Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)

Agenda
-  Trends in IT à How They Affect Identity
-  AD FS Overview, Costs, and Shortcomings
-  Okta’s Approach to AD Integration
-  Q&A
okta confidential 2

What We’ll Show Today
okta confidential 3
•  Significant server costs
•  Setup and configuration efforts
•  Ongoing maintenance costs
•  No repeatability
•  more apps = more costs
AD FS is Not Free
•  Limited app support
•  No provisioning
•  No reporting
•  No native mobile apps
AD FS is Not A Complete Solution

Applications
Devices
People
Identity

Applications
Devices
People
+
Custom,
+
Cloud,
+
Mobile

Applications Devices
People
+
iPhone,
Android,
+
iPad

+
Remote,
+
Partners,
+
Customers

Identity

Pain for IT
Time consuming
user provisioning

•  Service
•  Enterprise Grade
•  Integrated
•  Future Proof
•  Easy to Use
“Cloud
IAM
Has
Superior
ROI”

“Cloud
IAM
is
the
best
op9on;
310%
ROI
over
manual

processes,
90%
reduc9on
of
opera9ons
vs.
on-‐prem
solu9ons.”

“By the end of 2015, IDaaS will account
for 40% of all new IAM sales”

•  HW, SW, Infrastructure
•  Services Intense
•  Connector Treadmill
•  Forklift Upgrades
AD
FS
2.0

AD FS Overview
okta confidential 11

Your Network
Firewall
Internet
Active
Directory
User
storeUser
store
On-prem Apps
What to
Use Here?
How to connect these cloud apps
to Active Directory?

AD FS – High Level
15
Source: technet.microsoft.com

AD FS – High Level
Server Farm?

Step 1: Deploy Your Federation Server Farm
-  Dedicated servers behind
your corporate network
-  Double server count for HA

Step 2: Deploy Your Federation Server Proxies
-  Dedicated proxy servers in
your DMZ (!)
-  Double server count for HA

How Many Servers are We Talking About?
Number of users accessing
the cloud service
Minimum number of servers to deploy
1,000 to 15,000 users
2 dedicated federation servers
+
2 dedicated federation server proxies
15,000 to 60,000 users
Between 3 and 5 dedicated federation servers
+
At least 2 dedicated federation server proxies
4-7 dedicated servers for one cloud application
Half of these are deployed in your DMZ

…we’re not done
Even more servers to run the database that
holds configuration

SQL Servers added to the mix…

Don’t forget your Certificates
Certificate type
Token-signing certificate
Service communication certificate
Token-decryption certificate
Separate certificates for each server
Must be purchased from a CA
Must be managed and renewed

The true costs of AD FS…
Year One Year Two Year Three Total
Support &
Maintenance
Setup (Time) +
Hardware Costs
$25k - $50k
for first app

Year One Year Two Year Three Total
…are costs that grow over time
More apps = more cost

Example: Office365
Source: perficient.com/Partners/Microsoft

Source: perficient.com/Partners/Microsoft

Source: blog.force365.com/salesforce-sso-with-adfs-2-0/
Example:

AD Integration with Okta – 30 minutes or less
Download AD Agent,
Install on Windows Machine
1
Configure Agent:
Directory Location, Credentials
3
Configure
import rules
4
Internet Firewall Your Network
AD Domain
Controller
Okta Agent
https://yourcompany.okta.com
2
•  Enter Okta URL and credentials
•  HTTPS from company to Okta
•  No firewall configuration necessary

It’s Not Just About Cost
AD FS is Not Free
•  No reporting

Okta Overview
Enterprise Identity, Delivered

All Your Devices
All Your People
Desktop, Laptops,
Tablets, Smartphones,
Employees, Customers,
Partners, Contractors
Mobile
On Prem
Cloud
On Prem Identity
LDAP

Mobile
On Prem
Cloud
On Prem Identity
LDAP
All Your Devices
All Your People
Desktop, Laptops,

Okta Powered Customer & Partners Portals
Manage identities outside your firewall
Customers
Partners
Cloud Apps
On Premise Apps
Porta
l
Username
Password

Active Directory Integration with Okta
Remote users authenticate with
AD username and password
1 Local users transparently authenticate
using Integrated Windows Authentication
2
Access policies driven
by AD security groups
3
Remote/Mobile
Employees
Active
Directory
Employees
Okta Agent(s)
Group
Sales
Firewall

