Considering AD FS for SSO? Here’s What CISOs Should Know

11
[ This article was originally published here ]

CISO
As a CISO or IT professional, you may be considering Microsoft AD FS as a solution to simplify access to multiple applications. AD FS helps reduce the log on burden for end users by providing single sign on to applications or cloud services in an organization. However, AD FS may not ultimately be sufficient for all your SSO and Cloud Access Management needs. In this regard, there are several points that CISOs may want to take into account when assessing the optimal solution for their access management needs.

#1 Cost
How do you calculate the total hard and soft costs of a solution?
You can download AD FS free of charge as a toolkit in the Windows Server Operating System, and it can be a convenient first attempt at Single Sign On. However AD FS comprises both hard and soft costs including license fees and infrastructure vs. investment in time and personnel for ongoing operations. Unlike AD FS, which is an on-premises solution, a Cloud SSO service eliminates costs relating to initial and ongoing infrastructure investments as well as costs relating to hardware and software compatibility, high availability, redundancy and security patching.

#2 (Limited) Automation of SSO administration
What workflow automation does it offer for integrating new apps?
The more manual and unfriendly the UI of a solution, the more time consuming and complex it’ll be for the solution administrator to set up and maintain the service. If you have the time to spare, AD FS may be your answer. However, note that with AD FS, claims rules need to be manually defined for each application set up as a relying party trust.

#3 Supported 2FA methods
Multi-factor authentication is a key component in SSO and Access Management and helps enable trust elevation, conditional access and appropriate risk mitigation for various access scenarios. AD FS authenticates using Windows credentials (username and password). Multi-factor solutions such as OTP Push, OTP apps and PKI-based smart cards would have to be purchased and integrated separately.

#4 SLA and Redundancy
Cloud-based access management services may offer a higher uptime for SSO, MFA and access management solutions then your own in-house team. In contrast, on-premises solutions may offer lower uptime due to potential operational issues, expensive and time-consuming updates, maintenance and on-site troubleshooting. When considering this aspect, note that AD FS requires two additional servers for high availability on top of the AD FS server and AD FS proxy, and one DirSync server for connecting to Office 365.

#5 Regular SSO vs. Smart SSO
Microsoft AD FS provides basic single sign on capabilities for cloud and web-based apps with the use of static passwords. While basic SSO simplifies the user experience, it also poses a security risk: If the credentials (user name and password) used universally to log into all apps is stolen or compromised – all apps will inevitably be at risk. The way to overcome the general challenge of a buffet style SSO solution is to use a cloud access management solution that offers Smart SSO. Smart SSO implements conditional access as defined by the access policy, and requires step up to stronger methods of authentication only when needed

Discover where Gemalto SafeNet Trusted Access can complement or substitute Microsoft AD FS to best meet your business and security needs. Watch How to Set up an Identity Provider for Single Sign-On in Minutes, or download the White Paper: Before you Choose AD FS: 5 Considerations in Assessing an SSO Solution.