The Benefits of Migrating from ADFS to Okta

Many enterprises today are looking to implement a single sign-on (SSO) so their users can easily access all of their cloud and web applications without authenticating to each application individually. They conclude that the solution for single sign-on from Active Directory is Active Directory Federation Services (ADFS)—simply because they are both Microsoft products. But not all Active Directory integration solutions are created equal. IT departments should consider all aspects of implementation, including costs of setup, ongoing support, and hardware. Read this white paper to discover the hallmarks of a successful Active Directory integration and SSO deployment, and the benefits of migrating from on-premises ADFS to Okta’s comprehensive, 100% cloud-based identity and access management service.

 

Challenges of Single Sign-On Deployments

The adoption rate of cloud applications has been dramatic in recent years. Cloud applications like Salesforce.com, Box, and Office 365 are being deployed across the enterprise. As a result, many organisations have either devised policies for cloud applications or are looking to do so in the near future.

Many enterprises today are looking to implement a single sign-on (SSO) so their users can easily access all of their cloud and web applications without authenticating to each application individually. They want to connect all of their cloud applications back to a single source of truth, which in many cases is Microsoft Active Directory. Many companies conclude that the solution for single sign-on from Active Directory is Active Directory Federation Services (ADFS)—simply because they are both Microsoft products.

But not all Active Directory integration solutions are created equal. IT departments considering ADFS should examine all aspects of implementing it for SSO. While the license for ADFS is free, there are several hidden costs associated with ADFS such as setup, ongoing support, and hardware. They should also consider what constitutes a complete identity management solution, including provisioning, contextual access management for mobile devices, centralised reporting and pre-integrated support for the thousands of applications that today’s companies are using.

This white paper will discuss the hallmarks of a successful Active Directory integration and SSO deployment, and will highlight the benefits of migrating from on-premises ADFS to Okta’s comprehensive, 100% cloud-based service.

Key Elements of a Successful SSO Solution

There are many things to consider when investigating how to implement single sign-on. It is helpful to focus on a few key elements to ensure success. Many of these elements may seem to be insignificant at first, but can become major frustrations later on as companies grow and adopt more applications.​

Active Directory Integration
If your organisation uses Active Directory, your SSO solution must let you leverage that investment, and keep cloud applications that support SSO synchronised with Active Directory.

Application Integrations and Support
The ability to support all of your applications, both today and in the future, should always be considered when looking at a company-wide solution. There may be one or two cloud applications to integrate today, but what is your company’s longer-term strategy? As your applications scale, they may have different configuration requirements that change over time, requiring an IT admin to stay on top of individual apps. The labour and setup associated with each application can become a drain on both employees and IT budgets.

High Availability 
Any downtime associated with your SSO deployment means downtime for your users. This downtime may be planned, but it may also be unexpected. An SSO service and associated support must be agile enough to remain up and running, even when the provider changes application configurations. Any downtime—whether caused by your servers or changes to the application—lowers productivity for end users and the business as a whole.

Provisioning of Users and Cloud Apps
Provisioning entails creating, updating, and removing access to an application or other resources. On average, it takes an IT admin 30 minutes to process each provisioning or deprovisioning request. And that doesn’t include all of the help desk calls for password resets and configuring employees on all their devices. By automating provisioning and user lifecycle management, management can save IT and other departments’ valuable time and unnecessary frustration.

Contextual Access Management with Mobile Devices
Mobile might be the next thing to propel your team to new levels of productivity, but solving the security question is holding you back. Your SSO solution should integrate with whatever mobile device management (MDM) solution you already use. It should be configurable with policies to prevent unmanaged devices from accessing your applications and data. And it should also support multi-factor authentication using mobile devices and other factors, to increase security.

Efficient Domain Consolidation
When mergers and acquisitions bring different companies and their resources together, consolidating domains, tools, and approaches to security can be a challenge. A modern, cloud-based approach to SSO can speed up and simplify this process.

Logging and Reporting
Many regulatory agencies (e.g. SOX, HIPAA) require audit trails for users, including visibility into what applications and systems employees have (or had) access to. IT departments need to provide details around application deprovisioning for departing employees. The ideal SSO solution should be able to gather usage information for IT admins to quickly meet necessary company and industry reporting requirements.

Using Active Directory Federation Services as an SSO Solution

Customers look to Microsoft Active Directory Federation Services (ADFS) to extend identity from Active Directory to cloud applications outside of the firewall. ADFS is a “free” solution, but requires multiple hardware components, additional Microsoft software, and extensive configuration and maintenance. Organisations using ADFS for SSO face complex configuration requirements and dependency on other resources to meet the minimum requirements for an SSO solution.

ADFS Components

When considering using ADFS for SSO needs, it’s important to understand all the underlying components. Three things comprise ADFS itself: the ADFS Server, the Federation Service Proxy installed between the ADFS server farm and external applications,