Single Sign-On (SSO) can be achieved in multiple ways. In this blog, I will go over some of the most popular ways to achieve SSO. The four most popular ways users typically use SSO are: Active Directory Federation Services (ADFS), DirSync (with Password Sync), Forefront Identity Manager (FIM) and Enterprise Mobility Suite (EMS). As with most things in life, there are certain advantages and disadvantages to each of these, and usually there are one or two options that fit each need best. Today, I will give a brief description of each and provide you with some of the benefits and drawbacks of each solution.
ADFS with federated login provides what is referred to as true Single Sign-On with Office 365. I point this out because other SSO options, like DirSync with Password Sync, only provide Same Sign-On. Same Sign-On means that the user will be prompted to re-enter their credentials when accessing Office 365, even though those credentials are the same as the ones they used on-premises.
DirSync with Password Sync
As mentioned above, DirSync with Password Sync provides Same Sign-On, where the user must re-enter their credentials even though they are the same. Since ADFS is not deployed in this scenario, DirSync is responsible for periodically synchronizing user profiles to Office 365; thus, there is no need to manually create users in the cloud directory.
Forefront Identity Manager (FIM), also known as Microsoft Identity Manager, uses Microsoft Enterprise Single Sign-On (ESSO) to provide an encrypted store for the secondary credentials that a user may have to present to an application in order to be authenticated and authorized by that application. Additionally, FIM helps your organization ensure that users have appropriate access to corporate information regardless of where that information is located, whether in your datacenter or in the cloud. FIM does this by providing self-service identity management, automated lifecycle management across heterogeneous platforms, a rich policy framework for enforcing security policies, and detailed audit capabilities.
Microsoft’s Enterprise Mobility Suite (EMS) centrally manages identities across your datacenter and the cloud, providing secure single sign-on to all of your applications. This is a cloud-based identity and access management solution on Azure Active Directory.
Active Directory Federation Services
Advantages:
• Users logged in to a domain-joined machine do not have to re-enter their password when signing in to Office 365
• Allows for Client Access Filtering (good for limiting access by remote or off-hour users)
• No password hashes are synced to the cloud; all authentication is managed on-premises
• Immediately block user access (e.g. when users leave the company)
• Support for multi-factor authentication
Disadvantages:
• Additional infrastructure required
• Multiple points of failure
• An SSL certificate from a public CA is needed and requires renewal

DirSync with Password Sync
Advantages:
• Easier and faster to implement and configure
• Secure password hash-sync feature so that users don't have to enter a separate password
Disadvantages:
• Automatic DirSync syncs occur every three hours, so an on-premises change such as disabling a user is not reflected in the cloud until the next sync; possible security-access issues
• Does not provide true "Single Sign-On"

Forefront Identity Manager
Advantages:
• End-user password reset
• Common identity between applications and heterogeneous platforms
Disadvantages:
• Custom solution; often complex and costly
• Additional infrastructure required; ADFS is no longer required, since Azure AD Sync Services can be used instead

Enterprise Mobility Suite
Advantages:
• Create and manage a single identity across your hybrid enterprise, keeping users, groups and devices in sync
• Enable application-access security by enforcing rules-based Multi-Factor Authentication for both on-premises and cloud applications
• Self-service password reset and application access requests
• Secure remote access to on-premises web apps
• Greater security for mobile devices
• Highly available
Disadvantages:
• Cost of the individual options within the Enterprise Mobility Suite