
Single Sign-on (SSO) Options with Azure Active Directory
Figuring out the best way to implement Single Sign-On (SSO) in a Microsoft cloud environment can be challenging given how the options have evolved over time, but it’s a key component of any successful Office 365 or Azure deployment. There are four main options for configuring SSO:
- Cloud-only passwords without SSO
- Password synchronization with SSO
- Pass-through Authentication with SSO
- Federated Identity (ADFS or 3rd party)
Cloud-only passwords – non-SSO
The most basic option is to not implement single sign-on at all, which might make sense for smaller implementations. In this scenario, user accounts are provisioned directly in Office 365 and users log on independently of their local Active Directory.
Pros:
- Quick implementation
- Self-service password reset is available for Office 365 accounts
- No need to dedicate servers or infrastructure for SSO
- Can be used if Active Directory is not deployed or most clients are not AD joined
Cons:
- No SSO for end users
Password Synchronization with SSO
Microsoft provides a tool called Azure Active Directory (AD) Connect to synchronize user data from on-premises Active Directory to Azure AD. This saves provisioning user accounts in Office 365 by hand and can also synchronize a hash of each end user’s password. The end user’s full password is never synced, and a password change on-premises triggers a sync of the new hash. In this scenario, users on the network receive a Kerberos challenge from Azure AD and their domain-joined machine answers it with a Kerberos ticket, so they are signed in without typing a password. Users who are outside the network log in with their AD credentials.
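Two things a practitioner will want to verify once password hash sync and the Kerberos-based seamless sign-on are in place: that the hash sync is actually running (if it stalls, on-premises password changes stop reaching Azure AD), and that the Kerberos decryption key Azure AD uses to validate those tickets is rolled over regularly. The script below is an added example, not code from the original post or from Microsoft; it assumes the MSOnline module, the AzureADSSO module that ships in the default Azure AD Connect install directory, and that it is run on the Azure AD Connect server. `$MaxSyncAgeHours` is a threshold chosen for this example.

```powershell
# Added example: health check for password hash sync plus Seamless SSO key rollover.
# Assumes: MSOnline module installed; run on the Azure AD Connect server.
param(
    [int] $MaxSyncAgeHours = 3   # example threshold; sync normally runs every two minutes
)

Connect-MsolService   # prompts for a tenant admin account

$info = Get-MsolCompanyInformation

if (-not $info.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is not enabled for this tenant."
}
if (-not $info.PasswordSynchronizationEnabled) {
    Write-Warning "Password hash synchronization is disabled; cloud passwords will not follow on-premises changes."
}

# A stale LastPasswordSyncTime means password changes (and the disable/lockout state
# that sync carries with them) are no longer reaching Azure AD.
$age = (Get-Date).ToUniversalTime() - $info.LastPasswordSyncTime
if ($age.TotalHours -gt $MaxSyncAgeHours) {
    Write-Warning ("Last password sync was {0:N1} hours ago ({1:u}); check the Azure AD Connect server and its sync scheduler." -f $age.TotalHours, $info.LastPasswordSyncTime)
} else {
    Write-Output ("Password hash sync healthy; last sync {0:u}" -f $info.LastPasswordSyncTime)
}

# Seamless SSO relies on the AZUREADSSOACC computer account in AD. Azure AD validates
# the Kerberos tickets users present with that account's key, so Microsoft recommends
# rolling the key at least every 30 days. Module path is the default install location.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
New-AzureADSSOAuthenticationContext            # prompts for cloud admin credentials
Get-AzureADSSOStatus | ConvertFrom-Json | Format-List   # shows whether SSO is enabled and for which forests

$onPremCreds = Get-Credential -Message "Domain Administrator credentials for the on-premises forest"
Update-AzureADSSOForest -OnPremCredentials $onPremCreds   # rolls the AZUREADSSOACC Kerberos key
```

Run the first half from any scheduled job that can reach the tenant; the key rollover needs domain administrator rights in the forest and is typically done as a recurring monthly task so the key never ages past the recommended window.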
Pros:
- Provides SSO without additional resources
- Users will still be able to sign-in if there are issues with on-premises resources
- ADFS (Active Directory Federation Services) SSO apps can be moved to Azure AD
- Users have one password to remember for on-premise and Microsoft cloud services
- The same server that syncs user data also syncs passwords which minimizes on-premises infrastructure footprint
- AD infrastructure or Internet can be down without restricting the ability to logon to Office 365
Cons:
- Since logons terminate in Azure AD, you lose the more granular logon restrictions that come with full Active Directory, such as restricting logon hours, which can be critical for some businesses because of changes in federal labor regulations regarding hourly employees.
- Self-service password reset for Office 365 accounts is unavailable without purchasing Azure AD Premium or Enterprise Mobility + Security Suite licenses.
Pass-through Authentication
Another option for SSO is to use pass-through authentication with Azure AD Connect. The latest version of the Azure AD Connect tool includes an agent that opens and maintains an outbound connection to Azure AD (no DMZ or inbound firewall rules required). When this option is enabled, user logons to Office 365 are passed back through this open tunnel to your on-premises Active Directory, where they are authenticated live. This means you retain access to logon time restrictions. The downside of having machines authenticate against your local AD is that you need to provide high availability; the good news is that you can deploy additional agents, ideally on separate internet connections.
The best part is that pass-through authentication lets domain-joined machines pass through their domain credentials seamlessly. This takes place automatically in most web browsers (IE, Chrome and Firefox). If you have Outlook 2013 or later deployed and modern authentication enabled, Outlook can take advantage of seamless single sign-on as well.
Pros:
- True single sign-on for domain-joined PCs in Outlook (2013 or later) and in the web browser – no password needed.
- Similar experience to password sync for external or non-domain-joined PCs.
- Built into Azure AD Connect, which minimizes infrastructure footprint.
- Can deploy additional agents for redundancy.
- Satisfies the security requirements of organizations that prohibit syncing a password hash.
Con:
- Building enough redundancy can be a challenge for companies with a single datacenter and internet connection.
Federated Identity
Federated identity offers some unique security options not available in other scenarios, but it also has the most requirements in terms of server infrastructure to implement. To enable federated identity, you need to deploy Active Directory Federation Services (ADFS) in an on-premises network. A typical deployment would be a two-server farm at separate sites (Azure has an option to add a second site for single-datacenter customers). Two additional servers are needed in a DMZ (demilitarized zone, sometimes referred to as a perimeter network) to securely publish ADFS to the internet. Once ADFS is in place, federated identity can be enabled with a few PowerShell commands.
Similar to pass-through authentication, user logon attempts are passed back to the ADFS farm to validate against your local Active Directory. Outlook 2013 or later will use modern authentication to communicate with ADFS. Web browsers are redirected to the ADFS server to complete their authentication. This lets you use what’s called SmartLinks technology to allow users to log on directly to SharePoint Online without entering a username or password.
You also have access to security features not available in other scenarios. You can enable client access filtering, which lets you restrict access to Microsoft cloud services based on IP address (commonly used for hourly employees who shouldn’t be able to check email from home). You can also integrate with on-premises multi-factor authentication servers (although you should be looking at Microsoft Azure options for MFA).
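The "few PowerShell commands" that federate a domain, together with the client access filtering described above, look like the following. This is an added example and not the post's or Microsoft's own script; it assumes the MSOnline module, an existing ADFS farm with the Web Application Proxy in front of it, and that it is run on the primary ADFS server. `contoso.com`, the egress IP list and the baseline path are placeholders. The baseline/diff step goes beyond the post: once a domain is federated, Azure AD trusts whatever token-signing certificate the federation settings name, so an unexpected change to `SigningCertificate` or `NextSigningCertificate` is something to alert on, not just log.

```powershell
# Added example: federate a domain, apply an IP-based client access policy,
# and keep a baseline of the federation settings Azure AD now trusts.
# Assumes: MSOnline module; run on the primary ADFS server; placeholders below.
param(
    [string]   $DomainName       = "contoso.com",                       # placeholder
    [string[]] $AllowedPublicIPs = @("203.0.113.10", "203.0.113.11"),   # placeholder egress IPs
    [string]   $BaselinePath     = "C:\Baselines\federation-$DomainName.json"
)

Connect-MsolService                                  # cloud admin credentials
Set-MsolADFSContext -Computer $env:COMPUTERNAME      # point MSOnline at this ADFS server

# 1. Convert the domain from managed (cloud/PHS/PTA) to federated, once.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -eq "Managed") {
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# 2. Client access policy: deny sign-ins that arrive from outside the corporate
#    network unless the client IP (as forwarded by the proxy) is on the allow list.
#    Anchoring each address with $ stops "203.0.113.1" from matching "203.0.113.10".
$escaped = $AllowedPublicIPs | ForEach-Object { [regex]::Escape($_) + '$' }
$pattern = '^(?!' + ($escaped -join '|') + ')'
$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external access except from approved egress IPs"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$pattern"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -IssuanceAuthorizationRules $rules

# 3. Record what Azure AD trusts for this domain and diff it on later runs.
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, SigningCertificate, NextSigningCertificate

if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($p in $settings.PSObject.Properties.Name) {
        if ("$($baseline.$p)" -ne "$($settings.$p)") {
            Write-Warning "Federation setting '$p' for $DomainName differs from baseline; confirm this was an intended change."
        }
    }
} else {
    $settings | ConvertTo-Json | Set-Content $BaselinePath
    Write-Output "Federation baseline written to $BaselinePath"
}
```

The `x-ms-forwarded-client-ip` claim is only populated when the request reaches ADFS through the Web Application Proxy or from Exchange Online on the client's behalf, so test the deny rule with an external browser session and an Outlook client before relying on it; users already inside the corporate network (`insidecorporatenetwork == true`) are never affected by it.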
Pros:
- Full SSO capabilities in the web browser and Outlook.
- Advanced security configurations are available, including the ability to filter connections by source IP address.
- No need to sync a password hash.
- ADFS farm can be reused with other cloud services that support SAML.
Cons:
- Additional infrastructure requirements.
- Additional points of failure.
- Additional cost to setup.
- An SSL certificate from a public CA is required and must be renewed periodically.
Think you are interested in SSO, but want to talk with an expert about which option is best for your company and environment? Contact us today!
About the author
Mike Wilson brings over 18 years of technology experience to Interlink. Prior to joining Interlink, he served as a Director of Technology for a mid-size insurance company and has led multiple consulting practices to substantial growth. In those roles, Mike delivered tremendous value for his customers by designing and implementing scalable, reliable and business aligned solutions. Mike’s focus at Interlink is on leveraging the power of the Microsoft cloud to streamline IT operations in a way that reduces cost and allows businesses to refocus on core operations. He plays a key role in architecting projects and ensuring high standards in service delivery across the Interlink team. Mike earned a Bachelor of Science degree in Mathematics from the University of Cincinnati and is a proud graduate of St. Xavier High School. He is active in a number of local non-profits and has served on multiple non-profit boards and in executive leadership.
