ADFS Theory
Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by
Microsoft. As a component of Windows Server operating systems, it provides users with
authenticated access to applications that are not capable of using Integrated Windows
Authentication (IWA) through Active Directory (AD).
Developed to provide flexibility, ADFS gives organizations the ability to control their
employees’ accounts while simplifying the user experience: employees only need to remember a
single set of credentials to access multiple applications through SSO.
ADFS resolves and simplifies these third-party authentication challenges, but it comes with
certain risks and disadvantages.
ADFS solves the problem of users who need to access AD-integrated applications while working
remotely, offering a flexible solution whereby they authenticate with their standard
organizational AD credentials via a web interface. It also allows users from one organization to
access the applications of another organization outside the realm of their own AD domain. Examples
include applications in a partner organization or modern cloud services, which now form part of
many organizations’ extended IT landscape.
Over 90% of organizations use Active Directory, which means many use ADFS as well.
Even though ADFS is a free feature of Windows Server, commissioning ADFS requires a
Windows Server license and a server to host the ADFS service, both of which come at a cost to the
organization. Notably, the cost of a server license has increased since the release of Windows
Server 2016, with licensing now calculated on a per-core basis.
Over and above the direct costs of commissioning ADFS, organizations also need to consider the
ongoing operational costs of managing and maintaining an ADFS service. Trusts between AD
domains need to be maintained by employees with deep technical skills and ADFS servers need
to be patched, updated and backed up on a regular basis. In addition, since ADFS is a critical
service, high availability is key. Depending on how it is configured, ADFS can cost more than
anticipated: both directly as more infrastructure is required, and indirectly as complexity
increases.
Overall complexity
Security risks
An out-of-the-box, standard install of ADFS is not as secure as it could be. To secure it
properly, IT must perform multiple hardening steps. In addition, because ADFS runs on Windows
Server, the host server itself must also be hardened and secured so that the solution is not put at risk.
Third-party cloud-based identity services offer features that match, and in some instances
surpass, those of ADFS. Cloud identity solutions are more cost-effective because of the lower
operational overhead needed to run them; beyond that, they have built-in high availability and
seamless integration with hundreds of applications. Okta provides secure cloud-based identity
solutions for its users—solutions that not only solve authentication challenges, but also
keep security consistently front-of-mind.
Learn more about how to avoid the hidden costs of ADFS and find the right authentication
solutions for your enterprise.