Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)

Since its introduction with Windows Server 2008, AD FS 2.0 has been Microsoft’s answer to extending enterprise identity beyond the firewall. However, building an identity management solution with the AD FS toolkit has many hidden costs. While AD FS solves some identity challenges for Microsoft’s product family, as is typical from Microsoft, many more gaps exist when attempting to integrate with cloud or mobile applications from other vendors.

Built as a single sign-on toolkit, AD FS requires a significant investment to deploy into production and still doesn’t deliver a full identity management solution. This webinar will discuss the following AD FS hidden costs as well as free alternatives that help avoid them:

- Building out missing features
- Setup & configuration
- Hardware & software
- Availability & reliability
- Ongoing maintenance

    Presentation Transcript

    • Kick the AD FS Habit
    • Agenda: Trends in IT and how they affect identity; AD FS overview, costs, and shortcomings; Okta’s approach to AD integration; Q&A
    • What We’ll Show Today. AD FS is not free: significant server costs; setup and configuration efforts; ongoing maintenance costs; no repeatability; more apps = more costs. AD FS is not a complete solution: limited app support; no provisioning; no reporting; no native mobile apps.
    • Applications, Devices, People, Identity. Applications are now custom, cloud, and mobile; devices include iPhone, Android, and iPad; people include remote users, partners, and customers. Identity sits in the middle of all three.
    • Pain for end users
    • Pain for IT Time consuming user provisioning
    • Pain for Security Team
    • Okta: Service, Enterprise Grade, Integrated, Future Proof, Easy to Use. “Cloud IAM Has Superior ROI”: “Cloud IAM is the best option; 310% ROI over manual processes, 90% reduction of operations vs. on-prem solutions.” “By the end of 2015, IDaaS will account for 40% of all new IAM sales.” AD FS 2.0: HW, SW, Infrastructure; Services Intense; Connector Treadmill; Forklift Upgrades.
    • AD FS Overview
    • Diagram: Your Network (Active Directory user store, on-prem apps) | Firewall | Internet (cloud apps). What to use here? How do you connect these cloud apps to Active Directory?
    • AD FS – High Level (diagram; Source: microsoft.com, technet.microsoft.com)
    • AD FS – High Level: Server Farm? (diagram; Source: technet.microsoft.com)
    • Step 1: Deploy Your Federation Server Farm (Source: technet.microsoft.com). Dedicated servers behind your corporate network; double the server count for HA.
    • Step 2: Deploy Your Federation Server Proxies (Source: technet.microsoft.com). Dedicated proxy servers in your DMZ (!); double the server count for HA.
    • How Many Servers are We Talking About? (Source: technet.microsoft.com)
      Number of users accessing the cloud service | Minimum number of servers to deploy
      1,000 to 15,000 users | 2 dedicated federation servers + 2 dedicated federation server proxies
      15,000 to 60,000 users | Between 3 and 5 dedicated federation servers + at least 2 dedicated federation server proxies
      That is 4-7 dedicated servers for one cloud application, half of them deployed in your DMZ.
    • …we’re not done (Source: technet.microsoft.com): even more servers to run the database that holds the configuration.
    • SQL Servers added to the mix…
    • Don’t forget your Certificates (Source: technet.microsoft.com). Certificate types: token-signing certificate, service communication certificate, token-decryption certificate. Separate certificates for each server; must be purchased from a CA; must be managed and renewed.
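    One check a practitioner would want for that last bullet, as an added example that is not from the deck or from Okta: a PowerShell script, run on a federation server, that lists the three certificate types the slide names and flags any that are expired or close to it. It assumes the AD FS cmdlets (Get-AdfsCertificate, Get-AdfsProperties) are available through the ADFS module or, on AD FS 2.0, the Microsoft.Adfs.PowerShell snap-in; the 30-day warning window is a chosen default.

```powershell
# Added example: report AD FS certificate expiry so renewals are planned,
# not discovered when token signing or the SSL endpoint breaks.
param([int]$WarnDays = 30)   # assumption: warn when 30 days or fewer remain

# Load the AD FS cmdlets: module on 2012 R2+, snap-in on AD FS 2.0.
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    if (-not (Import-Module ADFS -PassThru -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    }
}

$now = Get-Date
$report = foreach ($c in Get-AdfsCertificate) {
    $cert = $c.Certificate                 # X509Certificate2 behind this AD FS role
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    if ($daysLeft -le 0)              { $status = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays)  { $status = 'EXPIRING' }
    else                              { $status = 'OK' }
    New-Object PSObject -Property @{
        Type       = $c.CertificateType    # Service-Communications, Token-Signing, Token-Decrypting
        IsPrimary  = $c.IsPrimary          # only the primary cert is used for new tokens
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

$report | Sort-Object DaysLeft |
    Format-Table Type, IsPrimary, DaysLeft, Status, NotAfter, Subject -AutoSize

# Self-signed token-signing/decrypting certs can roll over automatically;
# the CA-issued service communication certificate never does.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"

# Non-zero exit so a scheduled task or monitoring job can alert on it.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { exit 2 }
```

    Run it on every federation server in the farm, since the slide's point is that service communication certificates are per-server.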
    • The true costs of AD FS… (chart: Year One, Year Two, Year Three, Total; setup time + hardware costs, then support & maintenance). $25k - $50k for the first app.
    • …are costs that grow over time (chart: Year One, Year Two, Year Three, Total). More apps = more cost.
    • Example: Office365 (Source: perficient.com/Partners/Microsoft)
    • Example: Salesforce (Source: blog.force365.com/salesforce-sso-with-adfs-2-0/)
    • AD Integration with Okta – 30 minutes or less. Diagram: Your Network (AD Domain Controller, Okta Agent) | Firewall | Internet | https://yourcompany.okta.com. 1. Download the AD Agent and install it on a Windows machine. 2. Enter the Okta URL and credentials (HTTPS from the company network to Okta; no firewall configuration necessary). 3. Configure the agent: directory location, credentials. 4. Configure import rules.
    • It’s Not Just About Cost. AD FS is not free: significant server costs; setup and configuration efforts; ongoing maintenance costs; no repeatability; more apps = more costs. AD FS is not a complete solution: limited app support; no provisioning; no reporting; no native mobile apps.
    • Okta Overview: Enterprise Identity, Delivered
    • All Your Devices (desktops, laptops, tablets, smartphones) and All Your People (employees, customers, partners, contractors), across mobile, on-prem, and cloud; identity anchored in on-prem directories (LDAP).
    • 1,000’s of Applications
    • Okta Powered Customer & Partner Portals: manage identities outside your firewall. Customers and partners log in to a portal with username and password and reach cloud apps and on-premise apps.
    • Okta AD Integration Details
    • Active Directory Integration with Okta. Diagram: Remote/Mobile Employees | Firewall | Active Directory, Employees, Okta Agent(s), Group: Sales. 1. Remote users authenticate with AD username and password. 2. Local users transparently authenticate using Integrated Windows Authentication. 3. Access policies are driven by AD security groups.
      Easy to Use, Just Works: simple agent install, no network configuration required; multiple agents supported for high availability.
      Broad Functionality: real-time synchronization with AD (no scheduled imports needed); automatic deactivation in Okta of disabled/deleted users; delegated authentication from Okta to AD.
      Tight Windows Integration: integration into Windows desktop login.
    • Setting Up AD Integration with Okta. Diagram: Your Network (AD Domain Controller, Okta Agent) | Firewall | Internet | https://yourcompany.okta.com. 1. Download the AD Agent and install it on a Windows machine. 2. Enter the Okta URL and credentials (HTTPS from the company network to Okta; no firewall configuration necessary). 3. Configure the agent: directory location, credentials. 4. Configure import rules.
    • Real Time AD User Synchronization. Diagram: Your Network (AD Domain Controller, Okta Agent on Windows Server) | Firewall | Internet | https://yourcompany.okta.com. 1. The AD Agent dynamically looks for changes in AD and makes an HTTPS connection to Okta. 2. Okta gets real-time updates and makes user and group changes as needed. 3. Users are provisioned and de-provisioned, and applications assigned, based on security group membership.
    • Delegated Authentication to AD. Diagram: Your Network (AD Domain Controller, Okta Agent on Windows Server) | Firewall | Internet | https://yourcompany.okta.com; user may be inside or outside the network. 1. The user logs into https://yourcompany.okta.com using their Okta username and AD password. 2. Okta communicates with the AD Agent over a persistent connection to validate the credentials. 3. The agent responds with success or failure. 4. Okta returns the cloud app homepage (success) or a failure message.
    • Desktop SSO: Get to Cloud Apps with NO Login Page. Diagram: AD Domain Controller, Okta IWA Agent | Firewall. 1. The user logs on to the domain. 2. The user can then access cloud apps with no additional login. Secure: uses Integrated Windows Authentication (Kerberos). Easy to deploy: leverages a lightweight agent running under IIS.
    • User Provisioning with Active Directory. Diagram: AD Domain Controller, Okta Agent | Firewall. 1. New employees are created in Active Directory. 2. Applications are provisioned centrally through Okta. 3. Okta login using AD credentials gives immediate SSO access to apps.
    • All Your Devices (desktops, laptops, tablets, smartphones) and All Your People (employees, customers, partners, contractors), across mobile, on-prem, and cloud; identity anchored in on-prem directories (LDAP). Increase productivity, reduce IT costs, strengthen security.
    • 3,300 users | 100 apps | > $10M savings. “Cloud IAM is the best option, providing 310% ROI over manual processes” - Forrester Research, October 2012
    • Okta was named a Leader (highest ranking)
    • Modern Identity Management: first true Cloud IAM service; full suite of IAM features (SSO, provisioning, analytics); bridges existing user stores (AD / LDAP) to the cloud; connects to legacy on-prem IAM software. Dedicated Support: 24 / 7 / 365 Premier Support Team; SmartStart Professional Services Team; Training and Education Team. Veteran Team. “Okta is the gold standard of companies we’ve worked with.” “Okta makes our problems their own and it’s why we can rely on them to make us successful.”
    • What We Covered. AD FS is not free: significant server costs; setup and configuration efforts; ongoing maintenance costs; no repeatability; more apps = more costs. AD FS is not a complete solution: limited app support; no provisioning; no reporting; no native mobile apps.
    • Okta vs. AD FS
      Cloud Service, Built-in HA. Okta: 100% multi-tenant, fully managed; always on; features and capacity on demand; no changes required to AD infrastructure. AD FS: you install, configure & manage; redundancy for HA = more HW; must maintain as apps change.
      Access Management. Okta: control who has access to which app; easily map different username formats; quickly import, match, roll out; create & manage custom attributes. AD FS: every app may require changes; no concept of user import or matching.
      User Provisioning, De-Provisioning. Okta: easily add/remove users and access; drive directly from AD security groups; pre-integrated with your applications. AD FS: none.
      Logging & Reporting. Okta: better visibility into access and usage; easy to access from the Okta admin UI. AD FS: none.
      Application Integrations. Okta: 1,500+ pre-integrated apps; no engineering to configure or maintain; SSO with any app, not just SAML; user management integrations. AD FS: you build and maintain every integration; only supports SAML, WS-*; only single sign-on.
    • Getting Started with Okta: download the AD FS whitepaper; start a free trial of Okta for unlimited apps; use Okta for free for one app.
    • okta.com/free
    • ADFS Terminology (Source: technet.microsoft.com)
      AD FS 2.0 configuration database: A database used to store all configuration data that represents a single AD FS 2.0 instance or Federation Service. This configuration data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008 and Windows Server 2008 R2 or using a Microsoft SQL Server database.
      Claim: A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.
      Federation Service: A logical instance of AD FS 2.0. A Federation Service can be deployed as a standalone federation server or as a load-balanced federation server farm. You can configure the name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate.
      Federation server: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act in the federation server role. A federation server serves as part of a Federation Service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of claims, such as a user's name or role.
    • ADFS Terminology - continued (Source: technet.microsoft.com)
      Federation server farm: Two or more federation servers in the same network that are configured to act as one Federation Service instance.
      Federation server proxy: A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federation Service that is located behind a firewall on a corporate network.
      Relying party: A Federation Service or application that consumes claims in a particular transaction.
      Relying party trust: In the AD FS 2.0 Management snap-in, a relying party trust is a trust object that is created to maintain the relationship with another Federation Service, application, or service (in this case with Google Apps or Salesforce.com) that consumes claims from your organization’s Federation Service.
      Network load balancer: A dedicated application (such as Network Load Balancing) or hardware device (such as a multilayer switch) used to provide fault tolerance, high availability, and load balancing across multiple nodes. For AD FS 2.0, the cluster DNS name that you create using this NLB must match the Federation Service name that you specified when you deployed your first federation server in your farm.
    • Summary – ADFS Pros and Cons. Pros: just a Windows Server role; flexible SAML, WS-FED solution; tight AD integration. Cons: difficult to configure; difficult to make production ready; limited application coverage; no re-use (must set up for each app); no provisioning; no reporting; no policy controls.
    • How are accounts created? How do users authenticate? How does IT manage these accounts? How are accounts de-provisioned? Solution: connect AD to the cloud.