Active Directory Integration with Okta
Remote users authenticate with
AD username and password
1 Local users transparently authenticate
using Integrated Windows Authentication
2
Access policies driven
by AD security groups
3
Remote/Mobile
Employees
Active
Directory
Employees
Okta Agent(s)
Group
Sales
Firewall• Simple agent install, no network configuration required
• Multiple agents supported for High Availability
Easy to Use,
Just Works
• Real-time Synchronization with AD (no scheduled imports needed)
• Automatic De-Activation in Okta of Disabled/Deleted Users
• Delegate Authentication for Okta to AD
Broad
Functionality
• Integration into Windows Desktop Login
Tight Windows
Integration

Setting Up AD Integration with Okta
Download AD Agent,
Install on Windows Machine
1
Configure Agent:
Directory Location, Credentials
3
Configure
import rules
4
AD Domain
Controller
Okta Agent
2
•  Enter Okta URL and credentials
•  HTTPS from company to Okta
•  No firewall configuration necessary

Real Time AD User Synchronization
AD Domain
Controller
Okta Agent
(On Windows Server)
3
Users provisioned, de-provisioned, application
assignments based on security group membership
AD Agent dynamically looks for changes in
AD, makes HTTPS connection to Okta
1 Okta gets real time updates, makes
user and group changes as needed
2

Delegated Authentication to AD
AD Domain
Controller
Okta Agent
(On Windows Server)
User logs into https://yourcompany.okta.com
using Okta username & AD password
1 Okta communicates to AD Agent via persistent
connection to validate credentials
2
Agent responds with
success or failure
3 Okta returns Cloud App homepage
(success) or failure message
4
Inside/Outside Network

Desktop SSO
Firewall
2
1
AD Domain
Controller
Get To Cloud Apps with NO Login Page
•  User logs on to domain
•  Can then access Cloud apps with no additional login
Secure: Uses Integrated Windows
Authentication (Kerberos)
Easy to deploy: Leverages light
weight agent running under IISOkta IWA
Agent

User Provisioning with Active Directory
New employees
created in Active
Directory
1
Applications provisioned
centrally through Okta
2
Okta login using AD credentials.
Immediate SSO Access to Apps
3
AD Domain
ControllerOkta Agent
Firewall

All Your Devices
All Your People
Desktop, Laptops,
Mobile
On Prem
Cloud
On Prem Identity
LDAP
Increase Productivity
Reduce IT Costs
Strengthen Security

3,300 users | 100 apps
“Cloud IAM is the best option, providing
310% ROI over manual processes”
- Forrester Research, October 2012
> $10M
savings

Okta was named a Leader (highest ranking)

•  First true Cloud IAM service
•  Full suite of IAM features (SSO, provisioning, analytics)
•  Bridges existing user stores (AD / LDAP) to the cloud
•  Connects to legacy on-prem IAM software
Modern Identity
Management
Dedicated
Support
•  24 / 7 / 365 Premier Support Team
•  SmartStart Professional Services Team
•  Training and Education Team
Veteran
Team
“Okta is the gold standard of
companies we’ve worked with.”
“Okta makes our problems their
own and it’s why we can rely on
them to make us successful.”

What We Covered
AD FS is Not Free
•  No reporting

AD FS
•  100% Multi-Tenant, Fully Managed
•  Always On
•  Features and Capacity On Demand
•  No changes required to AD infrastructure
Cloud Service,
Built in HA
•  You install, configure & manage
•  Redundancy for HA = more HW
•  Must maintain as apps change
•  Control who has access to which app
•  Easily map different username formats
•  Quickly import, match, rollout
Access Management
•  Create & manage custom attributes
•  Every app may require changes
•  No concept of user import, matching
User Provisioning,
De-Provisioning
•  Easily add/remove users and access
•  Drive directly from AD, security groups
•  Pre-integrated with your applications
•  None
Logging & Reporting
•  Better visibility into access and usage
•  Easy to access from Okta admin UI
•  None
Application Integrations
•  1,500+ Pre-integrated apps
•  No engineering to configure, maintain
•  SSO with any app, not just SAML
•  User Mgmt integrations
•  You build, maintain every integration
•  Only supports SAML, WS-*
•  Only single sign-on

