For over a decade, Microsoft has offered ADFS as the answer to extending enterprise identity beyond the firewall. And thousands of organizations still deploy and use it – a fact that has left many puzzled (ourselves included). In an age of cloud services, rapid innovation cycles and more choices than ever, why aren't ADFS's days numbered?
We took it upon ourselves to speak with others in the industry and examine why.
It's a Popular Choice: Today, upwards of 90 percent of organizations still use Active Directory. Even as those businesses transition to cloud or hybrid environments, many use ADFS so that authentication ties back directly to the existing policies and user status managed in AD. But as many have learned, just because it's a popular choice doesn't mean it's a good one – nor the best one for your business. For example, when Post Holdings first moved to the cloud and Office 365, it took the "traditional approach" of using DirSync and ADFS with the promise of a seamless transition away from on-prem. However, Post Holdings had also just completed a series of rapid acquisitions, and quickly ran into the challenge of onboarding and managing hundreds of new users. "We had to look elsewhere to help us manage the problem," noted Larry Woods, infrastructure solutions architect at Post Holdings.
It's Scalable: ADFS has a scalable architecture that lets you add more servers, behind load balancers, to handle more authentications. Add more servers and you can also configure high availability. This lets ADFS handle thousands of users, which attracts large organizations and ones that plan to grow. But that scalability comes at a price: every additional server is more software to deploy, patch and manage over time, and a federation tier that is out of date or misconfigured is a security exposure as well as an availability risk. Bazaarvoice's Justin Reneau explained, "Our first ADFS outage made us quickly learn a lot about what we didn't want to learn about. It's a platform that has a lot of scalability constraints and requires a large amount of wasted time troubleshooting issues."
It's User-Friendly: Many say ADFS helps create a seamless end user experience. Once logged into their AD domain with a single username and password, employees get right into all corporate on-premises and cloud apps from their desktops. But that's only true while the system is up and running properly. Many companies don't have the resources or expertise to implement ADFS without skipping critical steps, which leaves them with a constant risk of downtime – the ultimate user buzzkill. As Jeff Janovich, Microsoft software analyst at Carlisle Construction Materials, has noted, "As we tried to move our internal user data, we realized that ADFS was not the right solution because of the significant amount of resources required to properly run it."
It's Free: Technically, ADFS is free, with no additional licensing charges if you're already paying for Windows Server 2012. For businesses that don't want to purchase yet another federation product, ADFS seems to make financial sense. However, many Okta customers have shared that setting up on-premises SSO servers for high availability and access outside the firewall has several costs to consider:
It's Fast: Even if you can minimize the cost of deploying all those servers for scale and high availability, there's another big opportunity cost: the time it takes to get things up and running. Among Okta customers, we've found it can take six months or more to properly and securely configure ADFS for federation of Office 365 back to Active Directory. Okta can be connected to your on-prem Active Directory and set up for your Office 365 tenant in less than an hour, and is built to be secure without additional configuration work on your part. For instance, Adobe was able to deploy Okta for Office 365 for 25,000 employees within three weeks.
While ADFS, when properly configured and maintained, provides a secure, integrated user experience for connecting AD to the cloud, it also presents many maintenance challenges for IT – not to mention an often significant obstacle for organizations, including Seton Hall University, as they attempt to migrate to cloud services like Office 365.
For now, it appears ADFS is far from dead. But as we've said before, the more you investigate ADFS, the more you might be interested in our favorite alternative: Okta.