Azure SSO vs ADFS

  • Question

  • I'm looking for advice.  I set up SSO for Office 365 with ADFS and Azure AD Connect a couple of years ago.  Since then I have added 3 more Relying Party Trusts to ADFS.

    I am now learning that Azure SSO is something completely different.  I have a couple more services I wish to configure with SSO and don't know if I should continue with ADFS or "switch" to Azure SSO.  I put "switch" in quotes because I'm not even sure if that is what I need to do.  I contacted Azure support and was unable to understand their explanation of my options, only that they recommend I keep using ADFS and it "will be alright".  

    I have read all the Microsoft documentation, which has only confused me more.  I guess I'm looking for real world examples and/or explanations.

    thanks,

    • Moved by Femisulu-MSFT Wednesday, November 7, 2018 3:39 AM better suited here
    Monday, November 5, 2018 6:35 PM

Answers

  • Azure SSO - Azure AD SSO is cloud-only. You have all of your users stored in the cloud and they are given permission to your applications by role-based authorization in your Azure Active Directory tenant. You just add the users to your directory and authenticate them in your applications using an OWIN library like OpenID Connect.

    OWIN libraries enable single sign-on (SSO) using OpenID Connect via cookie-based authentication. After authentication is completed and the token representing the user is sent to your application, OWIN middleware creates a session cookie. The browser then uses this cookie on subsequent requests so the user doesn't need to retype the password, and no additional verification is needed.

    See the GitHub sample and a short video my colleague and I made showing how to use Azure-only SSO for two web apps.

    ADFS SSO is federated SSO with on-premises users. Users can authenticate using on-premises credentials and access resources in the cloud. ADFS also allows you to add some more advanced security requirements such as smartcard authentication or third-party MFA.

    If you have both on-premises users and cloud-only users you can use both ADFS and Azure SSO for the same application, which is what I would recommend based on your description. 

    This comparison guide is helpful for choosing the right authentication method for your on-premises environment.

    See also this similar question.


    Wednesday, November 7, 2018 7:25 PM
    Owner
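The cookie-based OpenID Connect setup the answer describes, as an added example that is not part of the original thread and not Microsoft's GitHub sample: an OWIN `Startup` class for an ASP.NET (Katana) web app that signs users in against an Azure AD tenant with OpenID Connect and keeps the session in a cookie. It assumes the NuGet packages `Microsoft.Owin.Host.SystemWeb`, `Microsoft.Owin.Security.Cookies` and `Microsoft.Owin.Security.OpenIdConnect` (4.1 or later for `CookieSameSite`); the namespace `ContosoWeb`, the tenant ID, client ID and redirect URI are placeholders.

```csharp
// Added example, not from the original post. Placeholder tenant/client/redirect
// values; in a real app read them from Web.config.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(ContosoWeb.Startup))]

namespace ContosoWeb
{
    public class Startup
    {
        // Hypothetical values: the app registration's client ID, the tenant the app
        // trusts, and the reply URL registered for that app.
        private const string ClientId = "00000000-0000-0000-0000-000000000000";
        private const string TenantId = "11111111-1111-1111-1111-111111111111";
        private const string RedirectUri = "https://app.contoso.com/";

        // Tenant-specific v2.0 authority; the middleware reads signing keys and
        // endpoints from its OpenID Connect discovery document.
        private static readonly string Authority =
            "https://login.microsoftonline.com/" + TenantId + "/v2.0";

        public void Configuration(IAppBuilder app)
        {
            // The cookie middleware owns the session. OpenID Connect runs once, at
            // sign-in, and its result is persisted as the cookie principal, which is
            // why later requests need no password and no further round trip to Azure AD.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Session cookie hardening: HTTPS only, not readable by script,
                // not sent on cross-site POSTs, and bounded in lifetime.
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true,
                CookieSameSite = SameSiteMode.Lax,
                ExpireTimeSpan = TimeSpan.FromHours(8),
                SlidingExpiration = true,
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                Scope = "openid profile",
                // id_token response type: the app registration must have "ID tokens"
                // enabled under Authentication (implicit grant) for this to work.
                ResponseType = "id_token",
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Every Azure AD tenant signs with the same key set, so a token
                    // from another tenant validates cryptographically. Pinning the
                    // issuer to our tenant is what actually restricts who can sign in.
                    ValidateIssuer = true,
                    ValidIssuer = Authority,
                    // Map Azure AD claims so User.Identity.Name and
                    // [Authorize(Roles = "...")] work with app roles from the tenant.
                    NameClaimType = "name",
                    RoleClaimType = "roles",
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Fail closed: a validation error must not fall through to an
                    // unauthenticated page that leaks the exception to the browser.
                    AuthenticationFailed = ctx =>
                    {
                        ctx.HandleResponse();
                        ctx.Response.Redirect("/Error");
                        return Task.FromResult(0);
                    },
                },
            });
        }
    }
}
```

Controllers then simply carry `[Authorize]`; an unauthenticated request triggers the OpenID Connect challenge, and the returned ID token is turned into the session cookie. For the hybrid case the answer recommends, nothing in this class changes: when the user's domain is federated to ADFS through Azure AD Connect, Azure AD redirects that user to ADFS for the actual credential check and then issues the token itself, so the app trusts only Azure AD and cloud-only users sign in through the same path.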

All replies

  • Thank you.  Hearing that I "can use both ADFS and Azure SSO for the same application" makes me feel better.
    Tuesday, November 13, 2018 4:31 PM
  • Yes, you can use Azure AD with cookie-based authentication. (See the GitHub sample and guide, or refer to the video my colleague and I made showing how to use it.)

    Then in the backend you will use ADFS federated authentication and just sync those users from on-premises to your Azure Active Directory.

    Tuesday, November 13, 2018 5:55 PM
    Owner