Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
Kick the AD FS Habit
Agenda
-  Trends in IT and How They Affect Identity
-  AD FS Overview, Costs, and Shortcomings
-  Okta’s Approach to AD Integration
-  Q&A
okta confidential 2
What We’ll Show Today
AD FS is Not Free
•  Significant server costs
•  Setup and configuration efforts
•  Ongoing maintenance costs
•  No repeatability
•  More apps = more costs
AD FS is Not A Complete Solution
•  Limited app support
•  No provisioning
•  No reporting
•  No native mobile apps
Diagram: Identity sits at the center of applications, devices and people, and each of the three is expanding: applications now include custom, cloud and mobile apps; devices include iPhone, Android and iPad; people include remote workers, partners and customers.
Pain for end users
Pain for IT: time-consuming user provisioning
Pain for the security team
•  Service
•  Enterprise Grade
•  Integrated
•  Future Proof
•  Easy to Use
“Cloud IAM Has Superior ROI”
“Cloud IAM is the best option; 310% ROI over manual processes, 90% reduction of operations vs. on-prem solutions.”
“By the end of 2015, IDaaS will account for 40% of all new IAM sales”
AD FS 2.0:
•  HW, SW, Infrastructure
•  Services Intense
•  Connector Treadmill
•  Forklift Upgrades
AD FS Overview
Diagram: Active Directory (the user store) and the on-prem apps sit inside your network behind the firewall; the cloud apps sit out on the Internet. What do you use here? How do you connect these cloud apps to Active Directory?
AD FS – High Level (diagrams; source: microsoft.com, technet.microsoft.com)
Server farm?
Step 1: Deploy Your Federation Server Farm
-  Dedicated servers behind your corporate network
-  Double the server count for HA
Step 2: Deploy Your Federation Server Proxies
-  Dedicated proxy servers in your DMZ (!)
-  Double the server count for HA
-  The proxies are the Internet-facing component: they take credentials from unauthenticated clients on the Internet and relay to the farm, so they need the patching, hardening and monitoring of any other edge system
Source: technet.microsoft.com
How Many Servers are We Talking About?
Number of users accessing the cloud service | Minimum number of servers to deploy
1,000 to 15,000 users | 2 dedicated federation servers + 2 dedicated federation server proxies
15,000 to 60,000 users | 3 to 5 dedicated federation servers + at least 2 dedicated federation server proxies
Source: technet.microsoft.com
4-7 dedicated servers for one cloud application, at least two of them deployed in your DMZ
…we’re not done
Even more servers to run the database that holds the configuration: SQL Servers added to the mix…
The configuration database can live in the Windows Internal Database on the federation servers themselves, but a farm of more than five servers, or one that needs SAML artifact resolution or token replay detection, requires a separate SQL Server.
Source: technet.microsoft.com
Don’t forget your Certificates
Certificate types:
-  Token-signing certificate
-  Service communication certificate
-  Token-decryption certificate
Source: technet.microsoft.com
The service communication (SSL) certificate must be installed on every federation server and every proxy, must carry the Federation Service name, and must come from a CA that clients and relying parties trust; it is the one you buy, track and renew on each server. The token-signing and token-decrypting certificates are farm-wide and may be self-signed with automatic rollover, but each rollover has to reach every relying party (by re-reading federation metadata or by hand) or sign-in to that app breaks.
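As a worked check for the certificate list above (an added example, not part of the Okta deck and not Okta or Microsoft tooling), the following PowerShell enumerates the three AD FS certificate types on a federation server and flags those expiring inside a warning window. It uses the Microsoft ADFS module cmdlets Get-AdfsCertificate and Get-AdfsProperties (Windows Server 2012 R2 and later; on AD FS 2.0 load the Microsoft.Adfs.PowerShell snap-in first, which provides the same cmdlets). The function name and the 60-day window are assumptions.

```powershell
# Added example: report AD FS certificate expiry on a federation server.
# Needs the ADFS module (Windows Server 2012 R2+); on AD FS 2.0 run
#   Add-PSSnapin Microsoft.Adfs.PowerShell
# first. The 60-day warning window is an assumption, not a Microsoft default.
function Test-AdfsCertificateExpiry {
    [CmdletBinding()]
    param([int]$WarnDays = 60)

    $now   = Get-Date
    $props = Get-AdfsProperties

    # Get-AdfsCertificate returns one object per certificate with CertificateType
    # (Service-Communications, Token-Decrypting, Token-Signing), IsPrimary,
    # Thumbprint and the X509Certificate2 itself in .Certificate.
    $report = foreach ($c in Get-AdfsCertificate) {
        $cert     = $c.Certificate
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        if ($daysLeft -lt 0)             { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $status = 'RENEW SOON' }
        else                             { $status = 'OK' }

        [pscustomobject]@{
            Type       = $c.CertificateType
            Primary    = $c.IsPrimary
            Subject    = $cert.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }

    $report | Sort-Object Type | Format-Table -AutoSize | Out-Host

    # Token-signing and token-decrypting certificates are farm-wide and can roll
    # over automatically; every relying party then needs the new public key.
    if ($props.AutoCertificateRollover) {
        Write-Host 'AutoCertificateRollover is ON: signing/decrypting certs renew themselves; relying parties must re-read federation metadata after a rollover.'
    } else {
        Write-Host 'AutoCertificateRollover is OFF: signing/decrypting certs must be renewed and published by hand.'
    }

    # The service communication (SSL) certificate never rolls automatically and
    # also has to be replaced on every federation server proxy.
    $report |
        Where-Object { $_.Type -eq 'Service-Communications' -and $_.Status -ne 'OK' } |
        ForEach-Object { Write-Warning "SSL certificate $($_.Thumbprint) ($($_.Status)) must be replaced on every federation server and proxy." }

    return $report
}

Test-AdfsCertificateExpiry -WarnDays 60
```

Run it on one federation server in the farm as an AD FS administrator; the returned objects can be fed to a scheduled task or monitoring job. Note that the check covers only the farm's own certificates: the SSL certificate installed on each proxy is a separate copy and must be verified on the proxy itself.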
The true costs of AD FS…
Chart: setup (time) + hardware costs and support & maintenance, for year one, year two, year three and in total; $25k - $50k for the first app.
…are costs that grow over time: more apps = more cost.
Example: Office 365 with AD FS (source: perficient.com/Partners/Microsoft)
Example: Salesforce SSO with AD FS 2.0 (source: blog.force365.com/salesforce-sso-with-adfs-2-0/)
Example: AD Integration with Okta – 30 minutes or less
1. Download the AD agent and install it on a Windows machine inside your network
2. Enter your Okta URL (https://yourcompany.okta.com) and credentials; the agent connects outbound over HTTPS from your network to Okta, so no inbound firewall configuration is necessary
3. Configure the agent: directory location and credentials (use a dedicated, least-privileged service account rather than an administrator’s credentials)
4. Configure import rules
It’s Not Just About Cost
AD FS is not free (server, setup and maintenance costs, no repeatability, more apps = more costs) and it is not a complete solution (limited app support, no provisioning, no reporting, no native mobile apps).
Okta Overview
Enterprise Identity, Delivered
Diagram: Okta connects all your people (employees, customers, partners, contractors) on all your devices (desktops, laptops, tablets, smartphones) to thousands of mobile, on-prem and cloud applications, and to on-prem identity stores (Active Directory, LDAP).
Okta-Powered Customer & Partner Portals: manage identities outside your firewall
Diagram: customers and partners sign in with username and password to an Okta-powered portal that fronts both cloud apps and on-premise apps.
Okta AD Integration Details
Active Directory Integration with Okta
1. Remote/mobile employees authenticate with their AD username and password
2. Local employees transparently authenticate using Integrated Windows Authentication
3. Access policies are driven by AD security groups (e.g. the Sales group)
Diagram: Okta agent(s) inside the firewall connect Okta to Active Directory.
Easy to Use, Just Works
•  Simple agent install, no network configuration required
•  Multiple agents supported for high availability
Broad Functionality
•  Real-time synchronization with AD (no scheduled imports needed)
•  Automatic deactivation in Okta of disabled/deleted users
•  Delegated authentication from Okta to AD
Tight Windows Integration
•  Integration into Windows desktop login
Setting Up AD Integration with Okta: the same four steps as “AD Integration with Okta – 30 minutes or less” above (install the agent on a Windows machine, enter the Okta URL and credentials, configure directory location and credentials, configure import rules).
Real Time AD User Synchronization
1. The AD agent (on a Windows server inside your network) watches for changes in AD and opens an outbound HTTPS connection to https://yourcompany.okta.com
2. Okta receives the updates in real time and makes user and group changes as needed
3. Users are provisioned and de-provisioned, and applications assigned, based on security group membership
Delegated Authentication to AD (from inside or outside the network)
1. User logs into https://yourcompany.okta.com using their Okta username and AD password
2. Okta passes the credentials to the AD agent over the agent’s persistent outbound connection; the agent validates them against a domain controller
3. The agent responds with success or failure
4. Okta returns the cloud app home page (success) or a failure message
Note what this flow implies: the AD password is typed into the Okta login page and relayed through Okta to the agent, so the Okta tenant, its administrator accounts and the agent host must be protected as credential-handling infrastructure.
Desktop SSO: Get To Cloud Apps with NO Login Page
1. User logs on to the domain (authenticated by the AD domain controller)
2. User can then access cloud apps with no additional login
Secure: uses Integrated Windows Authentication (Kerberos)
Easy to deploy: leverages a lightweight Okta IWA agent running under IIS
User Provisioning with Active Directory
1. New employees are created in Active Directory
2. Applications are provisioned centrally through Okta (the Okta agent relays the AD change out through the firewall)
3. The employee logs in to Okta with AD credentials and has immediate SSO access to apps
Increase Productivity | Reduce IT Costs | Strengthen Security
Customer example: 3,300 users | 100 apps | > $10M savings
“Cloud IAM is the best option, providing 310% ROI over manual processes” - Forrester Research, October 2012
Okta was named a Leader (highest ranking)
Modern Identity Management
•  First true Cloud IAM service
•  Full suite of IAM features (SSO, provisioning, analytics)
•  Bridges existing user stores (AD / LDAP) to the cloud
•  Connects to legacy on-prem IAM software
Dedicated Support
•  24 / 7 / 365 Premier Support Team
•  SmartStart Professional Services Team
•  Training and Education Team
Veteran Team
“Okta is the gold standard of companies we’ve worked with.”
“Okta makes our problems their own and it’s why we can rely on them to make us successful.”
What We Covered
AD FS is not free (server, setup and maintenance costs, no repeatability, more apps = more costs) and it is not a complete solution (limited app support, no provisioning, no reporting, no native mobile apps).
Okta vs. AD FS
Cloud Service, Built in HA
  Okta: 100% multi-tenant, fully managed; always on; features and capacity on demand; no changes required to AD infrastructure
  AD FS: you install, configure & manage; redundancy for HA = more hardware; must maintain as apps change
Access Management
  Okta: control who has access to which app; easily map different username formats; quickly import, match, roll out
  AD FS: create & manage custom attributes; every app may require changes; no concept of user import or matching
User Provisioning, De-Provisioning
  Okta: easily add/remove users and access; driven directly from AD security groups; pre-integrated with your applications
  AD FS: none
Logging & Reporting
  Okta: better visibility into access and usage; easy to access from the Okta admin UI
  AD FS: no reporting (Windows event logs only)
Application Integrations
  Okta: 1,500+ pre-integrated apps; no engineering to configure or maintain; SSO with any app, not just SAML; user management integrations
  AD FS: you build and maintain every integration; only supports SAML and WS-*; only single sign-on
Getting Started with Okta
-  Download the AD FS whitepaper
-  Start a free trial of Okta for unlimited apps
-  Use Okta for free for one app: okta.com/free
ADFS Terminology
AD FS 2.0 term: Definition

AD FS 2.0 configuration database: A database used to store all configuration data that represents a single AD FS 2.0 instance or Federation Service. This configuration data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008 and Windows Server 2008 R2 or using a Microsoft SQL Server database.

Claim: A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.

Federation Service: A logical instance of AD FS 2.0. A Federation Service can be deployed as a standalone federation server or as a load-balanced federation server farm. You can configure the name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate.

Federation server: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act in the federation server role. A federation server serves as part of a Federation Service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of claims, such as a user's name or role.

Source: technet.microsoft.com
ADFS Terminology - continued
AD FS 2.0 term: Definition

Federation server farm: Two or more federation servers in the same network that are configured to act as one Federation Service instance.

Federation server proxy: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federation Service that is located behind a firewall on a corporate network.

Relying party: A Federation Service or application that consumes claims in a particular transaction.

Relying party trust: In the AD FS 2.0 Management snap-in, a relying party trust is a trust object that is created to maintain the relationship with another Federation Service, application, or service (in this case with Google Apps or Salesforce.com) that consumes claims from your organization’s Federation Service.

Network load balancer: A dedicated application (such as Network Load Balancing) or hardware device (such as a multilayer switch) used to provide fault tolerance, high availability, and load balancing across multiple nodes. For AD FS 2.0, the cluster DNS name that you create using this NLB must match the Federation Service name that you specified when you deployed your first federation server in your farm.

Source: technet.microsoft.com
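To make the per-application work behind the “relying party trust” definition above, and behind the “more apps = more cost” examples earlier, concrete: the following PowerShell is an added example (not from the Okta deck and not Microsoft's documentation) that scripts one relying party trust instead of clicking through the snap-in. It creates the SAML endpoint, the trust itself, the claim rules that turn AD attributes into the claims the app expects, and an issuance authorization rule limiting sign-in to one AD group. The app name, entity ID, assertion consumer URL and group SID are placeholders; the cmdlets are the Microsoft ADFS module's Add-AdfsRelyingPartyTrust, New-AdfsSamlEndpoint and Get-AdfsRelyingPartyTrust (on AD FS 2.0, load the Microsoft.Adfs.PowerShell snap-in first). All of it has to be repeated, with different values, for the next application.

```powershell
# Added example: one relying party trust for one SAML 2.0 service provider.
# Run on a federation server as an AD FS administrator. Every value below
# that names the app is a placeholder; AD FS 2.0 needs
#   Add-PSSnapin Microsoft.Adfs.PowerShell
# before these cmdlets are available.
$appName  = 'Example SP'                                        # placeholder
$entityId = 'https://sp.example.com'                            # placeholder SP entity ID
$acsUrl   = 'https://sp.example.com/saml/acs'                   # placeholder assertion consumer URL
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'    # placeholder SID of the allowed AD group

# Issuance transform rules (AD FS claim rule language): look up mail in AD for
# the authenticated account, then emit it as the SAML NameID the app expects.
$transformRules = @'
@RuleName = "Query mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: only members of the named group receive a token.
# The "Permit Access to All Users" template AD FS offers by default would let
# every AD account sign in to this app.
$authzRules = @"
@RuleName = "Permit app group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Where AD FS posts the signed assertion for this app.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-AdfsRelyingPartyTrust -Name $appName `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify: the trust exists, is enabled, and carries both rule sets.
Get-AdfsRelyingPartyTrust -Name $appName |
    Select-Object Name, Enabled, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules |
    Format-List
```

The app side still has to be told the Federation Service name and handed the token-signing certificate (or the federation metadata URL), and that step recurs every time the signing certificate rolls over. The authorization rule is the part most deployments leave at the permit-all template; without the group restriction, any AD account can obtain a token for the app.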
Summary – ADFS Pros and Cons
Pros
•  Just a Windows Server role
•  Flexible SAML, WS-Fed solution
•  Tight AD integration
Cons
•  Difficult to configure
•  Difficult to make production ready
•  Limited application coverage
•  No re-use (a relying party trust and claim rules must be set up for each app)
•  No provisioning
•  No reporting
•  No central policy controls (only per-app issuance authorization rules)
How are accounts created? How do users authenticate? How does IT manage these accounts? How are accounts de-provisioned?
Solution: Connect AD to the Cloud
More Related Content

PDF
5 Top Enterprises Making IAM a Priority
PDF
Modern Requirements and Solutions for Privileged Access Management (PAM)
PPTX
Identity and Access Management Playbook CISO Platform 2016
PPTX
Identity and Access Management (IAM): Benefits and Best Practices 
PDF
Microsoft 365 Security and Compliance
PPTX
Fundamentals of Microsoft 365 Security , Identity and Compliance
PDF
Modern Devices Management
PDF
Building a Customer Identity and Access Management (CIAM) Solution
5 Top Enterprises Making IAM a Priority
Modern Requirements and Solutions for Privileged Access Management (PAM)
Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management (IAM): Benefits and Best Practices 
Microsoft 365 Security and Compliance
Fundamentals of Microsoft 365 Security , Identity and Compliance
Modern Devices Management
Building a Customer Identity and Access Management (CIAM) Solution

What's hot (20)

PPTX
IT Asset management presentation
PPTX
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
PPTX
M365 e3 and identity and threat protection and compliance new skus
PPTX
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
PDF
Introduction to Microsoft 365 Enterprise
PPT
Building Your Roadmap Sucessful Identity And Access Management
PPTX
Identity and Access Management Introduction
PDF
Introduction of Service Assurance Domain
PPS
OSS Service Assurance -Concept Presentation by Biju M Rr
PDF
IDENTITY ACCESS MANAGEMENT
PDF
005. Ethics, Privacy and Security
PDF
Identity and Access Management 101
PPTX
Acronis presentation
PPTX
Microsoft Information Protection: Your Security and Compliance Framework
PPT
The business value of managed services: Findings from IDC research sponsored...
PPTX
Data Loss Prevention from Symantec
PDF
Overview of Data Loss Prevention Policies in Office 365
PDF
Vulnerability Management
PPTX
Identity & access management
PDF
Microsoft Defender and Azure Sentinel
IT Asset management presentation
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
M365 e3 and identity and threat protection and compliance new skus
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
Introduction to Microsoft 365 Enterprise
Building Your Roadmap Sucessful Identity And Access Management
Identity and Access Management Introduction
Introduction of Service Assurance Domain
OSS Service Assurance -Concept Presentation by Biju M Rr
IDENTITY ACCESS MANAGEMENT
005. Ethics, Privacy and Security
Identity and Access Management 101
Acronis presentation
Microsoft Information Protection: Your Security and Compliance Framework
The business value of managed services: Findings from IDC research sponsored...
Data Loss Prevention from Symantec
Overview of Data Loss Prevention Policies in Office 365
Vulnerability Management
Identity & access management
Microsoft Defender and Azure Sentinel
Ad

Viewers also liked (19)

PDF
Company and Market Overview
PDF
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...
PDF
Extending Active Directory to Box for Seamless IT Management
PPTX
Ppt okta
PPTX
KMS at Okta - Intermediate Level
PPTX
ECS and Docker at Okta
PDF
Migration SUN/Oracle vers OpenLDAP : évitez les pièges !
PDF
London Devops #9 - Security at a startup
PDF
How to Automate User Provisioning
PPTX
Leading Trends in IAM Webinar 3: Optimizing User Experience in Cloud Initiatives
PDF
How to increase your understanding of application usage with LeanIX and OneLo...
PDF
63 Requirements for CASB
PDF
Okta Directory Integration for Microsoft Office365 - from Atidan
PPTX
Identity intelligence: Threat-aware Identity and Access Management
PPTX
User Creation and Authentication in Remedyforce
PPTX
Azure API Apps
PPTX
CASBs and Office 365: The Security Menace
PDF
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
PDF
NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...
Company and Market Overview
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...
Extending Active Directory to Box for Seamless IT Management
Ppt okta
KMS at Okta - Intermediate Level
ECS and Docker at Okta
Migration SUN/Oracle vers OpenLDAP : évitez les pièges !
London Devops #9 - Security at a startup
How to Automate User Provisioning
Leading Trends in IAM Webinar 3: Optimizing User Experience in Cloud Initiatives
How to increase your understanding of application usage with LeanIX and OneLo...
63 Requirements for CASB
Okta Directory Integration for Microsoft Office365 - from Atidan
Identity intelligence: Threat-aware Identity and Access Management
User Creation and Authentication in Remedyforce
Azure API Apps
CASBs and Office 365: The Security Menace
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...
Ad

Similar to Avoiding the Hidden Costs of Active Directory Federation Services (AD FS) (20)

PPTX
Oktane13-O365_v2-JGAZARIK-OKTA
PPTX
PDF
Making your Cloud Initiatives Successful
PPTX
20150924 Xylos Technology Day - Stay in control of your identity with Azure A...
PDF
How AD has been re-engineered to extend to the cloud
PPTX
Identity Management for Office 365 and Microsoft Azure
PPTX
Prashant Saxena Business briefing Okta
PPTX
O365-AzureAD Identity management
PDF
Cloud Identity and Extending Active Directory Off-Premises
PDF
Identity Management Buyer’s Guide for the SME
PDF
IAM Cloud Datasheet plus Cloud Drive Mapper
PPTX
Understanding Identity Management with Office 365
PPTX
Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group
PPTX
2. Day 2 - Identify and SSO
PDF
How to secure and manage modern IT - Ondrej Vysek
PPT
Windows server 2003_r2
PPTX
Webinar: Lets talk Office 365
PDF
Using Active Directory in AWS
PDF
Using Active Directory in AWS
PDF
Active Directory Proposal
Oktane13-O365_v2-JGAZARIK-OKTA
Making your Cloud Initiatives Successful
20150924 Xylos Technology Day - Stay in control of your identity with Azure A...
How AD has been re-engineered to extend to the cloud
Identity Management for Office 365 and Microsoft Azure
Prashant Saxena Business briefing Okta
O365-AzureAD Identity management
Cloud Identity and Extending Active Directory Off-Premises
Identity Management Buyer’s Guide for the SME
IAM Cloud Datasheet plus Cloud Drive Mapper
Understanding Identity Management with Office 365
Understanding Office 365’s Identity Solutions: Deep Dive - EPC Group
2. Day 2 - Identify and SSO
How to secure and manage modern IT - Ondrej Vysek
Windows server 2003_r2
Webinar: Lets talk Office 365
Using Active Directory in AWS
Using Active Directory in AWS
Active Directory Proposal

Recently uploaded (20)

PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPT
Teaching material agriculture food technology
PDF
Electronic commerce courselecture one. Pdf
PDF
NewMind AI Monthly Chronicles - July 2025
PPTX
Big Data Technologies - Introduction.pptx
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Encapsulation theory and applications.pdf
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Empathic Computing: Creating Shared Understanding
PDF
Spectral efficient network and resource selection model in 5G networks
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Building Integrated photovoltaic BIPV_UPV.pdf
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Teaching material agriculture food technology
Electronic commerce courselecture one. Pdf
NewMind AI Monthly Chronicles - July 2025
Big Data Technologies - Introduction.pptx
20250228 LYD VKU AI Blended-Learning.pptx
Encapsulation_ Review paper, used for researhc scholars
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
NewMind AI Weekly Chronicles - August'25 Week I
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Mobile App Security Testing_ A Comprehensive Guide.pdf
Encapsulation theory and applications.pdf
Dropbox Q2 2025 Financial Results & Investor Presentation
Unlocking AI with Model Context Protocol (MCP)
Empathic Computing: Creating Shared Understanding
Spectral efficient network and resource selection model in 5G networks
Digital-Transformation-Roadmap-for-Companies.pptx
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx

Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)

  • 1. Kick the AD FS Habit
  • 2. Agenda -  Trends in IT à How They Affect Identity -  AD FS Overview, Costs, and Shortcomings -  Okta’s Approach to AD Integration -  Q&A okta confidential 2
  • 3. What We’ll Show Today okta confidential 3 •  Significant server costs •  Setup and configuration efforts •  Ongoing maintenance costs •  No repeatability •  more apps = more costs AD FS is Not Free •  Limited app support •  No provisioning •  No reporting •  No native mobile apps AD FS is Not A Complete Solution
  • 6. Applications Devices People +  Custom,  +  Cloud,  +  Mobile    Applications Devices People +  iPhone,  Android,  +  iPad   +  Remote,  +  Partners,  +  Customers     Identity
  • 7. Pain for end users
  • 8. Pain for IT Time consuming user provisioning
  • 10. •  Service •  Enterprise Grade •  Integrated •  Future Proof •  Easy to Use “Cloud  IAM  Has  Superior  ROI”   “Cloud  IAM  is  the  best  op9on;  310%  ROI  over  manual     processes,  90%  reduc9on  of  opera9ons  vs.  on-­‐prem  solu9ons.”     “By the end of 2015, IDaaS will account for 40% of all new IAM sales”   •  HW, SW, Infrastructure •  Services Intense •  Connector Treadmill •  Forklift Upgrades AD  FS  2.0  
  • 11. AD FS Overview okta confidential 11
  • 12. okta confidential 12 Your Network Firewall Internet Active Directory User storeUser store On-prem Apps What to Use Here? How to connect these cloud apps to Active Directory?
  • 15. AD FS – High Level 15 Source: technet.microsoft.com okta confidential 15
  • 16. AD FS – High Level Server Farm? Source: technet.microsoft.com okta confidential 16
  • 17. Step 1: Deploy Your Federation Server Farm okta confidential 17 Source: technet.microsoft.com -  Dedicated servers behind your corporate network -  Double server count for HA
  • 18. Step 2: Deploy Your Federation Server Proxies okta confidential 18 Source: technet.microsoft.com -  Dedicated proxy servers in your DMZ (!) -  Double server count for HA
  • 19. How Many Servers are We Talking About? okta confidential 19 Number of users accessing the cloud service Minimum number of servers to deploy 1,000 to 15,000 users 2 dedicated federation servers + 2 dedicated federation server proxies 15,000 to 60,000 users Between 3 and 5 dedicated federation servers + At least 2 dedicated federation server proxies Source: technet.microsoft.com 4-7 dedicated servers for one cloud application Half of these are deployed in your DMZ
  • 20. …we’re not done okta confidential 20 Source: technet.microsoft.com Even more servers to run the database that holds configuration
  • 21. SQL Servers added to the mix… okta confidential 21
  • 22. Don’t forget your Certificates okta confidential 22 Certificate type Token-signing certificate Service communication certificate Token-decryption certificate Source: technet.microsoft.com Separate certificates for each server Must be purchased from a CA Must be managed and renewed
  • 23. The true costs of AD FS… okta confidential 23 Year One Year Two Year Three Total Support & Maintenance Setup (Time) + Hardware Costs $25k - $50k for first app
  • 24. Year One Year Two Year Three Total …are costs that grow over time okta confidential 24 More apps = more cost
  • 25. Example: Office365 okta confidential 25 Source: perficient.com/Partners/Microsoft
  • 26. okta confidential 26 Source: perficient.com/Partners/Microsoft
  • 27. okta confidential 27 Source: blog.force365.com/salesforce-sso-with-adfs-2-0/ Example:
  • 28. AD Integration with Okta – 30 minutes or less okta confidential 28 Download AD Agent, Install on Windows Machine 1 Configure Agent: Directory Location, Credentials 3 Configure import rules 4 Internet Firewall Your Network AD Domain Controller Okta Agent https://yourcompany.okta.com 2 •  Enter Okta URL and credentials •  HTTPS from company to Okta •  No firewall configuration necessary
  • 39. It’s Not Just About Cost okta confidential 39 •  Significant server costs •  Setup and configuration efforts •  Ongoing maintenance costs •  No repeatability •  more apps = more costs AD FS is Not Free •  Limited app support •  No provisioning •  No reporting •  No native mobile apps AD FS is Not A Complete Solution
  • 40. Okta Overview Enterprise Identity, Delivered okta confidential 40
  • 41. All Your Devices All Your People Desktop, Laptops, Tablets, Smartphones, Employees, Customers, Partners, Contractors Mobile On Prem Cloud On Prem Identity LDAP
  • 46. All Your Devices All Your People Desktop, Laptops, Tablets, Smartphones, Employees, Customers, Partners, Contractors Mobile On Prem Cloud On Prem Identity LDAP
  • 47. Mobile On Prem Cloud On Prem Identity LDAP All Your Devices All Your People Desktop, Laptops, Tablets, Smartphones, Employees, Customers, Partners, Contractors
  • 49. Mobile On Prem Cloud On Prem Identity LDAP All Your Devices All Your People Desktop, Laptops, Tablets, Smartphones, Employees, Customers, Partners, Contractors
  • 50. Okta Powered Customer & Partners Portals Manage identities outside your firewall Customers Partners Cloud Apps On Premise Apps Porta l Username Password
  • 52. Active Directory Integration with Okta okta confidential 52 Remote users authenticate with AD username and password 1 Local users transparently authenticate using Integrated Windows Authentication 2 Access policies driven by AD security groups 3 Remote/Mobile Employees Active Directory Employees Okta Agent(s) Group Sales Firewall
  • 53. Active Directory Integration with Okta okta confidential 53 Remote users authenticate with AD username and password 1 Local users transparently authenticate using Integrated Windows Authentication 2 Access policies driven by AD security groups 3 Remote/Mobile Employees Active Directory Employees Okta Agent(s) Group Sales Firewall• Simple agent install, no network configuration required • Multiple agents supported for High Availability Easy to Use, Just Works • Real-time Synchronization with AD (no scheduled imports needed) • Automatic De-Activation in Okta of Disabled/Deleted Users • Delegate Authentication for Okta to AD Broad Functionality • Integration into Windows Desktop Login Tight Windows Integration
  • 54. Setting Up AD Integration with Okta okta confidential 54 Download AD Agent, Install on Windows Machine 1 Configure Agent: Directory Location, Credentials 3 Configure import rules 4 Internet Firewall Your Network AD Domain Controller Okta Agent https://yourcompany.okta.com 2 •  Enter Okta URL and credentials •  HTTPS from company to Okta •  No firewall configuration necessary
  • 55. Real Time AD User Synchronization okta confidential 55 Internet Firewall Your Network AD Domain Controller Okta Agent (On Windows Server) https://yourcompany.okta.com 3 Users provisioned, de-provisioned, application assignments based on security group membership AD Agent dynamically looks for changes in AD, makes HTTPS connection to Okta 1 Okta gets real time updates, makes user and group changes as needed 2 okta confidential 55
• 56. Delegated Authentication to AD. Diagram: Your Network (AD Domain Controller, Okta Agent on Windows Server) | Firewall | Internet | https://yourcompany.okta.com
1. The user, inside or outside the network, logs in to https://yourcompany.okta.com using the Okta username and AD password.
2. Okta communicates with the AD Agent over a persistent connection to validate the credentials.
3. The agent responds with success or failure.
4. Okta returns the Cloud App homepage (success) or a failure message.
-  Note: in this flow the AD password is entered at the Okta service and relayed to the agent, so the TLS connection and the agent host sit inside the trust boundary for AD credentials.
• 57. Desktop SSO: Get To Cloud Apps with NO Login Page. Diagram: AD Domain Controller, Firewall, Okta IWA Agent.
1. User logs on to the domain.
2. Can then access Cloud apps with no additional login.
-  Secure: uses Integrated Windows Authentication (Kerberos)
-  Easy to deploy: leverages a lightweight agent (the Okta IWA Agent) running under IIS
-  Note: browsers release Kerberos tickets automatically only to hosts they treat as intranet/trusted, so the IWA agent's host name has to be classified that way on domain-joined clients.
• 58. User Provisioning with Active Directory. Diagram: AD Domain Controller, Okta Agent, Firewall.
1. New employees are created in Active Directory.
2. Applications are provisioned centrally through Okta.
3. Okta login using AD credentials: immediate SSO access to apps.
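The mechanism slides 55 and 58 describe is a reconciliation: compare the AD state the downstream store already mirrors with a fresh snapshot, then activate, assign, unassign, or deactivate. The following is an added example that models that step in plain Python; it is not Okta's agent code, and the group names, app names, user objects and the two snapshots are constructed for illustration. The only AD fact it relies on is that a disabled account carries the `0x2` bit (`ADS_UF_ACCOUNTDISABLE`) in `userAccountControl`.

```python
"""Group-driven provisioning and de-provisioning from an Active Directory snapshot.

Added example, not Okta's agent code: two snapshots of AD (the one the downstream
store already mirrors and the fresh one) are compared, and the result is the list
of activate / assign / unassign / deactivate actions the downstream identity
store needs. All data is constructed; nothing talks to a directory or to Okta.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit AD sets on a disabled account
UF_NORMAL_ACCOUNT = 0x0200   # ordinary user account


@dataclass(frozen=True)
class ADUser:
    sam: str                                  # sAMAccountName
    uac: int                                  # userAccountControl bit field
    member_of: FrozenSet[str] = frozenset()   # security group names (CN)


Change = Tuple[str, str, Optional[str]]       # (sAMAccountName, action, app or None)


def is_enabled(user: ADUser) -> bool:
    """An account that still exists but has the disable bit set must not keep access."""
    return not (user.uac & UF_ACCOUNTDISABLE)


def entitled_apps(user: ADUser, app_rules: Dict[str, Set[str]]) -> Set[str]:
    """Apps a user is entitled to purely from security-group membership."""
    return set().union(*(app_rules.get(group, set()) for group in user.member_of))


def reconcile(previous: Dict[str, ADUser], current: Dict[str, ADUser],
              app_rules: Dict[str, Set[str]]) -> List[Change]:
    """Compute the changes that move downstream state from `previous` to `current`.

    A user missing from `current` was deleted in AD; a user with the disable bit
    set was disabled. Both are deactivated downstream (not deleted), after their
    app assignments are removed, so the audit trail survives.
    """
    changes: List[Change] = []
    for sam in sorted(set(previous) | set(current)):
        before, after = previous.get(sam), current.get(sam)
        was_active = before is not None and is_enabled(before)
        now_active = after is not None and is_enabled(after)
        old_apps = entitled_apps(before, app_rules) if was_active else set()
        new_apps = entitled_apps(after, app_rules) if now_active else set()
        if now_active and not was_active:
            changes.append((sam, "activate", None))
        for app in sorted(new_apps - old_apps):
            changes.append((sam, "assign", app))
        for app in sorted(old_apps - new_apps):
            changes.append((sam, "unassign", app))
        if was_active and not now_active:
            changes.append((sam, "deactivate", None))
    return changes


# Constructed sample data: group -> apps mapping and two AD snapshots (assumed names).
APP_RULES = {"Sales": {"crm"}, "Engineering": {"scm", "tracker"}}

LAST_SYNC = {
    "alice": ADUser("alice", UF_NORMAL_ACCOUNT, frozenset({"Sales"})),
    "bob": ADUser("bob", UF_NORMAL_ACCOUNT, frozenset({"Sales", "Engineering"})),
    "carol": ADUser("carol", UF_NORMAL_ACCOUNT),
}
THIS_SYNC = {
    # alice was disabled in AD (0x2 set); bob left Sales; carol was deleted;
    # dave is a new hire in Engineering.
    "alice": ADUser("alice", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, frozenset({"Sales"})),
    "bob": ADUser("bob", UF_NORMAL_ACCOUNT, frozenset({"Engineering"})),
    "dave": ADUser("dave", UF_NORMAL_ACCOUNT, frozenset({"Engineering"})),
}


def sample_changes() -> List[Change]:
    return reconcile(LAST_SYNC, THIS_SYNC, APP_RULES)


if __name__ == "__main__":
    for sam, action, app in sample_changes():
        print(f"{sam:6} {action:10} {app or ''}")
```

Running it lists, per user, the unassignments first and the deactivation last, so that a disabled or deleted account never keeps an app assignment behind a deactivated login.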
• 60. Diagram: All Your Devices (desktops, laptops, tablets, smartphones) and All Your People (employees, customers, partners, contractors) connect to Mobile, On Prem and Cloud apps through On Prem Identity (LDAP).
• 61. Same diagram as slide 60, with the outcomes: Increase Productivity, Reduce IT Costs, Strengthen Security.
• 62. Customer result: 3,300 users | 100 apps | > $10M savings. “Cloud IAM is the best option, providing 310% ROI over manual processes” - Forrester Research, October 2012
  • 63. Okta was named a Leader (highest ranking)
• 65. Modern Identity Management
-  First true Cloud IAM service
-  Full suite of IAM features (SSO, provisioning, analytics)
-  Bridges existing user stores (AD / LDAP) to the cloud
-  Connects to legacy on-prem IAM software
Dedicated Support
-  24 / 7 / 365 Premier Support Team
-  SmartStart Professional Services Team
-  Training and Education Team
Veteran Team
“Okta is the gold standard of companies we’ve worked with.”
“Okta makes our problems their own and it’s why we can rely on them to make us successful.”
• 66. What We Covered
AD FS is Not Free
-  Significant server costs
-  Setup and configuration efforts
-  Ongoing maintenance costs
-  No repeatability
-  More apps = more costs
AD FS is Not a Complete Solution
-  Limited app support
-  No provisioning
-  No reporting
-  No native mobile apps
• 67. Okta vs. AD FS
Cloud Service, Built in HA
-  Okta: 100% multi-tenant, fully managed; always on; features and capacity on demand; no changes required to AD infrastructure
-  AD FS: you install, configure and manage; redundancy for HA = more hardware; must maintain as apps change
Access Management
-  Okta: control who has access to which app; easily map different username formats; quickly import, match, roll out; create and manage custom attributes
-  AD FS: every app may require changes; no concept of user import or matching
User Provisioning, De-Provisioning
-  Okta: easily add/remove users and access; drive directly from AD security groups; pre-integrated with your applications
-  AD FS: none
Logging & Reporting
-  Okta: better visibility into access and usage; easy to access from the Okta admin UI
-  AD FS: none
Application Integrations
-  Okta: 1,500+ pre-integrated apps; no engineering to configure or maintain; SSO with any app, not just SAML; user management integrations
-  AD FS: you build and maintain every integration; only supports SAML and WS-*; only single sign-on
• 68. Getting Started with Okta
-  Download the AD FS whitepaper
-  Start a free trial of Okta for unlimited apps
-  Use Okta for free for one app
• 70. ADFS Terminology (Source: technet.microsoft.com)
AD FS 2.0 configuration database: A database used to store all configuration data that represents a single AD FS 2.0 instance or Federation Service. This configuration data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008 and Windows Server 2008 R2 or using a Microsoft SQL Server database.
Claim: A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.
Federation Service: A logical instance of AD FS 2.0. A Federation Service can be deployed as a standalone federation server or as a load-balanced federation server farm. You can configure the name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate.
Federation server: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act in the federation server role. A federation server serves as part of a Federation Service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of claims, such as a user's name or role.
• 71. ADFS Terminology - continued (Source: technet.microsoft.com)
Federation server farm: Two or more federation servers in the same network that are configured to act as one Federation Service instance.
Federation server proxy: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federation Service that is located behind a firewall on a corporate network.
Relying party: A Federation Service or application that consumes claims in a particular transaction.
Relying party trust: In the AD FS 2.0 Management snap-in, a relying party trust is a trust object that is created to maintain the relationship with another Federation Service, application, or service (in this case with Google Apps or Salesforce.com) that consumes claims from your organization's Federation Service.
Network load balancer: A dedicated application (such as Network Load Balancing) or hardware device (such as a multilayer switch) used to provide fault tolerance, high availability, and load balancing across multiple nodes. For AD FS 2.0, the cluster DNS name that you create using this NLB must match the Federation Service name that you specified when you deployed your first federation server in your farm.
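The definitions above describe the relying party as the side that consumes claims "in a particular transaction". What that consumption has to check before trusting any claim is worth seeing concretely: the assertion must come from the Federation Service this party trusts, must name this party in its audience restriction, and must be inside its validity window. The following is an added example of that relying-party check in Python; it is not AD FS or Okta code. The assertion is constructed to look like what an AD FS 2.0 Federation Service issues to a relying party trust (the issuer URI form `http://<service name>/adfs/services/trust` is the AD FS default; the host `fs.example.com`, the audience `https://app.example.net/saml` and the user are made up). XML signature verification is a prerequisite that belongs before this function and is not shown.

```python
"""Relying-party side of a claims transaction: accept a SAML 2.0 assertion only if
it was issued by the expected Federation Service, is addressed to this relying
party, and is inside its validity window; then hand back its claims.

Added example, not AD FS or Okta code. Signature verification of the assertion
is assumed to have happened before consume_assertion() is called.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple, Union

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


class ClaimsError(Exception):
    """Raised when an assertion must not be consumed by this relying party."""


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                      now: datetime) -> Dict[str, Union[Tuple[str, str], List[str]]]:
    root = ET.fromstring(xml_text)
    # Issuer must be the Federation Service configured in this party's trust.
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        raise ClaimsError("assertion not issued by the trusted Federation Service")
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        raise ClaimsError("assertion carries no validity window")
    if not (_utc(conditions.get("NotBefore")) <= now < _utc(conditions.get("NotOnOrAfter"))):
        raise ClaimsError("assertion outside its validity window")
    # Audience restriction: a token issued for another relying party is not ours.
    audiences = {(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)}
    if expected_audience not in audiences:
        raise ClaimsError("assertion not addressed to this relying party")
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ClaimsError("assertion has no NameID")
    claims = {"nameid": (name_id.get("Format", ""), name_id.text.strip())}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        claims[attr.get("Name")] = [(v.text or "").strip()
                                    for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return claims


# Constructed sample assertion and the relying party's own expectations (made-up values).
SAMPLE_ISSUER = "http://fs.example.com/adfs/services/trust"
SAMPLE_AUDIENCE = "https://app.example.net/saml"
SAMPLE_NOW = datetime(2013, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_ex1" Version="2.0" IssueInstant="2013-03-01T11:59:50Z">
  <saml:Issuer>http://fs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-03-01T11:55:00Z" NotOnOrAfter="2013-03-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.net/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Employees</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def sample_accept() -> Dict[str, Union[Tuple[str, str], List[str]]]:
    return consume_assertion(SAMPLE_ASSERTION, SAMPLE_ISSUER, SAMPLE_AUDIENCE, SAMPLE_NOW)


def sample_rejections() -> Dict[str, str]:
    """The same assertion refused by another relying party, after expiry, and by a
    party that trusts a different issuer."""
    attempts = {
        "other_rp": (SAMPLE_ISSUER, "https://other.example.net/saml", SAMPLE_NOW),
        "expired": (SAMPLE_ISSUER, SAMPLE_AUDIENCE, SAMPLE_NOW + timedelta(minutes=10)),
        "wrong_issuer": ("http://fs.other.example/adfs/services/trust", SAMPLE_AUDIENCE, SAMPLE_NOW),
    }
    reasons = {}
    for name, (issuer, audience, now) in attempts.items():
        try:
            consume_assertion(SAMPLE_ASSERTION, issuer, audience, now)
            reasons[name] = "accepted"
        except ClaimsError as err:
            reasons[name] = str(err)
    return reasons


if __name__ == "__main__":
    print(sample_accept())
    print(sample_rejections())
```

The audience check is the one most often skipped in hand-rolled relying parties; without it, a token issued for one relying party trust can be replayed against another application behind the same Federation Service.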
• 72. Summary - ADFS Pros and Cons
Pros
-  Just a Windows Server role
-  Flexible SAML, WS-Fed solution
-  Tight AD integration
Cons
-  Difficult to configure
-  Difficult to make production ready
-  Limited application coverage
-  No re-use (must set up for each app)
-  No provisioning
-  No reporting
-  No policy controls
• 73. Solution: Connect AD to the Cloud. How are accounts created? How do users authenticate? How does IT manage these accounts? How are accounts de-provisioned?