Since its introduction with Windows Server 2008, AD FS 2.0 has been Microsoft’s answer to extending enterprise identity beyond the firewall. However, building an identity management solution with the AD FS toolkit has many hidden costs. While AD FS solves some identity challenges for Microsoft’s product family, as is typical from Microsoft, many more gaps exist when attempting to integrate with cloud or mobile applications from other vendors.
Built as a single sign-on toolkit, AD FS requires a significant investment to deploy into production and still doesn’t deliver a full identity management solution. This webinar will discuss the following AD FS hidden costs as well as free alternatives that help avoid them:
- Building out missing features
- Setup & configuration
- Hardware & software
- Availability & reliability
- On-going maintenance
Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
2. Agenda
- Trends in IT → How They Affect Identity
- AD FS Overview, Costs, and Shortcomings
- Okta’s Approach to AD Integration
- Q&A
okta confidential 2
3. What We’ll Show Today
AD FS is Not Free
• Significant server costs
• Setup and configuration efforts
• Ongoing maintenance costs
• No repeatability
• More apps = more costs

AD FS is Not A Complete Solution
• Limited app support
• No provisioning
• No reporting
• No native mobile apps
10. • Service
• Enterprise Grade
• Integrated
• Future Proof
• Easy to Use

“Cloud IAM Has Superior ROI”

“Cloud IAM is the best option; 310% ROI over manual processes, 90% reduction of operations vs. on-prem solutions.”

“By the end of 2015, IDaaS will account for 40% of all new IAM sales”

AD FS 2.0
• HW, SW, Infrastructure
• Services Intense
• Connector Treadmill
• Forklift Upgrades
12. [Diagram: Your Network (Active Directory, user stores, on-prem apps) behind the Firewall; cloud apps out on the Internet. “What to use here?”]
How to connect these cloud apps to Active Directory?
15. AD FS – High Level
[Diagram. Source: technet.microsoft.com]
16. AD FS – High Level
Server Farm?
[Diagram. Source: technet.microsoft.com]
17. Step 1: Deploy Your Federation Server Farm
[Diagram. Source: technet.microsoft.com]
- Dedicated servers behind your corporate network
- Double server count for HA
18. Step 2: Deploy Your Federation Server Proxies
[Diagram. Source: technet.microsoft.com]
- Dedicated proxy servers in your DMZ (!)
- Double server count for HA
19. How Many Servers are We Talking About?
Number of users accessing the cloud service | Minimum number of servers to deploy
1,000 to 15,000 users | 2 dedicated federation servers + 2 dedicated federation server proxies
15,000 to 60,000 users | Between 3 and 5 dedicated federation servers + at least 2 dedicated federation server proxies
Source: technet.microsoft.com
4-7 dedicated servers for one cloud application
Half of these are deployed in your DMZ
20. …we’re not done
[Diagram. Source: technet.microsoft.com]
Even more servers to run the database that holds configuration
22. Don’t forget your Certificates
Certificate type:
- Token-signing certificate
- Service communication certificate
- Token-decryption certificate
Source: technet.microsoft.com
- Separate certificates for each server
- Must be purchased from a CA
- Must be managed and renewed
23. The true costs of AD FS…
[Chart: Year One, Year Two, Year Three, Total; Support & Maintenance; Setup (Time) + Hardware Costs]
$25k - $50k for first app
24. …are costs that grow over time
[Chart: Year One, Year Two, Year Three, Total]
More apps = more cost
28. AD Integration with Okta – 30 minutes or less
[Diagram: Internet | Firewall | Your Network; AD Domain Controller, Okta Agent, https://yourcompany.okta.com]
1. Download AD Agent, install on Windows machine
2. Enter Okta URL and credentials
   • HTTPS from company to Okta
   • No firewall configuration necessary
3. Configure Agent: directory location, credentials
4. Configure import rules
39. It’s Not Just About Cost
AD FS is Not Free
• Significant server costs
• Setup and configuration efforts
• Ongoing maintenance costs
• No repeatability
• More apps = more costs

AD FS is Not A Complete Solution
• Limited app support
• No provisioning
• No reporting
• No native mobile apps
41. [Diagram: All Your Devices (desktop, laptops, tablets, smartphones); All Your People (employees, customers, partners, contractors); Mobile, On Prem, Cloud; On Prem Identity: LDAP]
46. [Same diagram as slide 41]
47. [Same diagram as slide 41]
49. [Same diagram as slide 41]
50. Okta Powered Customer & Partners Portals
Manage identities outside your firewall
[Diagram: Customers and Partners sign in to a Portal (username, password) that fronts Cloud Apps and On Premise Apps]
52. Active Directory Integration with Okta
[Diagram: Remote/Mobile Employees and on-network Employees; Active Directory with Okta Agent(s) behind the Firewall; group “Sales”]
1. Remote users authenticate with AD username and password
2. Local users transparently authenticate using Integrated Windows Authentication
3. Access policies driven by AD security groups
53. Active Directory Integration with Okta
[Same diagram as slide 52]
Easy to Use, Just Works
• Simple agent install, no network configuration required
• Multiple agents supported for High Availability
Broad Functionality
• Real-time Synchronization with AD (no scheduled imports needed)
• Automatic De-Activation in Okta of Disabled/Deleted Users
• Delegate Authentication for Okta to AD
Tight Windows Integration
• Integration into Windows Desktop Login
54. Setting Up AD Integration with Okta
[Diagram: Internet | Firewall | Your Network; AD Domain Controller, Okta Agent, https://yourcompany.okta.com]
1. Download AD Agent, install on Windows machine
2. Enter Okta URL and credentials
   • HTTPS from company to Okta
   • No firewall configuration necessary
3. Configure Agent: directory location, credentials
4. Configure import rules
55. Real Time AD User Synchronization
[Diagram: Internet | Firewall | Your Network; AD Domain Controller, Okta Agent (on Windows Server), https://yourcompany.okta.com]
1. AD Agent dynamically looks for changes in AD, makes HTTPS connection to Okta
2. Okta gets real-time updates, makes user and group changes as needed
3. Users provisioned, de-provisioned, application assignments based on security group membership
56. Delegated Authentication to AD
[Diagram: Internet | Firewall | Your Network; AD Domain Controller, Okta Agent (on Windows Server), https://yourcompany.okta.com; user inside or outside the network]
1. User logs into https://yourcompany.okta.com using Okta username & AD password
2. Okta communicates to AD Agent via persistent connection to validate credentials
3. Agent responds with success or failure
4. Okta returns Cloud App homepage (success) or failure message
57. Desktop SSO
[Diagram: AD Domain Controller and Okta IWA Agent behind the Firewall; steps 1 and 2]
Get To Cloud Apps with NO Login Page
• User logs on to domain
• Can then access Cloud apps with no additional login
Secure: Uses Integrated Windows Authentication (Kerberos)
Easy to deploy: Leverages lightweight agent running under IIS
58. User Provisioning with Active Directory
[Diagram: AD Domain Controller and Okta Agent behind the Firewall]
1. New employees created in Active Directory
2. Applications provisioned centrally through Okta
3. Okta login using AD credentials. Immediate SSO access to apps
60. [Same diagram as slide 41]
61. [Same diagram as slide 41]
Increase Productivity
Reduce IT Costs
Strengthen Security
62. 3,300 users | 100 apps
“Cloud IAM is the best option, providing 310% ROI over manual processes”
- Forrester Research, October 2012
> $10M savings
65. Modern Identity Management
• First true Cloud IAM service
• Full suite of IAM features (SSO, provisioning, analytics)
• Bridges existing user stores (AD / LDAP) to the cloud
• Connects to legacy on-prem IAM software
Dedicated Support
• 24 / 7 / 365 Premier Support Team
• SmartStart Professional Services Team
• Training and Education Team
Veteran Team
“Okta is the gold standard of companies we’ve worked with.”
“Okta makes our problems their own and it’s why we can rely on them to make us successful.”
66. What We Covered
AD FS is Not Free
• Significant server costs
• Setup and configuration efforts
• Ongoing maintenance costs
• No repeatability
• More apps = more costs

AD FS is Not A Complete Solution
• Limited app support
• No provisioning
• No reporting
• No native mobile apps
67. [Comparison table; columns: Okta, AD FS]
Cloud Service, Built in HA
 Okta:
 • 100% Multi-Tenant, Fully Managed
 • Always On
 • Features and Capacity On Demand
 • No changes required to AD infrastructure
 AD FS:
 • You install, configure & manage
 • Redundancy for HA = more HW
 • Must maintain as apps change
Access Management
 Okta:
 • Control who has access to which app
 • Easily map different username formats
 • Quickly import, match, rollout
 AD FS:
 • Create & manage custom attributes
 • Every app may require changes
 • No concept of user import, matching
User Provisioning, De-Provisioning
 Okta:
 • Easily add/remove users and access
 • Drive directly from AD, security groups
 • Pre-integrated with your applications
 AD FS:
 • None
Logging & Reporting
 Okta:
 • Better visibility into access and usage
 • Easy to access from Okta admin UI
 AD FS:
 • None
Application Integrations
 Okta:
 • 1,500+ Pre-integrated apps
 • No engineering to configure, maintain
 • SSO with any app, not just SAML
 • User Mgmt integrations
 AD FS:
 • You build, maintain every integration
 • Only supports SAML, WS-*
 • Only single sign-on
68. Getting Started with Okta
- Download the AD FS whitepaper
- Start a free trial of Okta for unlimited apps
- Use Okta for free for one app
70. ADFS Terminology
AD FS 2.0 term | Definition

AD FS 2.0 configuration database | A database used to store all configuration data that represents a single AD FS 2.0 instance or Federation Service. This configuration data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008 and Windows Server 2008 R2 or using a Microsoft SQL Server database.

Claim | A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.

Federation Service | A logical instance of AD FS 2.0. A Federation Service can be deployed as a standalone federation server or as a load-balanced federation server farm. You can configure the name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate.

Federation server | A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act in the federation server role. A federation server serves as part of a Federation Service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of claims, such as a user's name or role.

Source: technet.microsoft.com
71. ADFS Terminology - continued
AD FS 2.0 term | Definition

Federation server farm | Two or more federation servers in the same network that are configured to act as one Federation Service instance.

Federation server proxy | A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federation Service that is located behind a firewall on a corporate network.

Relying party | A Federation Service or application that consumes claims in a particular transaction.

Relying party trust | In the AD FS 2.0 Management snap-in, a relying party trust is a trust object that is created to maintain the relationship with another Federation Service, application, or service (in this case with Google Apps or Salesforce.com) that consumes claims from your organization’s Federation Service.

Network load balancer | A dedicated application (such as Network Load Balancing) or hardware device (such as a multilayer switch) used to provide fault tolerance, high availability, and load balancing across multiple nodes. For AD FS 2.0, the cluster DNS name that you create using this NLB must match the Federation Service name that you specified when you deployed your first federation server in your farm.

Source: technet.microsoft.com
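The glossary on slides 70 and 71 describes a security token as a collection of claims issued by a Federation Service (the claims provider) and consumed by a relying party. The following is an added example, not code from the deck, from Microsoft, or from Okta, showing what a relying party actually checks before it trusts the claims in a SAML 2.0 assertion: that the issuer is the Federation Service it has a trust with, that the token is addressed to this relying party (audience), that the validity window has not lapsed, and only then that a group claim grants access. The issuer URL, audience, user and group values are constructed; the claim type URIs are the standard identity-claim namespaces. Signature verification against the issuer's token-signing certificate (XML-DSig) is assumed to have been done by a SAML library before this step and is not repeated here.

```python
"""Relying-party-side validation and claim extraction for a SAML 2.0 assertion.

Added example (not from the slides, Microsoft, or Okta). The issuer
fs.example.com, the audience app.example.net and the user data are constructed.
XML signature verification is assumed to have already succeeded.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Standard claim type URIs (the "Name" of each SAML Attribute as AD FS emits them).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# What this relying party is configured to trust (constructed values).
EXPECTED_ISSUER = "http://fs.example.com/adfs/services/trust"
EXPECTED_AUDIENCE = "https://app.example.net/"

# Constructed sample token: the claims a hypothetical Federation Service issued
# for one user. The ds:Signature element is omitted (verified earlier, see above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2013-01-01T12:00:00Z">
  <saml:Issuer>http://fs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-01-01T11:55:00Z" NotOnOrAfter="2013-01-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.net/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Employees</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


class ClaimsError(ValueError):
    """Raised when the assertion must not be trusted by this relying party."""


def _parse_utc(stamp):
    """SAML timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion):
    """Return {claim type URI: [values]} from the AttributeStatement."""
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Check issuer, validity window and audience; return the claims if all pass."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        raise ClaimsError("not a SAML 2.0 Assertion")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise ClaimsError("unexpected issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ClaimsError("assertion has no usable validity window")
    if not (_parse_utc(cond.get("NotBefore")) <= now < _parse_utc(cond.get("NotOnOrAfter"))):
        raise ClaimsError("assertion outside its validity window")
    audiences = [(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ClaimsError("assertion not addressed to this relying party")
    return extract_claims(root)


def accept(xml_text, now_utc, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Wrapper for callers: claims dict on success, None when the token is rejected.

    now_utc is an ISO 8601 UTC string such as "2013-01-01T12:30:00Z".
    """
    try:
        return validate_assertion(xml_text, issuer, audience, _parse_utc(now_utc))
    except ClaimsError:
        return None


def authorize(claims, required_group):
    """Access decision driven by a group claim, as in AD-group-based policies."""
    return required_group in claims.get(GROUP_CLAIM, [])


if __name__ == "__main__":
    claims = accept(SAMPLE_ASSERTION, "2013-01-01T12:30:00Z")
    print("claims:", claims)
    print("Sales member:", authorize(claims, "Sales"))
    print("late token accepted:", accept(SAMPLE_ASSERTION, "2013-01-01T14:00:00Z") is not None)
```

The order of checks mirrors the trust relationships in the glossary: the relying party trust pins the issuer, the audience restriction stops a token minted for Google Apps or Salesforce.com from being replayed against a different application, and the validity window bounds how long a captured token is useful. Everything in the claims dictionary is only as trustworthy as the signature check that precedes these steps.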
72. Summary – ADFS Pros and Cons
Pros
• Just a Windows Server Role
• Flexible SAML, WS-FED solution
• Tight AD integration
Cons
• Difficult to configure
• Difficult to make production ready
• Limited application coverage
• No re-use (must set up for each app)
• No provisioning
• No reporting
• No policy controls
73. Solution: Connect AD to the Cloud
- How are accounts created?
- How do users authenticate?
- How does IT manage these accounts?
- How are accounts de-provisioned?