Your IT shop is more than just Microsoft. Your IAM solution should be, too.
Ten years ago it was easy to be a "Microsoft shop," with every server, operating system and software program in the company running in (almost) perfect harmony. Like it or not, Microsoft had a monopoly on computing platforms back then, and it dominated the computing industry.
But today that stranglehold has been broken and computing options abound. The shift to the cloud, the rise of mobile applications, the emergence of the API economy and the migration to other major computing platforms such as Linux and Solaris mean that companies now have a wide swath of territory to secure, not to mention custom and legacy applications that also need to be locked down.
This is particularly true for single sign-on and identity federation. It is more important than ever to integrate every component of your IT infrastructure with a complete identity management solution: one that supports open standards, integrates with both internal and cloud applications, and works with a range of identity providers such as Google, Facebook, Twitter and LinkedIn.
For these needs, Microsoft's Active Directory Federation Services (ADFS) is often not enough. Microsoft offers ADFS as a standard feature of Windows Server. Many organizations like ADFS because it is "free" and is managed much like other Windows services. But in reality, ADFS is neither cheap nor easy in the long run. Here's why.
Prepare to build
Using ADFS in production for mission-critical applications requires far more effort than standing up a simple test environment with a single connection. It should be treated like any large, complex commercial off-the-shelf system, which can be time consuming to customize, integrate with multiple applications and make ready for production use.
Before getting started, also consider your capacity needs, the maturity of the solution, interoperability, budget and your team's track record with homegrown solutions.
Stock up on servers
If your goal is a highly available, geo-distributed environment that supports remote users, Microsoft recommends 10-12 servers to fully implement ADFS. Beyond provisioning those servers, each one requires ongoing management, updates and availability monitoring.
By contrast, a complete identity management solution can achieve a similar high-availability use case with 65% fewer servers, and it can be deployed on Windows, Linux or Solaris.
Plan to spend more time on regression testing
ADFS is coupled to Windows Server and may be updated as part of a regular Windows patch cycle. There have been published cases in which Microsoft security patches caused ADFS on Windows Server to stop working and the patches had to be pulled.
Complete identity management solutions are not tied to any particular operating system, so operating-system updates do not affect their functionality.
ADFS also requires proxy servers to support remote users, and Microsoft SQL Server for high-availability clustered operation, which adds further server infrastructure and management overhead.
You'll need an end user access portal
ADFS does not include an end user access portal. Microsoft's newer Azure AD service does provide an access panel for end users, but using it requires adopting the cloud-based Azure Active Directory.
Find your own features support
There are several areas where ADFS falls short on feature support.
For starters, ADFS supports only Active Directory and Microsoft SQL Server as attribute stores. It offers no support for other databases such as Oracle, or for standard LDAP servers, as sources of the attributes required for identity federation.
User provisioning to SaaS applications is not a capability of ADFS and requires additional products. Microsoft does provide synchronization for Office 365, but it requires a separate server and does not support other cloud applications.
Reporting is also not part of ADFS by default and requires other Microsoft products.
Finally, ADFS has minimal support for management APIs, offers very little extensibility and does not provide a supported SDK.
Standards support is limited, too
ADFS supports only the SAML 2.0 and WS-Trust standards, not the many other federation standards in use. What's more, because ADFS applies a stricter interpretation of SAML, interoperability with heterogeneous SAML counterparts can turn out to be more costly and time consuming than a typical deployment.
Multifactor authentication in ADFS is provided out of the box only with certificates. Other options are available from third-party vendors, but Microsoft does not support them.