Single Sign-on (SSO) Options with Azure Active Directory

Figuring out the best way to implement Single Sign-On (SSO) in a Microsoft cloud environment can be challenging given how the options have evolved over time, but it’s a key component of any successful Office 365 or Azure deployment. There are four main options on how you can configure SSO:

• Cloud-only passwords without SSO

• Password synchronization with SSO

• Pass-through Authentication with SSO

• Federated Identity (ADFS or 3^rd party) 

The most basic option is to not implement single sign-on at all, which might make sense for smaller implementations. In this scenario, user accounts are provisioned on Office 365 and users logon independently of their local Active Directory. 

Cloud-only passwords – non-SSO

The most basic option is to not implement single sign-on at all, which might make sense for smaller implementations. In this scenario, user accounts are provisioned on Office 365 and users logon independently of their local Active Directory. 

Pros: 

• Quick implementation 
• Self-service password reset is available for Office 365 accounts 
• No need to dedicate servers or infrastructure for SSO 
• Can be used if Active Directory is not deployed or most clients are not AD joined 

Cons: 

• No SSO for end users 
  
  

Password Synchronization with SSO

Microsoft provides a tool called Azure Active Directory (AD) Connect to synchronize user data from on-premise Active Directory to Azure AD. This saves provisioning user accounts on Office 365 while also giving the ability to synchronize a hash of the end user’s password. The end user’s full password is not synced, and a password change on-premise will trigger a sync. In this scenario, users on the network will receive a Kerberos challenge and be able to pass that token to Azure AD for authentication. Users who are outside of the network will login with their AD credentials.

Pros: 

• Provides SSO without additional resources
• Users will still be able to sign-in if there are issues with on-premises resources
• ADFS (Active Directory Federation Services) SSO apps can be moved to Azure AD
• Users have one password to remember for on-premise and Microsoft cloud services 
• The same server that syncs user data also syncs passwords which minimizes on-premises infrastructure footprint 
• AD infrastructure or Internet can be down without restricting the ability to logon to Office 365 

Cons: 

• Since logons terminate in Azure AD, you lose the ability to have more granular logon restrictions that come with full Active Directory such as restricting logon times which can be critical for some businesses due to changes in federal labor regulations regarding hourly employees.
• Self-service password reset for Office 365 accounts is unavailable without purchasing Azure AD Premium or Enterprise Mobility + Security Suite licenses.
  
  

Pass-through Authentication 

Another option for SSO is to use pass-through authentication with Azure AD Connect. The latest version of the Azure AD Connect tool includes an agent that opens and maintains an outbound connection to Azure AD (no DMZ or firewall rules required). When this option is enabled, user logons to Office 365 are passed back through this open tunnel to your on-premise Active Directory where they are authenticated live. This means you have access to logon time restrictions. The good news is that you can deploy additional agents which ideally would use separate internet connections. Of course, the downside of having machines authenticate against your local AD is that you need to provide high availability.

The best part is that pass-through authentication means that we can now have domain joined machines pass through their domain credentials seamlessly. This takes place automatically in most web browsers (IE, Chrome and Firefox). If you have Outlook 2013 or later deployed and modern authentication enabled, Outlook can take advantage of seamless single sign-on as well. 

Pros: 

• True single sign-on for domain joined PCs in Outlook (2013 or later) and in the web browser – no password needed. 
• Similar experiences to password sync for external or non-domain joined PCs. 
• Built into Azure AD Connect which minimizes infrastructure footprint. 
• Can deploy additional agents for redundancy. 
• Some organizations have security requirements that prohibit syncing a password hash 

Con: 

• Building enough redundancy can be a challenge for companies with a single datacenter and internet connection. 
  
  

Federated Identity 

Federated identity offers some unique security options not available in other scenarios, but it also has the most requirements in terms of server infrastructure to implement. To enable federated identity, you need to deploy Active Directory Federation Services (ADFS) in an on-premise network. A typical deployment would be a two-server farm at separate sites (Azure has an option to add a second site for single datacenter customers). Two additional servers are needed in a DMZ (demilitarized zone, sometimes referred to as perimeter network) to securely publish ADFS to the internet. Once ADFS is in place, federated identity can be enabled with a few PowerShell commands. 

Similar to pass-through authentication, user logon attempts are passed back to the ADFS farm to validate against your local active directory. Outlook 2013 or later will leverage modern authentication to communicate with ADFS. Web browsers will get redirected to the ADFS server to complete their authentication. This lets you use what’s called SmartLinks technology to allow users to logon directly to SharePoint online without entering a username or password. 

You also have access to security features not available in other scenarios. You can enable client access filtering which lets you restrict access to Microsoft cloud services based on IP address (commonly used for hourly employees that shouldn’t be able to check email from home). You can also integrate with on-premise multifactor authentication servers (although you should be looking at Microsoft Azure options for MFA). 

Pros: 

• Full SSO capabilities in the web browser and Outlook. 
• Advanced security configurations available including the ability to filter connection on source IP address. 
• No need to sync a password hash. 
• ADFS farm can be reused with other cloud services that support SAML. 

Cons: 

• Additional infrastructure requirements. 
• Additional points of failure. 
• Additional cost to setup. 
• SSL certificate from a public CA is required which will require periodic updating.

Think you are interested in SSO, but want to talk with an expert about which option is best for your company and environment? Contact us today!