For nearly a decade now, enterprise customers using Active Directory Federation Services (AD FS) for Office 365 user authentication have needed on-premises servers (normally 4 servers) to deliver a solution. As many of you will already know, at one stage this was the only way to deliver Single Sign-On (SSO). However, with the increasing need for seamless SSO to cloud-based applications, organisations are now looking for alternative authentication solutions that are not reliant on federated identity or tied to an on-premises Active Directory, with all the associated costs.
Is it time to look at an Azure SSO and Pass-Through Authentication (PTA) alternative?
PTA is relatively new. It lets users sign in to Office 365 over the internet while the authentication request is still sent to an on-premises AD domain controller: the user completes the sign-in form in Azure, but the ID and password are validated by AD after passing through the Azure AD Connect server.
Alongside PTA, Microsoft have also developed a new “seamless single sign-on”, which allows Azure to accept a Kerberos ticket for authentication. This means that a user who signs in on-premises and then tries to access Office 365 can be authenticated with that Kerberos ticket, for a simple and secure solution with less infrastructure.
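The two mechanisms above leave an administrator with a few things worth checking: whether each domain is still federated or has moved to the managed (PTA) model, whether Seamless SSO is actually enabled, and how old the Kerberos key that makes Seamless SSO work has become. The script below is an added example, not code from the original post or from Microsoft; it is meant to be run on the Azure AD Connect server with the MSOnline and ActiveDirectory modules available (the AzureADSSO module ships with Azure AD Connect). The function names and the `$MaxKeyAgeDays` variable are this example's own; the 30-day rollover interval follows Microsoft's published guidance for the AZUREADSSOACC account.

```powershell
# Added example (not from the original post): health check for a PTA + Seamless SSO
# deployment, intended to run from the Azure AD Connect server.
# Assumed: MSOnline and ActiveDirectory modules installed; the AzureADSSO module
# is taken from the default Azure AD Connect install path.

$MaxKeyAgeDays = 30   # Microsoft's guidance: roll the Seamless SSO key at least every 30 days

function Get-DomainAuthenticationMode {
    # Reports, per domain, whether sign-in is still Federated (AD FS) or Managed
    # (the Azure sign-in form, with credentials validated by PTA or password hash sync).
    Connect-MsolService
    Get-MsolDomain | Select-Object Name, Authentication
}

function Get-SeamlessSsoState {
    # Seamless SSO status as Azure AD records it for the forest(s) it knows about.
    Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    New-AzureADSSOAuthenticationContext   # prompts for a Global Administrator account
    Get-AzureADSSOStatus | ConvertFrom-Json
}

function Test-SeamlessSsoKeyAge {
    param([int]$MaxAgeDays = $MaxKeyAgeDays)
    # Seamless SSO works because Azure AD holds the Kerberos key of the AZUREADSSOACC
    # computer account that Azure AD Connect creates in the forest. The key does not
    # rotate on its own, so its age is the control to watch: a stale key that leaks
    # would let forged tickets be accepted until it is rolled.
    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
    $age  = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Account         = $acct.Name
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = [int]$age.TotalDays
        NeedsRollover   = $age.TotalDays -gt $MaxAgeDays
    }
}

function Invoke-SeamlessSsoKeyRollover {
    # Rolls the Kerberos decryption key for the forest; Azure AD and on-premises AD
    # are updated together, so users keep working without re-registration.
    param([Parameter(Mandatory)][pscredential]$OnPremCredentials)
    New-AzureADSSOAuthenticationContext
    Update-AzureADSSOForest -OnPremCredentials $OnPremCredentials
}

# Usage
Get-DomainAuthenticationMode | Format-Table -AutoSize
Get-SeamlessSsoState
$keyCheck = Test-SeamlessSsoKeyAge
$keyCheck
if ($keyCheck.NeedsRollover) {
    $creds = Get-Credential -Message 'Domain Administrator (DOMAIN\username)'
    Invoke-SeamlessSsoKeyRollover -OnPremCredentials $creds
}
```

The domain check is the quickest way to confirm a migration actually completed: a domain still reporting `Federated` is still sending users to AD FS regardless of what Azure AD Connect is configured to do. The key-age check is the one item that tends to be forgotten once Seamless SSO is working, because nothing visibly breaks when the key goes stale.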
Making the decision
So, Azure Seamless SSO and PTA remove the requirement for the AD FS infrastructure and reduce the time taken to authenticate, which is especially useful for those looking to improve login times for cloud applications.
As we know, every organisation is different. Before you make the leap to Azure SSO, I’d recommend taking a closer look at your objectives around time. Is improving the time it takes to authenticate important to you? What about the time it takes to build the required infrastructure, to deliver the project and to maintain it? Clearly, you have to consider existing infrastructure and security concerns, but if you are looking for the least deployment effort, then a project that looks complex to manage or expensive to run is probably best avoided.
The team at Microsoft have written a useful article on how to move your organisation’s domains from Active Directory Federation Services (AD FS) to pass-through authentication. Read it here or use the following link to download it.
Have some questions about moving from AD FS? You could start with the Microsoft FAQ page or get in touch and I’d be happy to share my experiences so far.