-  Download the AD FS whitepaper
-  Start a free trial of Okta for unlimited apps
-  Use Okta for free for one app
Getting Started with Okta

okta.com/free

ADFS Terminology
AD
FS
2.0
term
Defini>on

AD
FS
2.0
configura9on

database

A
database
used
to
store
all
configura9on
data
that
represents
a
single
AD
FS
2.0
instance
or
Federa9on

Service.
This
configura9on
data
can
be
stored
using
the
Windows
Internal
Database
(WID)
feature

included
with
Windows
Server
2008
and
Windows
Server
2008
R2
or
using
a
MicrosoS
SQL
Server

database.

Claim

A
statement
that
one
subject
makes
about
itself
or
another
subject.
For
example,
the
statement
can
be

about
a
name,
email,
group,
privilege,
or
capability.
Claims
have
a
provider
that
issues
them
and
they
are

given
one
or
more
values.
They
are
also
defined
by
a
claim
value
type
and,
possibly,
associated

metadata.

Federa9on
Service

A
logical
instance
of
AD
FS
2.0.
A
Federa9on
Service
can
be
deployed
as
a
standalone
federa9on
server

or
as
a
load-‐balanced
federa9on
server
farm.
You
can
configure
the
name
of
the
Federa9on
Service
using

the
AD
FS
2.0
Management
snap-‐in.
The
DNS
name
of
the
Federa9on
Service
must
be
used
in
the
Subject

name
of
the
Secure
Sockets
Layer
(SSL)
cer9ficate.

Federa9on
server

A
computer
running
Windows
Server
2008
or
Windows
Server
2008
R2
that
has
been
configured
to
act
in

the
federa9on
server
role.
A
federa9on
server
serves
as
part
of
a
Federa9on
Service
that
can
issue,

manage,
and
validate
requests
for
security
tokens
and
iden9ty
management.
Security
tokens
consist
of
a

collec9on
of
claims,
such
as
a
user's
name
or
role.


ADFS Terminology - continued
AD
FS
2.0
term
Defini>on

Federa9on
server
farm

Two
or
more
federa9on
servers
in
the
same
network
that
are
configured
to
act
as
one
Federa9on

Service
instance.

Federa9on
server
proxy

A
computer
running
Windows
Server
2008
or
Windows
Server
2008
R2
that
has
been
configured
to
act

as
an
intermediary
proxy
service
between
a
client
on
the
Internet
and
a
Federa9on
Service
that
is

located
behind
a
firewall
on
a
corporate
network.

Relying
party
A
Federa9on
Service
or
applica9on
that
consumes
claims
in
a
par9cular
transac9on.

Relying
party
trust

In
the
AD
FS
2.0
Management
snap-‐in,
a
relying
party
trust
is
a
trust
object
that
is
created
to
maintain

the
rela9onship
with
another
Federa9on
Service,
applica9on,
or
service
(in
this
case
with
Google
Apps

or
Salesforce.com)
that
consumes
claims
from
your
organiza9on’s
Federa9on
Service.

Network
load
balancer

A
dedicated
applica9on
(such
as
Network
Load
Balancing)
or
hardware
device
(such
as
a
mul9layer

switch)
used
to
provide
fault
tolerance,
high
availability,
and
load
balancing
across
mul9ple
nodes.
For

AD
FS
2.0,
the
cluster
DNS
name
that
you
create
using
this
NLB
must
match
the
Federa9on
Service

name
that
you
specified
when
you
deployed
your
first
federa9on
server
in
your
farm.


Summary – ADFS Pros and Cons
•  Just a Windows Server Role
•  Flexible SAML, WS-FED solution
•  Tight AD integration
Pros
•  Difficult to configure
•  Difficult to make production ready
•  Limited application coverage
•  No re-use (must set up for each app)
•  No reporting
•  No policy controls
Cons

How are accounts
created?
How do users
authenticate?
How does IT manage
these accounts?
How are accounts
de-provisioned?
Solution: Connect AD to the Cloud

Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (18)

Ähnlich wie Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)

Ähnlich wie Avoiding the Hidden Costs of Active Directory Federation Services (AD FS) (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)