Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
DESCRIPTION
Since its introduction with Windows Server 2008, AD FS 2.0 has been Microsoft’s answer to extending enterprise identity beyond the firewall. However, building an identity management solution with the AD FS toolkit has many hidden costs. While AD FS solves some identity challenges for Microsoft’s product family, as is typical from Microsoft, many more gaps exist when attempting to integrate with cloud or mobile applications from other vendors. Built as a single sign-on toolkit, AD FS requires a significant investment to deploy into production and still doesn’t deliver a full identity management solution. This webinar will discuss the following AD FS hidden costs as well as free alternatives that help avoid them:
- Building-out missing features
- Setup & configuration
- Hardware & software
- Availability & reliability
- On-going maintenance
TRANSCRIPT
![Page 1: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/1.jpg)
Kick the AD FS Habit
![Page 2: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/2.jpg)
Agenda
- Trends in IT → How They Affect Identity
- AD FS Overview, Costs, and Shortcomings
- Okta’s Approach to AD Integration
- Q&A
okta confidential 2
![Page 3: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/3.jpg)
What We’ll Show Today
AD FS is Not Free
• Significant server costs
• Setup and configuration efforts
• Ongoing maintenance costs
• No repeatability
• More apps = more costs
AD FS is Not A Complete Solution
• Limited app support
• No provisioning
• No reporting
• No native mobile apps
![Page 4: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/4.jpg)
Diagram: Applications, Devices, People
![Page 5: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/5.jpg)
Diagram: Identity at the center of Applications, Devices, and People
![Page 6: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/6.jpg)
Diagram: Identity at the center of Applications (+ custom, + cloud, + mobile), Devices (+ iPhone, Android, + iPad), and People (+ remote, + partners, + customers)
![Page 7: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/7.jpg)
Pain for end users
![Page 8: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/8.jpg)
Pain for IT
Time consuming user provisioning
![Page 9: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/9.jpg)
Pain for Security Team
![Page 10: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/10.jpg)
• Service
• Enterprise Grade
• Integrated
• Future Proof
• Easy to Use
“Cloud IAM Has Superior ROI”
“Cloud IAM is the best option; 310% ROI over manual processes, 90% reduction of operations vs. on-prem solutions.”
“By the end of 2015, IDaaS will account for 40% of all new IAM sales”
AD FS 2.0
• HW, SW, Infrastructure
• Services Intense
• Connector Treadmill
• Forklift Upgrades
![Page 11: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/11.jpg)
AD FS Overview
![Page 12: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/12.jpg)
Diagram (Your Network | Firewall | Internet): Active Directory user store and on-prem apps inside the network, cloud apps on the Internet. What to use here? How to connect these cloud apps to Active Directory?
![Page 13: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/13.jpg)
Source: microsoft.com
![Page 14: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/14.jpg)
Source: technet.microsoft.com
![Page 15: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/15.jpg)
AD FS – High Level
Source: technet.microsoft.com
![Page 16: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/16.jpg)
AD FS – High Level
Server Farm?
Source: technet.microsoft.com
![Page 17: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/17.jpg)
Step 1: Deploy Your Federation Server Farm
Source: technet.microsoft.com
- Dedicated servers behind your corporate network
- Double server count for HA
![Page 18: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/18.jpg)
Step 2: Deploy Your Federation Server Proxies
Source: technet.microsoft.com
- Dedicated proxy servers in your DMZ (!)
- Double server count for HA
![Page 19: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/19.jpg)
How Many Servers are We Talking About?

| Number of users accessing the cloud service | Minimum number of servers to deploy |
| --- | --- |
| 1,000 to 15,000 users | 2 dedicated federation servers + 2 dedicated federation server proxies |
| 15,000 to 60,000 users | Between 3 and 5 dedicated federation servers + at least 2 dedicated federation server proxies |

Source: technet.microsoft.com
4-7 dedicated servers for one cloud application. Half of these are deployed in your DMZ.
![Page 20: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/20.jpg)
…we’re not done
Source: technet.microsoft.com
Even more servers to run the database that holds configuration
![Page 21: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/21.jpg)
SQL Servers added to the mix…
![Page 22: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/22.jpg)
Don’t forget your Certificates
Certificate types:
- Token-signing certificate
- Service communication certificate
- Token-decryption certificate
Source: technet.microsoft.com
Separate certificates for each server. Must be purchased from a CA. Must be managed and renewed.
![Page 23: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/23.jpg)
The true costs of AD FS…
Chart (Year One, Year Two, Year Three, Total): Setup (time) + hardware costs, plus support & maintenance. $25k - $50k for first app.
![Page 24: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/24.jpg)
…are costs that grow over time
Chart (Year One, Year Two, Year Three, Total): More apps = more cost.
![Page 25: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/25.jpg)
Example: Office365
Source: perficient.com/Partners/Microsoft
![Page 26: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/26.jpg)
Source: perficient.com/Partners/Microsoft
![Page 27: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/27.jpg)
Example:
Source: blog.force365.com/salesforce-sso-with-adfs-2-0/
![Page 28: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/28.jpg)
AD Integration with Okta – 30 minutes or less
1. Download AD Agent, install on Windows machine
2. Enter Okta URL and credentials (HTTPS from company to Okta; no firewall configuration necessary)
3. Configure agent: directory location, credentials
4. Configure import rules
Diagram (Internet | Firewall | Your Network): AD Domain Controller, Okta Agent, https://yourcompany.okta.com
![Page 29: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/29.jpg)
![Page 30: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/30.jpg)
![Page 31: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/31.jpg)
![Page 32: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/32.jpg)
![Page 33: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/33.jpg)
![Page 34: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/34.jpg)
![Page 35: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/35.jpg)
![Page 36: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/36.jpg)
![Page 37: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/37.jpg)
![Page 38: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/38.jpg)
![Page 39: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/39.jpg)
It’s Not Just About Cost
AD FS is Not Free
• Significant server costs
• Setup and configuration efforts
• Ongoing maintenance costs
• No repeatability
• More apps = more costs
AD FS is Not A Complete Solution
• Limited app support
• No provisioning
• No reporting
• No native mobile apps
![Page 40: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/40.jpg)
Okta Overview
Enterprise Identity, Delivered
![Page 41: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/41.jpg)
Diagram: All your devices (desktop, laptops, tablets, smartphones) and all your people (employees, customers, partners, contractors) connected to mobile, on-prem and cloud applications and to on-prem identity (LDAP)
![Page 42: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/42.jpg)
![Page 43: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/43.jpg)
![Page 44: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/44.jpg)
![Page 45: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/45.jpg)
![Page 46: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/46.jpg)
Diagram: All your devices (desktop, laptops, tablets, smartphones) and all your people (employees, customers, partners, contractors) connected to mobile, on-prem and cloud applications and to on-prem identity (LDAP)
![Page 47: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/47.jpg)
Diagram: All your devices (desktop, laptops, tablets, smartphones) and all your people (employees, customers, partners, contractors) connected to mobile, on-prem and cloud applications and to on-prem identity (LDAP)
![Page 48: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/48.jpg)
1,000’s of Applications
![Page 49: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/49.jpg)
Diagram: All your devices (desktop, laptops, tablets, smartphones) and all your people (employees, customers, partners, contractors) connected to mobile, on-prem and cloud applications and to on-prem identity (LDAP)
![Page 50: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/50.jpg)
Okta Powered Customer & Partners Portals: Manage identities outside your firewall
Diagram: Customers and partners sign in to a portal (username, password) and reach cloud apps and on-premise apps
![Page 51: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/51.jpg)
Okta AD Integration Details
![Page 52: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/52.jpg)
Active Directory Integration with Okta
1. Remote users authenticate with AD username and password
2. Local users transparently authenticate using Integrated Windows Authentication
3. Access policies driven by AD security groups
Diagram: Remote/mobile employees and local employees, Active Directory, Okta Agent(s), group Sales, firewall
![Page 53: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/53.jpg)
Active Directory Integration with Okta
1. Remote users authenticate with AD username and password
2. Local users transparently authenticate using Integrated Windows Authentication
3. Access policies driven by AD security groups
Diagram: Remote/mobile employees and local employees, Active Directory, Okta Agent(s), group Sales, firewall
Easy to Use, Just Works
• Simple agent install, no network configuration required
• Multiple agents supported for High Availability
Broad Functionality
• Real-time Synchronization with AD (no scheduled imports needed)
• Automatic De-Activation in Okta of Disabled/Deleted Users
• Delegate Authentication for Okta to AD
Tight Windows Integration
• Integration into Windows Desktop Login
![Page 54: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/54.jpg)
Setting Up AD Integration with Okta
1. Download AD Agent, install on Windows machine
2. Enter Okta URL and credentials (HTTPS from company to Okta; no firewall configuration necessary)
3. Configure agent: directory location, credentials
4. Configure import rules
Diagram (Internet | Firewall | Your Network): AD Domain Controller, Okta Agent, https://yourcompany.okta.com
![Page 55: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/55.jpg)
Real Time AD User Synchronization
Diagram (Internet | Firewall | Your Network): AD Domain Controller, Okta Agent (on Windows Server), https://yourcompany.okta.com
1. AD Agent dynamically looks for changes in AD, makes HTTPS connection to Okta
2. Okta gets real time updates, makes user and group changes as needed
3. Users provisioned, de-provisioned, application assignments based on security group membership
![Page 56: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/56.jpg)
Delegated Authentication to AD
Diagram (Internet | Firewall | Your Network; user inside or outside the network): AD Domain Controller, Okta Agent (on Windows Server), https://yourcompany.okta.com
1. User logs into https://yourcompany.okta.com using Okta username & AD password
2. Okta communicates to AD Agent via persistent connection to validate credentials
3. Agent responds with success or failure
4. Okta returns Cloud App homepage (success) or failure message
![Page 57: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/57.jpg)
Desktop SSO
Diagram: AD Domain Controller, Okta IWA Agent, firewall (steps 1 and 2)
Get To Cloud Apps with NO Login Page
• User logs on to domain
• Can then access Cloud apps with no additional login
Secure: Uses Integrated Windows Authentication (Kerberos)
Easy to deploy: Leverages light weight agent running under IIS
![Page 58: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/58.jpg)
User Provisioning with Active Directory
1. New employees created in Active Directory
2. Applications provisioned centrally through Okta
3. Okta login using AD credentials. Immediate SSO access to apps
Diagram: AD Domain Controller, Okta Agent, firewall
![Page 59: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/59.jpg)
![Page 60: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/60.jpg)
Diagram: All your devices (desktop, laptops, tablets, smartphones) and all your people (employees, customers, partners, contractors) connected to mobile, on-prem and cloud applications and to on-prem identity (LDAP)
![Page 61: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/61.jpg)
Diagram: All your devices (desktop, laptops, tablets, smartphones) and all your people (employees, customers, partners, contractors) connected to mobile, on-prem and cloud applications and to on-prem identity (LDAP)
Increase Productivity
Reduce IT Costs
Strengthen Security
![Page 62: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/62.jpg)
3,300 users | 100 apps
“Cloud IAM is the best option, providing 310% ROI over manual processes” - Forrester Research, October 2012
> $10M savings
![Page 63: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/63.jpg)
Okta was named a Leader (highest ranking)
![Page 64: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/64.jpg)
![Page 65: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/65.jpg)
Modern Identity Management
• First true Cloud IAM service
• Full suite of IAM features (SSO, provisioning, analytics)
• Bridges existing user stores (AD / LDAP) to the cloud
• Connects to legacy on-prem IAM software
Dedicated Support
• 24 / 7 / 365 Premier Support Team
• SmartStart Professional Services Team
• Training and Education Team
Veteran Team
“Okta is the gold standard of companies we’ve worked with.”
“Okta makes our problems their own and it’s why we can rely on them to make us successful.”
![Page 66: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/66.jpg)
What We Covered
AD FS is Not Free
• Significant server costs
• Setup and configuration efforts
• Ongoing maintenance costs
• No repeatability
• More apps = more costs
AD FS is Not A Complete Solution
• Limited app support
• No provisioning
• No reporting
• No native mobile apps
![Page 67: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/67.jpg)
| Area | Okta | AD FS |
| --- | --- | --- |
| Cloud Service, Built in HA | 100% Multi-Tenant, Fully Managed; Always On; Features and Capacity On Demand; No changes required to AD infrastructure | You install, configure & manage; Redundancy for HA = more HW; Must maintain as apps change |
| Access Management | Control who has access to which app; Easily map different username formats; Quickly import, match, rollout | Create & manage custom attributes; Every app may require changes; No concept of user import, matching |
| User Provisioning, De-Provisioning | Easily add/remove users and access; Drive directly from AD, security groups; Pre-integrated with your applications | None |
| Logging & Reporting | Better visibility into access and usage; Easy to access from Okta admin UI | None |
| Application Integrations | 1,500+ Pre-integrated apps; No engineering to configure, maintain; SSO with any app, not just SAML; User Mgmt integrations | You build, maintain every integration; Only supports SAML, WS-*; Only single sign-on |
![Page 68: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/68.jpg)
Getting Started with Okta
- Download the AD FS whitepaper
- Start a free trial of Okta for unlimited apps
- Use Okta for free for one app
![Page 69: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/69.jpg)
okta.com/free
![Page 70: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/70.jpg)
ADFS Terminology
- AD FS 2.0 configuration database: A database used to store all configuration data that represents a single AD FS 2.0 instance or Federation Service. This configuration data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008 and Windows Server 2008 R2 or using a Microsoft SQL Server database.
- Claim: A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.
- Federation Service: A logical instance of AD FS 2.0. A Federation Service can be deployed as a standalone federation server or as a load-balanced federation server farm. You can configure the name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate.
- Federation server: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act in the federation server role. A federation server serves as part of a Federation Service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of claims, such as a user's name or role.
Source: technet.microsoft.com
![Page 71: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/71.jpg)
ADFS Terminology - continued
- Federation server farm: Two or more federation servers in the same network that are configured to act as one Federation Service instance.
- Federation server proxy: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federation Service that is located behind a firewall on a corporate network.
- Relying party: A Federation Service or application that consumes claims in a particular transaction.
- Relying party trust: In the AD FS 2.0 Management snap-in, a relying party trust is a trust object that is created to maintain the relationship with another Federation Service, application, or service (in this case with Google Apps or Salesforce.com) that consumes claims from your organization’s Federation Service.
- Network load balancer: A dedicated application (such as Network Load Balancing) or hardware device (such as a multilayer switch) used to provide fault tolerance, high availability, and load balancing across multiple nodes. For AD FS 2.0, the cluster DNS name that you create using this NLB must match the Federation Service name that you specified when you deployed your first federation server in your farm.
Source: technet.microsoft.com
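The glossary entries for Claim, Relying party and Relying party trust describe what a cloud application does with the security token a Federation Service issues: it consumes the claims, but only after checking that the token really came from the trusted Federation Service and was issued for it. The following Python example is added here; it is not part of the original deck and is not Okta's or Microsoft's code. It performs the relying-party checks on a SAML 2.0 assertion (signature present, expected issuer, audience restriction, validity window with clock skew) and then makes a group-based access decision from the claims. The assertion, the issuer and audience URLs and the user are constructed placeholders. It checks only that a signature element exists; a real relying party must also verify that signature cryptographically against the Federation Service's token-signing certificate, the first of the certificate types listed on the certificates slide.

```python
"""Relying-party checks on a SAML 2.0 assertion before its claims are trusted (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder identifiers: the Federation Service (issuer) and the cloud app (audience).
ISSUER = "http://fs.example.test/adfs/services/trust"
AUDIENCE = "https://cloudapp.example.test/sp"
# Standard claim type URIs that AD FS issues.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion, not captured from a real deployment. The Signature
# element is a stub so that the presence check below has something to find.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Employees</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(timestamp: str) -> datetime:
    """Parse the UTC 'Z' timestamps SAML uses into timezone-aware datetimes."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_claims(assertion_xml: str) -> dict:
    """Map each claim type URI in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return claims


def validate_assertion(assertion_xml, expected_issuer, expected_audience, now,
                       clock_skew=timedelta(minutes=5)):
    """Return the list of problems found; an empty list means every check passed."""
    root = ET.fromstring(assertion_xml)
    problems = []
    # 1. A signature must be present. Cryptographic verification against the
    #    token-signing certificate is deliberately out of scope for this example.
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    # 2. The issuer must be the Federation Service the relying party trust was created for.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("missing Conditions element")
        return problems
    # 3. Validity window, tolerating a small clock skew between issuer and relying party.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + clock_skew < parse_utc(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now - clock_skew >= parse_utc(not_on_or_after):
        problems.append("assertion expired")
    # 4. Audience restriction: a token issued for a different relying party is rejected.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: {audiences}")
    return problems


def decide_access(assertion_xml, expected_issuer, expected_audience, required_group, now):
    """Grant access only if the assertion validates and carries the required group claim."""
    problems = validate_assertion(assertion_xml, expected_issuer, expected_audience, now)
    if problems:
        return False, problems
    groups = parse_claims(assertion_xml).get(GROUP_CLAIM, [])
    if required_group not in groups:
        return False, [f"group {required_group!r} not in {groups}"]
    return True, []


if __name__ == "__main__":
    granted, reasons = decide_access(SAMPLE_ASSERTION, ISSUER, AUDIENCE, "Sales",
                                     parse_utc("2024-01-01T12:30:00Z"))
    print("access granted" if granted else f"access denied: {reasons}")
```

The audience check is the one most often skipped in home-grown relying parties: without it, a token issued by the same Federation Service for one cloud app is accepted by another, which is exactly the "relying party trust" boundary the glossary describes.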
![Page 72: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/72.jpg)
Summary – ADFS Pros and Cons
Pros
• Just a Windows Server Role
• Flexible SAML, WS-FED solution
• Tight AD integration
Cons
• Difficult to configure
• Difficult to make production ready
• Limited application coverage
• No re-use (must set up for each app)
• No provisioning
• No reporting
• No policy controls
![Page 73: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/73.jpg)
How are accounts created?
How do users authenticate?
How does IT manage these accounts?
How are accounts de-provisioned?
Solution: Connect AD to the Cloud
![Page 74: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/74.jpg)
![Page 75: Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)](https://reader034.vdocuments.us/reader034/viewer/2022051609/547b9d7eb37959442b8b4e57/html5/thumbnails/75.jpg)