Scroll Top

Are ADFS and SSO the Same? Penta’s Guide

ARE ADFS AND SSO THE SAME (3)

Confused?

Imagine if customers in a bar were asked to show their ID to prove their age every time they tried to buy a drink. Customers would quickly become frustrated with all the checks. However, most bars will only check a customer’s ID once, and serve them over the course of an evening.

This is a bit like Single Sign On, which allows users to establish their identity once and then access multiple web applications and services.

Active Directory Federation Services (ADFS) enables Single Sign On in Windows environments. It’s a tool for implementing SSO, but it’s not SSO on its own. Developers often confuse one with other — and it’s easy to see why.

Read on to discover the fundamentals of SSO and ADFS, their benefits and drawbacks, and where and when to use them. By the end of this guide you’ll have a working knowledge of AFDS and SSO and which to add to your app.

TL;DR

What is SSO?

SSO is a cloud security tool that allows users to log in once and access multiple apps without logging in again and again.

What is ADFS?
ADFS is Microsoft’s own solution for Single Sign-On (SSO) within Windows environments.

What are they used for?
Both are used to link (federate) user identities to cloud apps. This allows users to use one set of credentials to log in to multiple apps.

Is ADFS the same as SSO?
No, ADFS and SSO are not the same. ADFS only works only in Windows environments. You can implement SSO for apps hosted in non-Windows environments.

Do you need both ADFS and SSO?
ADFS is a form of SSO. When people talk about ‘SSO tools’, they often mean a broader category of identity and access management (IAM) tools that include ADFS.

What is ADFS?

Active Directory Federation Services (ADFS) is a feature of the Windows Server operating system. It extends user access to apps and services in the cloud or outside the corporate firewall. t functions similarly to other SSO solutions, but instead of using a third-party tool, organisations can use their own local Active Directory.

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Active  Directory  stores

usernames and passwords and uses them to manage access to on-prem devices on a Windows domain. It also provides SSO access to corporate applications.

ADFS extends this to authenticate users on third-party systems, web apps and services in the cloud.

ADFS can be used as a bolt-on web server to AD on-premises. Nowadays, it’s more common to use the Azure version of ADFS, which is more opinionated and easier to work
with.

Through its SSO capabilities, ADFS can authenticate a user to different, related apps during a single online session. ADFS shares the user’s identity and access rights, known as claims, beyond the firewall to the cloud.

When users attempt to access an app from one of their trusted business partners (or federation), their organisation must authenticate their identity via ‘claims’ to the host of the app. The host can then make authorisation decisions based on the claims.

Key Features ADFS?

  • It’s part of Windows Server and can be installed on-prem or as Azure AFDS
  • It can authenticate using SAML (Security Assertion Markup Language) certificates, cookies, OAuth and other security tokens.
  • It can be configured to have trust relationships that also accept OpenID accounts

How ADFS authenticates users

  1. When a user tries to log in to an app, it redirects them to the ADFS login page where they enter their username and password
  2. ADFS forwards the user’s credentials to an identity provider like AD for authentication
  3. The identity provider verifies the user, and returns information in the form of claims (user attributes like name, email, roles, or permissions)
  4. Based on the claims, ADFS generates a security token and digitally signs it
  5. ADFS sends the security token back to the app the user wanted to access
  6. The app verifies the token’s signature and uses the claims to make access control decisions. The user is granted access if the claims meet requirements

Pros and cons of ADFS

Identity federation: ADFS establishes trust with external apps (like yours) outside the network, allowing federation partners to share a streamlined UX

Single Sign On: ADFS enables SSO so users can log in once to ADFS and then access multiple apps and services without logging in again

Integrations: you can add SSO solutions like Red Hat Single Sign-On (RHSSO) to ADFS to further improve user authentication and management

But while ADFS is a valuable tool, but it does have a few drawbacks:

It’s cumbersome to use when integrating with cloud or non-Microsoft mobile apps

It’s complex to set up and requires significant IT resources to configure and maintain

It can be difficult to scale and requires tedious app installations

It’s technically free, but ADFS can have hidden costs such as maintenance

What is SSO?

From a development perspective, SSO is an authentication method that simplifies the login process. It enables users to access various apps with a single set of credentials. With SSO in your app, you reduce sign-up and login friction, boosting user acquisition and retention.

At its core is a centralised Identity Provider (IdP). This verifies the user’s identity and issues tokens that act as digital proof the user is authenticated. While ADFS is strongly tied to Windows Server, other SSO solutions are not tied to any platform and can run in the cloud. They are also easier to set up and configure. SSO is typically implemented using protocols like OpenID Connect or SAML. These define how the authentication data is formatted and exchanged between the IdP and apps.

Key Features of SSO?

It synchronises passwords and user information, making access to different platforms and resources much easier. · It improves network and app security. Single Sign On can uniquely identify a user, ensuring compliance with security standards and regulations. · It encrypts user data, supports MFA to prevent social engineering, and integrates securely with Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) to exchange user data.

How does SSO authenticate users?

  1. The user navigates to the app’s login page and begins the login process
  2. The app redirects the user to their IdP
  3. The user logs in to the IdP with their credentials (like a username and password)
  4. Once the IdP authenticates the user, it issues a token containing the user’s identity and authentication status
  5. The IdP sends the token to the
  6. The app receives the token and verifies its authenticity
  7. If the token is valid, the app grants the user access

Pros and cons of SSO

Better developer experience: modern SSO solutions are generally easier to implement compared to ADFS. Some even offer pre-built integrations, SDKs, or APIs that simplify the process even more.

Platform-neutral: while ADFS is built for Windows environments, modern SSO solutions are cloud-based and can be used on any platform.

Multi-factor authentication: you can activate MFA at a single point instead of on multiple apps.

However, supporting multiple IdPs can be resource-intensive. Each IdP might use a different SSO protocol, and these vary in how they manage authentication, not to mention the implementation nuances in each protocol. If an app connects to multiple IdPs, you may need to create integrations for all of them.

It synchronises passwords and user information, making access to different platforms and resources much easier. · It improves network and app security. Single Sign On can uniquely identify a user, ensuring compliance with security standards and regulations. · It encrypts user data, supports MFA to prevent social engineering, and integrates securely with Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) to exchange user data.

Which is right for you?

Whether you add and support ADFS or another SSO tool will depend on your clients. Both offer developers an easy way to authenticate users with identities in an organisation’s directory. Many third-party SSO solutions are available, but ADFS is the natural choice to run SSO on native infrastructures in Microsoft environments.

Use ADFS if you’re building apps for enterprises that use Windows, Microsoft-based apps, or Active Directory to manage users

Use a broader SSO solution if your enterprise customers have diverse IT environments that aren’t limited to Windows.

How we can help

We provide technology resource to the world’s favourite tech companies, enabling clients around the globe to tackle their most complex challenges. Need technical expertise or looking for your next role in Identity and Access Management? 

Leave a comment

Call +44 (0)208 647 3999