avoiding the hidden costs of active directory federation services (ad fs)

Kick the AD FS Habit

Agenda

-  Trends in IT à How They Affect Identity -  AD FS Overview, Costs, and Shortcomings -  Okta’s Approach to AD Integration -  Q&A

okta confidential 2

What We’ll Show Today

okta confidential 3

•  Significant server costs •  Setup and configuration efforts •  Ongoing maintenance costs •  No repeatability

•  more apps = more costs

AD FS is Not Free

•  Limited app support •  No provisioning •  No reporting •  No native mobile apps

AD FS is Not A Complete Solution

Applications Devices

People

Applications

Devices

People

Identity

Applications

Devices

People

+ Custom, + Cloud, + Mobile Applications Devices

People

+ iPhone, Android, + iPad

+ Remote, + Partners, + Customers

Identity

Pain for end users

Pain for IT

Time consuming user provisioning

? Pain for Security Team

•  Service •  Enterprise Grade •  Integrated •  Future Proof •  Easy to Use

“Cloud IAM Has Superior ROI”

“Cloud IAM is the best op9on; 310% ROI over manual processes, 90% reduc9on of opera9ons vs. on-‐prem solu9ons.”

“By the end of 2015, IDaaS will account for 40% of all new IAM sales”

•  HW, SW, Infrastructure •  Services Intense •  Connector Treadmill •  Forklift Upgrades

AD FS 2.0

AD FS Overview

okta confidential 11


Your Network

Firewall

Internet

Active Directory

User store User

store

On-prem Apps

What to Use Here?

How to connect these cloud apps to Active Directory?

Source: microsoft.com

Source: technet.microsoft.com

AD FS – High Level

15



AD FS – High Level

Server Farm? Source: technet.microsoft.com


Step 1: Deploy Your Federation Server Farm



-  Dedicated servers behind your corporate network

-  Double server count for HA

Step 2: Deploy Your Federation Server Proxies



-  Dedicated proxy servers in your DMZ (!)

-  Double server count for HA

How Many Servers are We Talking About?


Number of users accessing the cloud service Minimum number of servers to deploy

1,000 to 15,000 users 2 dedicated federation servers

+ 2 dedicated federation server proxies

15,000 to 60,000 users Between 3 and 5 dedicated federation servers

+ At least 2 dedicated federation server proxies


4-7 dedicated servers for one cloud application Half of these are deployed in your DMZ

…we’re not done



Even more servers to run the database that holds configuration

SQL Servers added to the mix…


Don’t forget your Certificates


Certificate type

Token-signing certificate

Service communication certificate

Token-decryption certificate


Separate certificates for each server Must be purchased from a CA

Must be managed and renewed

The true costs of AD FS…


Year One Year Two Year Three Total

Support & Maintenance

Setup (Time) + Hardware Costs

$25k - $50k for first app

Year One Year Two Year Three Total

…are costs that grow over time


More apps = more cost

Example: Office365


Source: perficient.com/Partners/Microsoft


Source: perficient.com/Partners/Microsoft


Source: blog.force365.com/salesforce-sso-with-adfs-2-0/

Example:

AD Integration with Okta – 30 minutes or less


Download AD Agent, Install on Windows Machine

1 Configure Agent:

Directory Location, Credentials

3 Configure

import rules

4

Internet Firewall Your Network

AD Domain Controller

Okta Agent https://yourcompany.okta.com

2 •  Enter Okta URL and credentials •  HTTPS from company to Okta •  No firewall configuration necessary

It’s Not Just About Cost




AD FS is Not Free



Okta Overview

Enterprise Identity, Delivered


All Your Devices

All Your People

Desktop, Laptops, Tablets, Smartphones,

Employees, Customers, Partners, Contractors

Mobile

On Prem

Cloud

On Prem Identity

LDAP

All Your Devices

All Your People



Mobile

On Prem

Cloud

On Prem Identity

LDAP

Mobile

On Prem

Cloud

On Prem Identity

LDAP

All Your Devices

All Your People



1,000’s of Applications

Mobile

On Prem

Cloud

On Prem Identity

LDAP

All Your Devices

All Your People



Okta Powered Customer & Partners Portals Manage identities outside your firewall

Customers

Partners

Cloud Apps

On Premise Apps

Portal Username Password

Okta AD Integration Details

Active Directory Integration with Okta


Remote users authenticate with AD username and password

1 Local users transparently authenticate using Integrated Windows Authentication

2 Access policies driven by AD security groups

3

Remote/Mobile Employees

Active Directory

Employees

Okta Agent(s)

Group Sales

Firewall

Active Directory Integration with Okta


Remote users authenticate with AD username and password

1 Local users transparently authenticate using Integrated Windows Authentication

2 Access policies driven by AD security groups

3

Remote/Mobile Employees

Active Directory

Employees

Okta Agent(s)

Group Sales

Firewall • Simple agent install, no network configuration required • Multiple agents supported for High Availability

Easy to Use, Just Works

• Real-time Synchronization with AD (no scheduled imports needed) • Automatic De-Activation in Okta of Disabled/Deleted Users • Delegate Authentication for Okta to AD

Broad Functionality

•  Integration into Windows Desktop Login Tight Windows Integration

Setting Up AD Integration with Okta


Download AD Agent, Install on Windows Machine

1 Configure Agent:

Directory Location, Credentials

3 Configure

import rules

4



Okta Agent https://yourcompany.okta.com

2 •  Enter Okta URL and credentials •  HTTPS from company to Okta •  No firewall configuration necessary

