There are a number of different ways to provide Single Sign-On (SSO) in a Microsoft Cloud environment. The two most popular are Active Directory Federation Services (ADFS) and Password Sync, which is part of the Azure Active Directory Connect (DirSync) tool. Microsoft includes both technologies within the Office 365 licensing; however, both require the proper Windows Server licensing.
ADFS with federated login provides true Single Sign-On (SSO) with Office 365, whereas DirSync with Password Sync provides Same Sign-On, meaning users will be prompted for credentials when accessing Office 365 even from domain-joined machines. ADFS also allows for finer access control, for example based on client IP address.
With DirSync with Password Synchronization, your users can use the same password they use to log on to your on-premises Active Directory to log on to Windows Azure Active Directory. The users' accounts and passwords are authenticated by Office 365; with ADFS SSO, the credentials are authenticated by the on-premises ADFS server.
Pros of ADFS:
- ADFS can be configured such that users who are already logged on to a domain-joined and connected machine do not need to re-enter a password to sign in at Office 365. This gives you true single sign-on since re-entry of the password is not required. With DirSync and password hash synchronization a user must still re-enter their password, although it will be the same password they use on-premises. This is especially important for SharePoint Online, since users may need to go there dozens of times per day.
- ADFS allows for client access filtering, which restricts access to Exchange Online based on the user's IP address. Customers frequently use this control to limit hourly workers to checking mail only while on site. Find more details here: Can I Limit Access to Office 365 for Remote or Hourly Users?
- ADFS will honor Active Directory configured login time restrictions for users.
- ADFS can include web pages for users to change their passwords while they are outside the corporate network.
- With ADFS the authentication decision is always made on-premises and no password hashes are synchronized to the cloud. This may be obvious, but it is sometimes a security policy requirement.
- With ADFS an administrator can immediately block a user to remove access, whereas DirSync synchronizes these changes every three hours. Only password changes are synchronized by DirSync every two minutes.
- ADFS permits use of on-premises deployed multi-factor authentication products. Note that Azure AD supports multi-factor authentication but many third party multi-factor authentication products require on-premises integration.
- Where Microsoft Forefront Identity Manager (FIM) is required for some other FIM capability: FIM directory synchronization does not include password hash synchronization, so ADFS will still be required for SSO login.
- Some on-premises-to-cloud hybrid scenarios, such as hybrid search, require ADFS.
If you need any of these functionalities then Active Directory Federation Services is still the best option.
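As an added example (not from the article or from Microsoft's documentation), this is the shape of the ADFS issuance authorization rule behind the client access filtering listed above: it denies Office 365 sign-ins that arrive through the federation proxy from any client IP outside the corporate range, while requests from the internal network are unaffected. The relying-party name and the public IP regex are assumptions to replace with your own values.

```powershell
# Added example: restrict Office 365 sign-in through ADFS to on-site clients.
# Uses the request-context claims ADFS adds when a request comes through the
# federation proxy (x-ms-proxy, x-ms-forwarded-client-ip).

# ASSUMPTION: the relying party trust created when the domain was federated.
$rpName = "Microsoft Office 365 Identity Platform"

# ASSUMPTION: regex for the organisation's public egress addresses
# (203.0.113.20-31 from the documentation range; replace with yours).
# Anchor it and escape the dots, otherwise 203.0.113.2 would also match 1203.0.113.25.
$corpIpRegex = '^203\.0\.113\.(2[0-9]|3[01])$'

# Deny when the request came via the proxy (i.e. from outside the network)
# AND the forwarded client IP does not match the corporate range.
$denyExternal = @"
@RuleName = "Deny external access outside corporate IP range"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Append to the existing rules (normally "Permit all users") rather than
# replacing them; an issued deny claim overrides a permit claim.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules ($existing + "`r`n" + $denyExternal)

# Read the rule set back and check it before relying on it.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test from an external client before rollout, since a too-broad regex locks everyone out and a too-narrow one silently lets external sign-ins through.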
Cons of ADFS:
- Additional infrastructure needed to deploy.
- Added point of failure (even if multiple servers are deployed, this option brings in more dependencies for the setup to work).
- Additional cost involved with this setup.
- SSL certificate from a public CA is needed and needs to be renewed on a periodic basis (cost/administrative work involved).
Read more: Password Hash Sync Article