Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
DESCRIPTION
Since its introduction with Windows Server 2008, AD FS 2.0 has been Microsoft’s answer to extending enterprise identity beyond the firewall. However, building an identity management solution with the AD FS toolkit has many hidden costs. While AD FS solves some identity challenges for Microsoft’s product family, as is typical from Microsoft, many more gaps exist when attempting to integrate with cloud or mobile applications from other vendors. Built as a single sign-on toolkit, AD FS requires a significant investment to deploy into production and still doesn’t deliver a full identity management solution. This webinar will discuss the following AD FS hidden costs as well as free alternatives that help avoid them:
- Building out missing features
- Setup & configuration
- Hardware & software
- Availability & reliability
- On-going maintenance
TRANSCRIPT
Kick the AD FS Habit
Agenda
- Trends in IT and how they affect identity
- AD FS overview, costs, and shortcomings
- Okta’s approach to AD integration
- Q&A
okta confidential 2
What We’ll Show Today
AD FS is Not Free
- Significant server costs
- Setup and configuration efforts
- Ongoing maintenance costs
- No repeatability
- More apps = more costs
AD FS is Not A Complete Solution
- Limited app support
- No provisioning
- No reporting
- No native mobile apps
Diagram: Identity sits between Applications, Devices and People. Trends: + custom, cloud and mobile applications; + iPhone, Android and iPad devices; + remote users, partners and customers. Result: pain for end users, pain for IT (time-consuming user provisioning), and pain for the security team.
Cloud IAM:
- Service
- Enterprise Grade
- Integrated
- Future Proof
- Easy to Use
“Cloud IAM Has Superior ROI”
“Cloud IAM is the best option; 310% ROI over manual processes, 90% reduction of operations vs. on-prem solutions.”
“By the end of 2015, IDaaS will account for 40% of all new IAM sales”
On-prem IAM:
- HW, SW, Infrastructure
- Services Intense
- Connector Treadmill
- Forklift Upgrades
AD FS Overview
AD FS 2.0
Diagram: Your Network (Active Directory as the user store, on-prem apps) behind the Firewall; cloud apps out on the Internet. What to use here? How to connect these cloud apps to Active Directory?
Source: microsoft.com, technet.microsoft.com
AD FS – High Level
Source: technet.microsoft.com
Server Farm?
Step 1: Deploy Your Federation Server Farm
Source: technet.microsoft.com
- Dedicated servers behind your corporate network
- Double server count for HA
Step 2: Deploy Your Federation Server Proxies
Source: technet.microsoft.com
- Dedicated proxy servers in your DMZ (!)
- Double server count for HA
How Many Servers are We Talking About?
Number of users accessing the cloud service   Minimum number of servers to deploy
1,000 to 15,000 users                         2 dedicated federation servers
                                              + 2 dedicated federation server proxies
15,000 to 60,000 users                        Between 3 and 5 dedicated federation servers
                                              + At least 2 dedicated federation server proxies
Source: technet.microsoft.com
4-7 dedicated servers for one cloud application; half of these are deployed in your DMZ.
…we’re not done
SQL Servers added to the mix…
Source: technet.microsoft.com
Even more servers to run the database that holds configuration
Don’t forget your Certificates
Certificate types:
- Token-signing certificate
- Service communication certificate
- Token-decryption certificate
Source: technet.microsoft.com
- Separate certificates for each server
- Must be purchased from a CA
- Must be managed and renewed
The true costs of AD FS…
Chart: Setup (time) + hardware costs and support & maintenance, shown for Year One, Year Two, Year Three and Total; $25k - $50k for the first app.
…are costs that grow over time
Chart: Year One, Year Two, Year Three and Total; more apps = more cost.
Example: Office365
Source: perficient.com/Partners/Microsoft
Source: blog.force365.com/salesforce-sso-with-adfs-2-0/
Example: AD Integration with Okta – 30 minutes or less
1. Download AD Agent, install on a Windows machine
2. Enter Okta URL and credentials; HTTPS from company to Okta; no firewall configuration necessary
3. Configure Agent: directory location, credentials
4. Configure import rules
Diagram: Internet | Firewall | Your Network; AD Domain Controller – Okta Agent – https://yourcompany.okta.com
It’s Not Just About Cost
AD FS is Not Free
- Significant server costs
- Setup and configuration efforts
- Ongoing maintenance costs
- No repeatability
- More apps = more costs
AD FS is Not A Complete Solution
- Limited app support
- No provisioning
- No reporting
- No native mobile apps
Okta Overview
Enterprise Identity, Delivered
Diagram: Okta connects all your people (employees, customers, partners, contractors) on all your devices (desktop, laptops, tablets, smartphones) to 1,000’s of applications, whether mobile, on-prem or cloud, with on-prem identity (LDAP) as the user store.
Okta Powered Customer & Partner Portals: manage identities outside your firewall
Diagram: Customers and Partners sign in to a Portal (username, password) that fronts Cloud Apps and On Premise Apps.
Okta AD Integration Details
Active Directory Integration with Okta
1. Remote users authenticate with AD username and password
2. Local users transparently authenticate using Integrated Windows Authentication
3. Access policies driven by AD security groups
Diagram: Remote/Mobile Employees outside the Firewall, Employees inside; Active Directory (Group: Sales) with Okta Agent(s).
Easy to Use, Just Works
- Simple agent install, no network configuration required
- Multiple agents supported for High Availability
Broad Functionality
- Real-time synchronization with AD (no scheduled imports needed)
- Automatic de-activation in Okta of disabled/deleted users
- Delegate authentication for Okta to AD
Tight Windows Integration
- Integration into Windows Desktop Login
Setting Up AD Integration with Okta
1. Download AD Agent, install on a Windows machine
2. Enter Okta URL and credentials; HTTPS from company to Okta; no firewall configuration necessary
3. Configure Agent: directory location, credentials
4. Configure import rules
Diagram: Internet | Firewall | Your Network; AD Domain Controller – Okta Agent – https://yourcompany.okta.com
Real Time AD User Synchronization
Diagram: Internet | Firewall | Your Network; AD Domain Controller – Okta Agent (on Windows Server) – https://yourcompany.okta.com
1. AD Agent dynamically looks for changes in AD, makes HTTPS connection to Okta
2. Okta gets real-time updates, makes user and group changes as needed
3. Users provisioned, de-provisioned, application assignments based on security group membership
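As an added illustration of the synchronization flow above, and of the deck’s later points that disabled or deleted users are automatically de-activated and that application assignments are driven by AD security groups, here is a directory-to-cloud reconciliation written in Go. This is example code written for this page, not Okta’s agent or any product code; the ADUser, CloudUser and Action types, the group-to-application rules and the sample users (alice, bob, carol, dave) are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// ADUser is one account as an agent reads it from the directory.
type ADUser struct {
	Name    string
	Enabled bool
	Groups  []string // security groups the account belongs to
}

// CloudUser is the cloud-side state of the same account.
type CloudUser struct {
	Active bool
	Apps   map[string]bool // applications currently assigned
}

// Action is one change to push to the cloud service.
type Action struct {
	Kind string // create, activate, assign, unassign, deactivate
	User string
	App  string // set for assign/unassign only
}

// Reconcile diffs an AD snapshot against cloud state and returns the actions
// that make the cloud side match: enabled AD users exist and are active, app
// assignments follow security-group membership via groupApps, and users that
// are disabled in AD or missing from the snapshot (deleted) are deactivated.
func Reconcile(ad []ADUser, cloud map[string]CloudUser, groupApps map[string][]string) []Action {
	var actions []Action
	seen := map[string]bool{}
	for _, u := range ad {
		seen[u.Name] = true
		cu, exists := cloud[u.Name]
		if !u.Enabled {
			if exists && cu.Active {
				actions = append(actions, Action{Kind: "deactivate", User: u.Name})
			}
			continue
		}
		if !exists {
			actions = append(actions, Action{Kind: "create", User: u.Name})
			cu = CloudUser{Active: true, Apps: map[string]bool{}}
		} else if !cu.Active {
			actions = append(actions, Action{Kind: "activate", User: u.Name})
		}
		want := map[string]bool{}
		for _, g := range u.Groups {
			for _, app := range groupApps[g] {
				want[app] = true
			}
		}
		for app := range want {
			if !cu.Apps[app] {
				actions = append(actions, Action{Kind: "assign", User: u.Name, App: app})
			}
		}
		for app := range cu.Apps {
			if !want[app] {
				actions = append(actions, Action{Kind: "unassign", User: u.Name, App: app})
			}
		}
	}
	// Accounts deleted from AD are deactivated, not deleted, so audit history survives.
	for name, cu := range cloud {
		if !seen[name] && cu.Active {
			actions = append(actions, Action{Kind: "deactivate", User: name})
		}
	}
	// Map iteration is unordered; sort so the plan is deterministic and a user's
	// create/activate lands before its assignments.
	rank := map[string]int{"create": 0, "activate": 1, "assign": 2, "unassign": 3, "deactivate": 4}
	key := func(a Action) string { return fmt.Sprintf("%s/%d/%s", a.User, rank[a.Kind], a.App) }
	sort.Slice(actions, func(i, j int) bool { return key(actions[i]) < key(actions[j]) })
	return actions
}

// SampleActions runs Reconcile over constructed sample data.
func SampleActions() []Action {
	groupApps := map[string][]string{"Sales": {"salesforce", "office365"}, "Engineering": {"github", "office365"}}
	ad := []ADUser{
		{Name: "alice", Enabled: true, Groups: []string{"Sales"}},
		{Name: "bob", Enabled: true, Groups: []string{"Engineering"}},
		{Name: "carol", Enabled: false, Groups: []string{"Sales"}}, // disabled in AD
	}
	cloud := map[string]CloudUser{
		"alice": {Active: true, Apps: map[string]bool{"office365": true}},
		"carol": {Active: true, Apps: map[string]bool{"salesforce": true, "office365": true}},
		"dave":  {Active: true, Apps: map[string]bool{"office365": true}}, // deleted from AD
	}
	return Reconcile(ad, cloud, groupApps)
}

func main() {
	for _, a := range SampleActions() {
		fmt.Println(a.Kind, a.User, a.App)
	}
}
```

The design choice worth noting is that an account that disappears from the directory is deactivated rather than deleted: access is cut immediately, but the cloud-side record (and whatever it has been assigned and used) remains for audit. Group removal is handled symmetrically, so a user moved out of the Sales group loses the Sales-only applications on the next reconciliation.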
Delegated Authentication to AD
Diagram: Inside/Outside Network | Firewall | Your Network; AD Domain Controller – Okta Agent (on Windows Server) – https://yourcompany.okta.com
1. User logs into https://yourcompany.okta.com using Okta username & AD password
2. Okta communicates to AD Agent via persistent connection to validate credentials
3. Agent responds with success or failure
4. Okta returns Cloud App homepage (success) or failure message
Desktop SSO
Diagram: AD Domain Controller and Okta IWA Agent inside the Firewall (steps 1 and 2).
Get To Cloud Apps with NO Login Page
- User logs on to domain
- Can then access Cloud apps with no additional login
- Secure: uses Integrated Windows Authentication (Kerberos)
- Easy to deploy: leverages lightweight agent running under IIS (Okta IWA Agent)
User Provisioning with Active Directory
1. New employees created in Active Directory
2. Applications provisioned centrally through Okta
3. Okta login using AD credentials; immediate SSO access to apps
Diagram: AD Domain Controller – Okta Agent – Firewall
Increase Productivity
Reduce IT Costs
Strengthen Security
3,300 users | 100 apps
“Cloud IAM is the best option, providing 310% ROI over manual processes” - Forrester Research, October 2012
> $10M savings
Okta was named a Leader (highest ranking)
Modern Identity Management
- First true Cloud IAM service
- Full suite of IAM features (SSO, provisioning, analytics)
- Bridges existing user stores (AD / LDAP) to the cloud
- Connects to legacy on-prem IAM software
Dedicated Support
- 24 / 7 / 365 Premier Support Team
- SmartStart Professional Services Team
- Training and Education Team
Veteran Team
“Okta is the gold standard of companies we’ve worked with.”
“Okta makes our problems their own and it’s why we can rely on them to make us successful.”
What We Covered
AD FS is Not Free
- Significant server costs
- Setup and configuration efforts
- Ongoing maintenance costs
- No repeatability
- More apps = more costs
AD FS is Not A Complete Solution
- Limited app support
- No provisioning
- No reporting
- No native mobile apps
Okta vs. AD FS
Cloud Service, Built in HA
  Okta: 100% Multi-Tenant, Fully Managed; Always On; Features and Capacity On Demand; No changes required to AD infrastructure
  AD FS: You install, configure & manage; Redundancy for HA = more HW; Must maintain as apps change
Access Management
  Okta: Control who has access to which app; Easily map different username formats; Quickly import, match, rollout
  AD FS: Create & manage custom attributes; Every app may require changes; No concept of user import, matching
User Provisioning, De-Provisioning
  Okta: Easily add/remove users and access; Drive directly from AD, security groups; Pre-integrated with your applications
  AD FS: None
Logging & Reporting
  Okta: Better visibility into access and usage; Easy to access from Okta admin UI
  AD FS: None
Application Integrations
  Okta: 1,500+ pre-integrated apps; No engineering to configure, maintain; SSO with any app, not just SAML; User Mgmt integrations
  AD FS: You build, maintain every integration; Only supports SAML, WS-*; Only single sign-on
Getting Started with Okta
- Download the AD FS whitepaper
- Start a free trial of Okta for unlimited apps
- Use Okta for free for one app
okta.com/free
ADFS Terminology
AD FS 2.0 term – Definition
AD FS 2.0 configuration database
A database used to store all configuration data that represents a single AD FS 2.0 instance or Federation Service. This configuration data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008 and Windows Server 2008 R2 or using a Microsoft SQL Server database.
Claim
A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.
Federation Service
A logical instance of AD FS 2.0. A Federation Service can be deployed as a standalone federation server or as a load-balanced federation server farm. You can configure the name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate.
Federation server
A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act in the federation server role. A federation server serves as part of a Federation Service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of claims, such as a user's name or role.
Source: technet.microsoft.com
ADFS Terminology - continued
AD FS 2.0 term – Definition
Federation server farm
Two or more federation servers in the same network that are configured to act as one Federation Service instance.
Federation server proxy
A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federation Service that is located behind a firewall on a corporate network.
Relying party
A Federation Service or application that consumes claims in a particular transaction.
Relying party trust
In the AD FS 2.0 Management snap-in, a relying party trust is a trust object that is created to maintain the relationship with another Federation Service, application, or service (in this case with Google Apps or Salesforce.com) that consumes claims from your organization’s Federation Service.
Network load balancer
A dedicated application (such as Network Load Balancing) or hardware device (such as a multilayer switch) used to provide fault tolerance, high availability, and load balancing across multiple nodes. For AD FS 2.0, the cluster DNS name that you create using this NLB must match the Federation Service name that you specified when you deployed your first federation server in your farm.
Source: technet.microsoft.com
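As an added example that ties the “Don’t forget your Certificates” slide to the terms defined in this terminology section (Claim, Federation Service, relying party, token-signing certificate), the Go program below issues a token of claims signed with a token-signing certificate, verifies it the way a relying party that trusts that certificate would, and flags a certificate that is due for renewal. It is example code written for this page, not AD FS code and not its token format: AD FS issues SAML and WS-Federation tokens, whereas this uses a simplified JSON payload. The names sts.example.test and app.example.test, the Token and Claims types and the self-signed certificate (standing in for the CA-purchased certificate the deck describes) are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims maps a claim type (name, email, group...) to the value asserted.
type Claims map[string]string

// Token is what the Federation Service issues to a relying party.
type Token struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	NotAfter int64  `json:"exp"` // unix seconds
	Claims   Claims `json:"claims"`
}

// NewTokenSigningCert builds a self-signed RSA token-signing certificate
// (self-signed so the example runs offline; a real farm buys one from a CA).
func NewTokenSigningCert(cn string, lifetime time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue (federation server side) signs the SHA-256 digest of the JSON
// payload with the token-signing key: base64url(payload).base64url(sig).
func Issue(tok Token, key *rsa.PrivateKey) (string, error) {
	payload, err := json.Marshal(tok)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// Verify (relying party side) accepts a token only if the pinned
// token-signing certificate is inside its validity period, the signature
// checks out, the audience is this relying party and the token is unexpired.
func Verify(raw string, trusted *x509.Certificate, audience string, now time.Time) (*Token, error) {
	p, s, found := strings.Cut(raw, ".")
	payload, err := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if !found || err != nil || err2 != nil {
		return nil, errors.New("malformed token")
	}
	if now.Before(trusted.NotBefore) || now.After(trusted.NotAfter) {
		return nil, errors.New("token-signing certificate is outside its validity period")
	}
	digest := sha256.Sum256(payload)
	pub, ok := trusted.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the trusted certificate")
	}
	var tok Token
	if err := json.Unmarshal(payload, &tok); err != nil {
		return nil, err
	}
	if tok.Audience != audience || now.Unix() > tok.NotAfter {
		return nil, errors.New("token is for a different relying party or has expired")
	}
	return &tok, nil
}

// RenewalDue is the operator check behind "must be managed and renewed".
func RenewalDue(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return cert.NotAfter.Sub(now) <= window
}

func main() {
	cert, _, _ := NewTokenSigningCert("sts.example.test", 365*24*time.Hour) // constructed name
	fmt.Println("renewal due within 30 days:", RenewalDue(cert, time.Now(), 30*24*time.Hour))
}
```

Two points the deck’s certificate slide implies but does not spell out are visible in Verify: once the token-signing certificate passes its NotAfter date, every token it signed stops verifying at every relying party at once, which is why RenewalDue-style monitoring belongs in operations; and the audience check is what keeps a token issued for one relying party from being replayed against another, so each relying party trust must pin both the certificate and its own identifier.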
Summary – ADFS Pros and Cons
Pros
- Just a Windows Server Role
- Flexible SAML, WS-FED solution
- Tight AD integration
Cons
- Difficult to configure
- Difficult to make production ready
- Limited application coverage
- No re-use (must set up for each app)
- No provisioning
- No reporting
- No policy controls
How are accounts created?
How do users authenticate?
How does IT manage these accounts?
How are accounts de-provisioned?
Solution: Connect AD to the Cloud