Real Time AD User Synchronization




Okta Agent (On Windows Server)

https://yourcompany.okta.com

3 Users provisioned, de-provisioned, application assignments based on security group membership

AD Agent dynamically looks for changes in AD, makes HTTPS connection to Okta

1 Okta gets real time updates, makes user and group changes as needed

2


Delegated Authentication to AD




Okta Agent (On Windows Server)

https://yourcompany.okta.com

User logs into https://yourcompany.okta.com using Okta username & AD password 1 Okta communicates to AD Agent via persistent

connection to validate credentials 2

Agent responds with success or failure

3 Okta returns Cloud App homepage (success) or failure message

4

Inside/Outside Network


Desktop SSO

Firewall

2

1


Get To Cloud Apps with NO Login Page •  User logs on to domain •  Can then access Cloud apps with no additional login

Secure: Uses Integrated Windows Authentication (Kerberos)

Easy to deploy: Leverages light weight agent running under IIS Okta IWA

Agent


User Provisioning with Active Directory

New employees created in Active

Directory 1

Applications provisioned centrally through Okta

2

Okta login using AD credentials. Immediate SSO Access to Apps

3

AD Domain Controller Okta Agent

Firewall


All Your Devices

All Your People



Mobile

On Prem

Cloud

On Prem Identity

LDAP

All Your Devices

All Your People



Mobile

On Prem

Cloud

On Prem Identity

LDAP

Increase Productivity

Reduce IT Costs

Strengthen Security

3,300 users | 100 apps

“Cloud IAM is the best option, providing 310% ROI over manual processes” - Forrester Research, October 2012

> $10M savings

Okta was named a Leader (highest ranking)

•  First true Cloud IAM service •  Full suite of IAM features (SSO, provisioning, analytics) •  Bridges existing user stores (AD / LDAP) to the cloud •  Connects to legacy on-prem IAM software

Modern Identity Management

Dedicated Support

•  24 / 7 / 365 Premier Support Team •  SmartStart Professional Services Team •  Training and Education Team

Veteran Team

“Okta is the gold standard of companies we’ve worked with.”

“Okta makes our problems their own and it’s why we can rely on them to make us successful.”

What We Covered




AD FS is Not Free



AD FS

•  100% Multi-Tenant, Fully Managed •  Always On •  Features and Capacity On Demand •  No changes required to AD infrastructure

Cloud Service, Built in HA

•  You install, configure & manage •  Redundancy for HA = more HW •  Must maintain as apps change

•  Control who has access to which app •  Easily map different username formats •  Quickly import, match, rollout

Access Management •  Create & manage custom attributes •  Every app may require changes •  No concept of user import, matching

User Provisioning, De-Provisioning

•  Easily add/remove users and access •  Drive directly from AD, security groups •  Pre-integrated with your applications

•  None

Logging & Reporting •  Better visibility into access and usage •  Easy to access from Okta admin UI •  None

Application Integrations •  1,500+ Pre-integrated apps •  No engineering to configure, maintain •  SSO with any app, not just SAML •  User Mgmt integrations

•  You build, maintain every integration •  Only supports SAML, WS-* •  Only single sign-on


-  Download the AD FS whitepaper

-  Start a free trial of Okta for unlimited apps

-  Use Okta for free for one app

Getting Started with Okta



okta.com/free

ADFS Terminology


AD FS 2.0 term Defini>on

AD FS 2.0 configura9on database

A database used to store all configura9on data that represents a single AD FS 2.0 instance or Federa9on Service. This configura9on data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008 and Windows Server 2008 R2 or using a MicrosoS SQL Server database.

Claim

A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata.

Federa9on Service

A logical instance of AD FS 2.0. A Federa9on Service can be deployed as a standalone federa9on server or as a load-‐balanced federa9on server farm. You can configure the name of the Federa9on Service using the AD FS 2.0 Management snap-‐in. The DNS name of the Federa9on Service must be used in the Subject name of the Secure Sockets Layer (SSL) cer9ficate.

Federa9on server

A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act in the federa9on server role. A federa9on server serves as part of a Federa9on Service that can issue, manage, and validate requests for security tokens and iden9ty management. Security tokens consist of a collec9on of claims, such as a user's name or role.


ADFS Terminology - continued


AD FS 2.0 term Defini>on

Federa9on server farm Two or more federa9on servers in the same network that are configured to act as one Federa9on Service instance.

Federa9on server proxy A computer running Windows Server 2008 or Windows Server 2008 R2 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federa9on Service that is located behind a firewall on a corporate network.

Relying party A Federa9on Service or applica9on that consumes claims in a par9cular transac9on.

Relying party trust In the AD FS 2.0 Management snap-‐in, a relying party trust is a trust object that is created to maintain the rela9onship with another Federa9on Service, applica9on, or service (in this case with Google Apps or Salesforce.com) that consumes claims from your organiza9on’s Federa9on Service.

Network load balancer

A dedicated applica9on (such as Network Load Balancing) or hardware device (such as a mul9layer switch) used to provide fault tolerance, high availability, and load balancing across mul9ple nodes. For AD FS 2.0, the cluster DNS name that you create using this NLB must match the Federa9on Service name that you specified when you deployed your first federa9on server in your farm.


Summary – ADFS Pros and Cons


•  Just a Windows Server Role •  Flexible SAML, WS-FED solution •  Tight AD integration

Pros

•  Difficult to configure •  Difficult to make production ready •  Limited application coverage •  No re-use (must set up for each app) •  No provisioning •  No reporting •  No policy controls

Cons


How are accounts created?

How do users authenticate?

How does IT manage these accounts?

How are accounts de-provisioned?

Solution: Connect AD to the Cloud

avoiding the hidden costs of active directory federation services (ad fs)

Technology