ADFS vs ADC

Active Directory Federation Services (ADFS) or OneLogin’s Active Directory Connector (ADC)?

Both of these services can help you solve the following use case:

You manage your users in Active Directory (AD), more precisely Active Directory Domain Services (AD DS), and you want to roll out Office 365. You would like your users to log in to Office 365 with the same credentials they use to log in to their company computers, that is, with their AD credentials. Better still, a user should be able to launch an application such as Outlook on the desktop and be signed in to Office 365 automatically, just as they were signed in automatically when your mail service (Exchange) ran on premises. In other words, you want Single Sign-On (SSO) from AD to Office 365. The problem is deciding which solution fits your organization best.

ADFS and OneLogin’s ADC are two of the main options you have to choose between when trying to solve this problem.

ADFS – The Microsoft Solution

ADFS is a Microsoft server role, installed on Windows Server, designed to provide SSO to systems outside the AD environment by issuing security tokens that those systems have been configured to trust. To set up SSO for Office 365, a federation trust is established between ADFS and Azure AD, the authentication system behind Office 365: the domain is configured in Azure AD as a federated domain, and ADFS is configured with Azure AD as a relying party. Once the trust is in place, the login flow is as follows:

  1. The user’s login attempt to Office 365 is received by Azure AD. Because the user’s domain is federated, Azure AD does not check the password itself; it redirects the user’s browser or client to the organization’s ADFS endpoint.
  2. ADFS authenticates the user. If the user is on the internal network on a domain-joined machine they have already logged in to, ADFS can use integrated Windows authentication and the user is not prompted again; otherwise ADFS prompts for the user’s AD credentials.
  3. ADFS validates the credentials against an Active Directory Domain Controller and, if they are correct, issues a signed token asserting the user’s identity, which is sent back to Azure AD.
  4. Azure AD validates the token against the trust it holds for ADFS and grants the user access to Office 365.

Figure: How ADFS works

The catch is that the user must already have an account in Azure AD before they first attempt to log in, and that account must hold an Office 365 license; ADFS does neither. Microsoft provides a separate tool, Azure AD Connect, that synchronizes with AD and creates the user accounts in Azure AD. Unfortunately, Azure AD Connect still does not complete the picture, because it will neither activate the users for Office 365 nor assign their licenses. Microsoft does let administrators designate a particular security group whose members are licensed automatically (group-based licensing), but that is an additional configuration step.

So the entire picture looks more like this:

Figure: The problem with how ADFS works

  1. Users are synchronized from AD to Azure AD by Azure AD Connect.
  2. Users are activated and assigned Office 365 licenses, either manually or through a designated security group they are added to.
  3. The user’s login attempt to Office 365 is received by Azure AD.
  4. Azure AD redirects the user to ADFS.
  5. ADFS validates the credentials against an Active Directory Domain Controller and, if they are correct, issues a signed token that is sent back to Azure AD.
  6. Azure AD validates the token and grants the user access to Office 365.
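The three prerequisites above (federated domain, synced account, license) are exactly what ADFS does not take care of, so a practitioner usually wants a quick way to verify them for one user. The script below is an added example written for this article, not code from the original page or from Microsoft or OneLogin. It uses the MSOnline (MSOL) cmdlets of the period the article describes; Microsoft has since retired that module in favour of Microsoft Graph PowerShell, so treat the cmdlet names as era-specific. The domain, user and SKU names are placeholders, and the Office 365 relying party trust name is the default that `Convert-MsolDomainToFederated` creates, which you may have renamed.

```powershell
# Added example (not from the original article). Checks the three things the
# ADFS-based flow depends on but ADFS itself does not provide:
#   1) the Office 365 domain is actually federated and points at your STS,
#   2) the user was synced into Azure AD by Azure AD Connect,
#   3) the user holds an Office 365 license (directly or via a group).
# Requires the MSOnline module (Connect-MsolService) run as a tenant admin.
# All names below are placeholders (assumed values, not real tenant data).
param(
    [string]$DomainName        = 'contoso.com',        # assumed federated domain
    [string]$UserPrincipalName = 'jdoe@contoso.com',   # assumed synced user
    [string]$SkuPartNumber     = 'ENTERPRISEPACK',     # Office 365 E3 SKU name
    [switch]$AssignLicense                             # fix step 3 if missing
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in as a tenant admin

# --- 1. Is the domain federated, and which STS does Azure AD trust for it? ---
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne 'Federated') {
    throw "$DomainName is '$($domain.Authentication)', not Federated; logins will never reach ADFS."
}
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
"Federated domain  : $DomainName"
"Issuer URI        : $($fed.IssuerUri)"
"Passive logon URL : $($fed.PassiveLogOnUri)"
# Azure AD accepts any token signed with this certificate for every user in the
# domain, so the servers holding its private key are as sensitive as a DC.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($fed.SigningCertificate))
"Token-signing cert: $($cert.Thumbprint) (expires $($cert.NotAfter))"

# --- 2. Did Azure AD Connect sync the user? ---
$user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
if (-not $user.LastDirSyncTime) {
    Write-Warning "$UserPrincipalName exists but has never been synced from AD (cloud-only object)."
}
"Last directory sync: $($user.LastDirSyncTime)"

# --- 3. Is the user licensed for Office 365? ---
$sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }
$licensed = $user.Licenses | Where-Object { $_.AccountSkuId -eq $sku.AccountSkuId }
if ($licensed) {
    "License $($sku.AccountSkuId) already assigned"
} elseif ($AssignLicense) {
    if (-not $user.UsageLocation) {
        # A usage location is mandatory before any license can be assigned
        Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation 'US'
    }
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $sku.AccountSkuId
    "Assigned $($sku.AccountSkuId) to $UserPrincipalName"
} else {
    Write-Warning "$UserPrincipalName has no $SkuPartNumber license; Azure AD will refuse the Office 365 apps."
}

# --- On an ADFS server (separate host, hence commented out): confirm the
#     relying party trust exists and that the primary token-signing certificate
#     matches the thumbprint Azure AD reported above ---
# Import-Module ADFS
# Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' |
#     Select-Object Name, Enabled, Identifier
# (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint
```

Run it once without `-AssignLicense` to see which of the three steps is missing for a user who cannot sign in; the mismatch between the thumbprint Azure AD holds and the one ADFS is actually signing with is the usual cause after a certificate rollover.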

That is a lot of different tools to manage and keep track of in order to ensure this flow keeps working. Luckily there are simpler options.

OneLogin’s ADC

OneLogin’s ADC does the job of both Azure AD Connect and ADFS: it provides user synchronization and lets users log in with their AD credentials. The only component to install on premises is the ADC, whereas ADFS and Azure AD Connect each need to be installed and configured on Windows servers. The OneLogin solution looks like this:

Figure: How OneLogin can solve the ADFS problem

  1. Users are synced from AD to the OneLogin Cloud Directory and from there into Azure AD through the Office 365 App Connector within OneLogin. The same synchronization can also activate them and assign their Office 365 licenses automatically.
  2. The user attempts to access Office 365.
  3. Azure AD redirects the login request to OneLogin.
  4. OneLogin uses the ADC to verify the user’s credentials against AD.
  5. OneLogin relays the successful login back to Azure AD as a signed token that Azure AD has been configured to trust.
  6. Azure AD grants the user access to Office 365.

The end result is exactly the same as it would be if ADFS were used, but the setup is much simpler and there are fewer server components to manage. Remember that the ADFS-based solution requires Azure AD Connect on a Windows server in addition to the ADFS servers needed to support this configuration. With OneLogin, only one component runs on Windows servers: the ADC. The rest of the configuration is done through the OneLogin Admin Portal. In either design, Azure AD trusts every token signed by the identity provider’s signing key for every user in the federated domain, so whichever provider you choose, the system holding that key (your ADFS farm or your OneLogin tenant and its administrator accounts) must be protected as carefully as a domain controller.

Integrating systems is always a challenge. There are usually several tasks the integration must accomplish, and several ways to accomplish each of them. Here the problem was how to integrate AD with Office 365 and give users a seamless experience. One option is ADFS, but ADFS on its own does not do everything this integration needs. The other option explored here, OneLogin’s ADC, covers all of it and is simpler to configure and maintain. Always explore the options available for the problem in front of you and choose the one that best fits your organization.

About the Author

Alicia Townsend

For almost 40 years, Alicia Townsend has been working with technology as both a consultant and a trainer. She has a passion for empowering others to use technology to make their lives easier. As Director of Content and Documentation at OneLogin, Ms. Townsend works with technical writers, trainers and content marketing writers to inspire and empower everyone to take advantage of what OneLogin’s platform has to offer them.
