took me to federate my Office 365 tenant with Centrify and log into Office 365 using my Active Directory credentials.
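Whichever product issues the tokens, the thing you actually want to know after federating a domain is that Office 365 really is redirecting sign-ins to your identity provider (so that disabling the AD account really does cut off access) and that the signing certificate registered in the tenant is not about to expire, which is the single most common way a working federation breaks months later. The script below is an added example, not part of the original post or of any vendor's tooling. It assumes the MSOnline PowerShell module, a tenant administrator account, and uses `contoso.com` as a placeholder for your verified domain.

```powershell
# Added example (not from the original post): check that an Office 365 domain is
# federated and that the signing certificate Azure AD trusts is still valid.
# Assumptions: MSOnline module installed, tenant admin credentials available,
# and 'contoso.com' replaced with your own verified domain.

Import-Module MSOnline
Connect-MsolService                      # prompts for tenant admin credentials

$domainName = 'contoso.com'              # placeholder domain (assumption)

# 1. Is the domain federated at all? A 'Managed' domain means users still sign in
#    with cloud passwords, and disabling the AD account does not lock them out.
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Authentication -ne 'Federated') {
    throw "$domainName is '$($domain.Authentication)', not Federated: sign-ins are not going to your on-premises identity provider."
}

# 2. Where does Office 365 send users, and which certificate does it trust?
$fed = Get-MsolDomainFederationSettings -DomainName $domainName
"Issuer URI      : $($fed.IssuerUri)"
"Passive logon   : $($fed.PassiveLogOnUri)"   # browser (WS-Fed/SAML) sign-in endpoint
"Active logon    : $($fed.ActiveLogOnUri)"    # rich-client (WS-Trust) endpoint

# SigningCertificate is the base64 DER certificate registered in the tenant.
# If the STS rolls its token-signing certificate and nobody runs
# Update-MsolFederatedDomain, this is the copy that goes stale and breaks sign-in.
$certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$certBytes)
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Signing cert    : $($cert.Subject)"
"  thumbprint    : $($cert.Thumbprint)"
"  expires       : $($cert.NotAfter) ($daysLeft days from now)"
if ($daysLeft -lt 30) {
    Write-Warning "Token-signing certificate expires in $daysLeft days; roll it over and run Update-MsolFederatedDomain."
}
if ($fed.NextSigningCertificate) {
    "Next signing certificate is already published to the tenant (rollover staged)."
}

# 3. Is the federation endpoint reachable from outside the corporate network?
#    Run this from an Internet-connected host; this is the path the DMZ proxies exist for.
try {
    $meta = Invoke-WebRequest -Uri $fed.MetadataExchangeUri -UseBasicParsing -TimeoutSec 15
    "Metadata endpoint reachable: HTTP $($meta.StatusCode)"
} catch {
    Write-Warning "Federation endpoint $($fed.MetadataExchangeUri) not reachable: $($_.Exception.Message)"
}
```

Run it from a machine outside your network once after federating and then on a schedule; the expiry check is the part that pays for itself, since an expired token-signing certificate locks every federated user out of Office 365 at once.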

So, besides the obvious time savings and the ease of deployment with Centrify you are also gaining the following benefits:

  • SSO to Cloud and Mobile apps with a catalog of over 3,000 preconfigured applications.
  • Automated Account Management. Save time by automatically creating or updating user accounts, with role-based permissions provisioned across apps based on Active Directory group membership or upon Active Directory account creation. Prevent unauthorized access by automatically revoking access to all apps at once upon employee departure.
  • Context-aware, step-up authentication based on per-app policy. Apply multi-factor authentication with discrete per-app policy, global policy or combinations using SMS, email, voice or secure OTP.
  • Integrated Mobile Device and App Management. Secure and manage the devices used to access cloud and mobile apps through fully-integrated mobile device and app management capabilities. Push apps, policies, certificates, configuration profiles and more — and pull it all back when devices are lost or stolen.
  • Create accounts, automate app requests with workflows and revoke access from all devices when necessary — from a central control point.
  • Meet complex compliance requirements.

I can go on, but check out the video below, or visit our Office 365 solution page.