Tuesday, 11 August 2015

Identity: Cloud for Sync vs AD FS

Lots of people using Office 365 seem to assume they just need AD FS.

What AD FS gives you primarily is Single Sign On. It also enables you to connect your Office 365 to a number of other cloud services provided by Microsoft, like CRM and Azure.

But AD FS has a cost. To get this benefit you need to build a 5 server farm, with load balancers.

This server farm will create a number of single points of failure: load balancers, firewalls, web servers (2 of them) and AD FS servers (2). You need to create and manage these servers.

Now if you use simple sync, using AADS or AADC or whatever it will be called when you read this, you need only one server, and all it does is update identities from AD, including sending a HASH or a HASH of the password.

So what is the difference for users? In the worst case without AD FS 2, your users log in to their computer, then open the web page and log in again with the same credentials. The worst case is that they need to log in twice. Normally users just save their passwords, so they only need to enter them when they change browsers or machines, or when their password changes.

From a user perspective you get maybe 10 re-entries of a password THEY MUST KNOW to get on their computer in the first place. With Federation you get rid of those 10 actions a year, actions the staff will know how to manage in every case, at the cost of a single point of failure, 5 boxes and 2 load balancers.

Frankly, it's hard to make the case.

If management demands SSO, I would suggest you go over the facts above and point out that services like Twitter, Facebook, Hotmail, Gmail, Instagram, and Snapchat work across devices without Single Sign On.

You will save money and effort by treating Office 365 as what it is: a Cloud tool.
