Why Choose Okta vs. ADFS?
You’re moving to Microsoft 365 (formerly known as Office 365) from your existing on-premises solution and you want to minimize impact on users while keeping a strong security posture. This usually means leveraging single sign-on (SSO) and multi-factor authentication (MFA). You also want authentication directly tied back to existing user accounts in Active Directory to minimize disruption while users move to the cloud. Maybe it seems obvious to consider Microsoft ADFS for SSO with a user’s AD account—no need to reenter a password to access Microsoft 365, and any user logged into their AD domain will get right in. And all authentication happens directly against your on-premises Active Directory. Sounds great, right?
Unfortunately ADFS was designed for the old world of on-premises-first IT solutions. IT professionals today are looking to the cloud for SSO and MFA. Okta is the industry-leading cloud alternative to ADFS. Here are the top three reasons to use Okta instead of Microsoft ADFS.
Low Total Cost of Ownership
IT solutions are moving to the cloud because of lower cost of ownership. Skip running on-premises infrastructure, and you’ll spend a lot less money on hardware and maintenance. And you’ll also reduce time and resources ensuring you are on the latest software versions. Consider these costs, the minimum for a company regardless of size, to implement ADFS servers for high availability and access outside the firewall:
| Item | Cost |
|---|---|
|
Hardware (4 servers minimum) |
$20K |
|
Initial configuration and setup |
$50K |
|
Integration to Office 365 |
$20K |
|
Total year-one implementation cost |
$110K |
|
Hardware maintenance |
$3K/year |
|
Updates to OS, certificates, software patches |
$10K/year |
|
Total Yearly Maintenance Cost |
$13K/year |
ADFS requires not just multiple servers, but also duplicate environments for staging and testing. Don’t forget you’ll typically need load balancers fronting your ADFS servers if you want to ensure high availability. These costs increase with additional integrations, including ongoing hardware maintenance costs ranging from 200-1,000+ hours per year as servers, integrations and complexity grow. And the environment gets even more complicated if you are attempting to allow B2B access for partners and vendors.
Okta’s innovation surpasses ADFS in connecting the cloud back to Active Directory for user provisioning and delegated authentication. With a modern, lightweight agent architecture, Okta supports your existing on-premises directories with the existing Windows machines you’ve already deployed. There’s no need for dedicated servers and no firewall changes. High availability is simple—just install multiple Okta AD agents across servers inside your Active Directory domain, and Okta automatically handles load balancing and failover.
Do you have multiple disconnected Active Directory forests? Not a problem with Okta. There’s no need for expensive domain consolidation or complex corporate network connectivity. Just deploy a few Okta agents in each network where the domains and forests live, and you can connect many Active Directory environments in a matter of hours.
With Okta’s lightweight agent, you minimize your on-premises footprint as you move to the cloud. Zero servers and on-premises software to deploy, update, and manage means lower TCO.
Faster Deployment
It can take months to properly and securely configure ADFS for federation of Microsoft 365 to your Active Directory. ADFS is not user- or IT-administrator-friendly, and requires complex configuration that must be version controlled and heavily tested. IT professionals are often wary of making changes once ADFS is fully deployed, slowing down updates that reflect changes in your business. If your Active Directory domains are not connected, you’ll have to deploy multiple ADFS environments, further complicating and extending the timeline to your cloud migration. Also, ADFS only handles authentication, so you must also deploy other Microsoft software to provision and synchronize identities into your Microsoft 365 tenant. Depending on the complexity of your environment, this additional software can double the time to fully migrate your users to Microsoft 365.
In comparison, Okta can be connected to your on-prem Active Directory and set up for your Microsoft 365 tenant in less than an hour, and it’s built to be secure, with zero impact to your administrators. Adobe deployed Okta for Microsoft 365 for 25,000 employees and went live in three weeks. Seton Hall University went live with Okta and Microsoft 365 for 32,000 staff and students within four weeks.
Solves Complex Active Directory or Microsoft 365 Environments
Has your Active Directory environment become complex over time? Has your IT department inherited multiple AD forests and domains? Are username formats different across domains? Are you trying to standardize on a single email domain as part of your Microsoft 365 migration?
These sorts of challenges can be complex to solve with ADFS and the Azure AD Connect/Microsoft Identity Manager tools provided by Microsoft. However, these tools come at the cost of extra on-premises servers and increased long term maintenance of legacy tools. The more complexity in your environment, the greater the costs and timeframes the Microsoft tools will incur.
When Okta looked at these challenges, we decided to totally reinvent how to connect legacy directories like Active Directory to the cloud. A single Okta tenant can be used for multiple Active Directory domains all into a single Microsoft 365 tenant. Okta customers have connected over 100 (yes, this isn’t a typo) Active Directory domains to the cloud. This level of connectivity would be cost prohibitive with ADFS.
Because Okta can connect Active Directory quickly and securely, you can avoid having to do expensive and difficult Active Directory cleanup projects. You can leave the messy, legacy schema and username choices alone and let Okta clean up the data as it is synchronized with the Okta Universal Directory. Using a powerful expression language and intuitive IT admin processes, Okta accommodates all the nuances of your aging Active Directory accounts. Using Okta can actually accelerate your Microsoft 365 migration timeline.
Make Identity More Powerful in the Cloud
When looking at your existing IT requirements, and deciding where you’ll save the most by migrating services to the cloud, identity is a clear winner. Nothing is more important to your business than ensuring employees have timely and secure access to the resources they need to do work. More and more of these resources are delivered as software as a service (SaaS) in the cloud, and more employees are working remotely from non-corporate devices. Allowing access to these applications from anywhere is critical to maintaining business continuity.
Moving your identity into the cloud comes with numerous benefits. The first, as we detailed earlier, is the significant reduction in on-premises footprint. Okta only requires you install and maintain lightweight agents inside your corporate network to allow for connectivity to your existing user directories. Integrating across your IT landscape becomes as simple as searching the Okta Integration Network and following instructions. (For Microsoft 365, it’s even easier—just authenticate to Microsoft 365 and we do everything automatically).
When maintaining your own ADFS farms, you need to stay vigilant for attacks to your infrastructure, and unfailingly keeping servers, firewalls, and ADFS software all up to date to ensure no vulnerabilities can expose you. With Okta, all these worries disappear as we maintain the entire service for you. In addition, because we host so many customers on our large-scale, multi-tenant service, we learn from and address security issues at a depth and your IT team doesn’t need to work doing these costly mundane tasks.
Finally, once you’ve migrated your identities to the cloud, you can start reducing your dependency on your existing on-premises Active Directory. As applications move to the cloud, Active Directory matters less, and it’s possible to start retiring domains. Even when you have on-premises applications that may never move to the cloud, Okta has you covered. Our Okta Access Gateway provides the ability to connect cloud users back to on-premises applications.
Learn more about how you can use Okta instead of ADFS on okta.com.
About Okta
Okta is the leading independent provider of identity for the enterprise. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time. With over 6,500 pre-built integrations to applications and infrastructure providers, Okta customers can easily and securely use the best technologies for their business. Over 8,950 organizations, including JetBlue, Nordstrom, Slack, Teach for America and Twilio, trust Okta to help protect the identities of their workforces and customers. Learn more at www.okta.com.
