
What is ADFS?

Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by
Microsoft. A server role in Windows Server, it provides users with authenticated access to
applications that cannot use Integrated Windows Authentication (IWA) against Active Directory
(AD), such as web applications outside the domain, by issuing claims-based tokens over standard
federation protocols (WS-Federation, SAML 2.0, and OAuth 2.0/OpenID Connect).

Developed to provide flexibility, ADFS gives organizations the ability to control their
employees’ accounts while simplifying the user experience: employees only need to remember a
single set of credentials to access multiple applications through SSO.

How does ADFS work?


ADFS acts as a security token service (STS) that sits between AD and the target application,
so the application never handles the user's AD password. A Federated Trust (a relying party
trust on the ADFS side) links ADFS and the target application: on ADFS it records the
application's identifier and the claim rules that decide which claims ADFS issues to it, and
the application in turn is configured with the ADFS token-signing certificate so it can verify
the tokens it receives. This lets users sign on to the federated application through SSO
without authenticating to the application directly.

The authentication process generally follows these four steps:

1. The user navigates to a URL provided by the ADFS service (in practice the application
   usually redirects the browser there when it finds no existing session).
2. The ADFS service authenticates the user against the organization's AD service.
3. Upon successful authentication, ADFS issues the user a signed token containing authentication
   claims (user identifier, group memberships and so on, as selected by the claim rules for
   that application).
4. The user's browser forwards this token to the target application, which verifies the
   signature, issuer and audience against the Federated Trust it holds and grants or denies
   access accordingly.
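The four steps above, as an added example that is not part of the original article and is not ADFS code: a toy federation server and relying party in Python. Real ADFS issues SAML or WS-Federation tokens signed with the farm's X.509 token-signing certificate; the HMAC signature, JSON token, in-memory directory and the issuer and application identifiers used here are assumptions made so the example runs offline. The point it shows is what the relying party side of the trust actually checks: signature (was this minted by the federation server I trust?), issuer, audience (was it minted for me, or for some other application?) and expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample directory standing in for Active Directory (step 2).
DIRECTORY = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse battery").hexdigest(),
        "email": "alice@example.com",
        "groups": ["Finance"],
    }
}


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag (stand-in for the X.509 signature)."""
    body = b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64(tag)


class FederationServer:
    """The ADFS role: authenticates against the directory and issues claims tokens."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.signing_key = signing_key
        self.relying_parties = {}  # identifier -> claims the trust says to issue

    def add_relying_party_trust(self, identifier: str, issued_claims: list):
        self.relying_parties[identifier] = issued_claims

    def authenticate(self, username: str, password: str):
        user = DIRECTORY.get(username)
        if user is None or hashlib.sha256(password.encode()).hexdigest() != user["pw_hash"]:
            return None
        return user

    def issue_token(self, username: str, password: str, audience: str, ttl: int = 300):
        """Steps 2 and 3: authenticate, then mint a token scoped to one relying party."""
        if audience not in self.relying_parties:
            raise ValueError(f"no relying party trust for {audience}")
        user = self.authenticate(username, password)
        if user is None:
            return None
        now = int(time.time())
        claims = {"iss": self.issuer, "aud": audience, "sub": username,
                  "iat": now, "exp": now + ttl}
        for name in self.relying_parties[audience]:  # apply the trust's claim rules
            claims[name] = user[name]
        return sign(claims, self.signing_key)


class RelyingParty:
    """The target application: trusts tokens only from one issuer, addressed to itself."""

    def __init__(self, identifier: str, trusted_issuer: str, issuer_key: bytes):
        self.identifier = identifier
        self.trusted_issuer = trusted_issuer
        self.issuer_key = issuer_key  # stand-in for the ADFS token-signing certificate

    def accept(self, token: str, now: float = None):
        """Step 4: returns (True, claims) on success or (False, reason) on rejection."""
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed token"
        body, tag = parts
        try:
            expected = hmac.new(self.issuer_key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, unb64(tag)):
                return False, "bad signature"  # tampered, or signed by someone else
            claims = json.loads(unb64(body))
        except (ValueError, TypeError):
            return False, "malformed token"
        if claims.get("iss") != self.trusted_issuer:
            return False, "untrusted issuer"
        if claims.get("aud") != self.identifier:
            return False, "wrong audience"  # minted for a different application
        if (now if now is not None else time.time()) >= claims.get("exp", 0):
            return False, "expired"
        return True, claims


if __name__ == "__main__":
    key = b"farm-token-signing-key"  # assumption: distributed to the apps out of band
    sts = FederationServer("http://adfs.example.com/adfs/services/trust", key)
    sts.add_relying_party_trust("https://payroll.example.com", ["email", "groups"])
    sts.add_relying_party_trust("https://wiki.example.com", ["email"])
    payroll = RelyingParty("https://payroll.example.com", sts.issuer, key)
    wiki = RelyingParty("https://wiki.example.com", sts.issuer, key)
    token = sts.issue_token("alice", "correct horse battery", "https://payroll.example.com")
    print("payroll:", payroll.accept(token))  # (True, {...claims...})
    print("wiki:   ", wiki.accept(token))     # (False, 'wrong audience')
```

The audience check is the one most often skipped in home-grown relying parties: without it, a token issued for a low-value application can be replayed against a high-value one that trusts the same federation server.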

Why do companies use ADFS?


ADFS was born out of the need to overcome the authentication challenges created by AD in an
increasingly connected online world. IWA (Kerberos and NTLM) assumes the client can reach a
domain controller and that the application is joined to the domain, so AD on its own cannot
authenticate users who access AD-integrated applications from outside the network, nor
applications that live outside the domain altogether. This is a challenge in the modern
workplace, where users often need to access applications that are not owned or managed by their
AD organization.

ADFS is able to resolve and simplify these third-party authentication challenges, but does come
with certain risks and disadvantages.

ADFS solves the problem of users who need to access AD-integrated applications while working
remotely: they authenticate with their standard organizational AD credentials through a web
sign-in page, and ADFS issues tokens the applications can consume. It also allows users from one
organization to access the applications of another organization beyond the realm of their AD
domain. Examples include applications in a partner organization or modern cloud services, which
now form part of many organizations' extended IT landscape. Over 90% of organizations use
Active Directory, which means many use ADFS as well.

What are the risks and disadvantages?


ADFS does have its drawbacks, which make it far from an ideal authentication solution. These
disadvantages include the hidden infrastructure and maintenance costs, as well as security risks.

Even though ADFS is a free feature of Windows Server, commissioning it requires a Windows
Server license and a server to host the ADFS service, which comes at a cost to the
organization. Notably, the cost of a server license has increased since the release of Windows
Server 2016, which moved licensing from a per-processor to a per-core basis.

Hidden maintenance costs

Over and above the direct costs of commissioning ADFS, organizations also need to consider the
ongoing operational costs of managing and maintaining an ADFS service. Relying party trusts,
claim rules and the farm's certificates (the SSL, token-signing and token-decrypting
certificates, which expire and must be rolled over without breaking the applications that trust
them) need to be maintained by employees with deep technical skills, and ADFS servers need to be
patched, updated and backed up on a regular basis. In addition, since ADFS is a critical
service, high availability is key: a typical deployment is a farm of at least two federation
servers plus Web Application Proxy servers in a perimeter network. Depending on how it is
configured, ADFS can cost more than anticipated, both directly as more infrastructure is
required and indirectly as complexity increases.

Overall complexity

Commissioning, configuring, and maintaining an ADFS solution is not a simple undertaking.
Furthermore, each time an application is added to an ADFS service, the relying party trust and
its claim rules have to be created and tested, a process that is time-consuming and technically
intricate and that hinders IT agility.

Security risks

An out-of-the-box, standard install of ADFS is not as secure as it can be. Properly securing it
takes multiple steps that IT needs to perform, for example placing Web Application Proxy servers
in front of the farm rather than exposing the federation servers directly to the internet,
enabling extranet lockout so that password guessing against the sign-in page cannot brute-force
or deliberately lock out AD accounts, turning on auditing, and tightly controlling the
token-signing certificate's private key, since whoever holds it can mint tokens that every
federated application will accept. In addition, as ADFS runs on Windows Server, that server too
needs to be hardened and secured to ensure the solution is not at risk.

ADFS vs. Cloud identity


There is no doubt ADFS does have some advantages that make it a popular choice for
organizations looking for a federated identity solution. However, ADFS does have distinct
disadvantages that cannot be ignored.

Third-party cloud-based identity services offer features that match, and in some instances
surpass, those of ADFS. Cloud identity solutions are more cost-effective due to the lower
operational overhead needed to run them; beyond that, they have built-in high availability and
ready-made integrations with hundreds of applications. Okta provides secure cloud-based identity
solutions for its users, solutions that not only solve authentication challenges but also keep
security consistently front-of-mind.

Learn more about how to avoid the hidden costs of ADFS and find the right authentication
solutions for your enterprise.
