Implementing Single Sign On

22 Aug 2015 09:37 AM By Gary Bromley

Things, as in the Internet of Things, are looking up for organisations that are trying to extend their employees' federated access to Office 365 and other cloud-based services such as Box, Google and Salesforce.

Microsoft offers ADFS as a means to federate user access across systems and applications, and across domains inside and outside the firewall.

Although the ADFS solution works, it is commonly reported to be rather complex to set up and to have a large infrastructure footprint: it requires an "AD Server Farm" hosted on dedicated servers behind the firewall, as well as a set of proxy servers in the DMZ. The number of servers required multiplies with the number of users and domains across the organisation, and non-functional requirements such as high availability and fail-over add further servers on top of that.

When it comes to the total cost of ownership, the cost and complexity of an ADFS-based solution grow significantly over time. As more web applications are added to the solution, the amount of customisation effort required for integration increases, and this effort is costly. Typical operating expenses include the purchase of a separate certificate for each server from a Certification Authority. Each certificate then has to be managed and renewed before it expires in order to maintain operational continuity.

Furthermore, 365Command reports that "ADFS keeps a dependency on the integrity and availability of systems within the on-premises environment in order to sustain connectivity/communication with your email/messaging environment."

So how, then, are "Things" looking up?

Identity as a Service (IDaaS) is the answer. For example, Okta offers a simple-to-deploy, low-cost, cloud-based solution that lets users seamlessly access (i.e. without being prompted for their credentials multiple times) and work with their Office applications and Office 365 from their desktops, smartphones and other mobile devices.

The solution uses an Okta agent running on a web server behind the firewall with read-only access to Active Directory (AD). Conveniently, the AD agent does not require any changes to the firewall. In addition to providing federated access, Okta automates user provisioning and profile synchronisation between AD and Office 365. This means that new users are created in AD, applications are provisioned, accounts are created and profiles are synchronised, all using the same AD agent and Okta service. As a result, end users get seamless and consistent access to their web applications from their home page.

This is not quite the case with ADFS- and DirSync-based solutions, where access federation and user profile synchronisation each require their own solution environment. DirSync for Office 365 is an application deployed on premises that synchronises the add, delete and modify operations performed on users, groups and accounts in AD to Office 365. DirSync currently only works for a single domain.

The good news is that implementing a cloud-based Single Sign On solution using open standards aligns information security access control with business agility and productivity.