Access Method | ADFS | DirSync w/ Password | Verdict |
Outlook 2010/2013 | Prompted for credentials on first connection (and at each password change) with checkbox to remember them. | Prompted for credentials on first connection (and at each password change) with checkbox to remember them. | Draw, both have the same experience |
ActiveSync, POP, IMAP | Prompted for credentials on first connection (and at each password change) with checkbox to remember them. | Prompted for credentials on first connection (and at each password change) with checkbox to remember them. | Draw, both have the same experience |
MS Online Portal, SharePoint Online, Office Web Apps | Internal: Pop up offers click to sign in with no credentials required (External Forms Based Prompted) | Prompted for credentials on first connection (and at each password change) with checkbox to remember them | Better experience for ADFS while internal to company network, draw when external |
OWA | Internal: Seamless (External Forms Based Prompted) | Prompted for credentials on first connection (and at each password change) with checkbox to remember them | Better experience for ADFS while internal to company network, draw when external |
Lync 2010/2013 | Seamless (with Sign on Assistance installed for Lync 2010) | Prompted for credentials on first connection (and at each password change) with checkbox to remember them. | Better experience for ADFS |
SSO Using ADFS
Pros | Cons |
True SSO with minimum credential prompts | Additional infrastructure needed to deploy FS and Proxy FS |
Better security than when using DirSync’s password Sync | Added point of failure (even if multiple FS servers are deployed, this option brings in more dependencies for the setup to work) |
 | Additional cost involved with this setup |
 | SSL certificate from a public CA is needed and needs to be renewed on a periodic basis (cost/administrative work involved) |
 | More time/effort involved in setting up |
DirSync with Password Sync
Pros and cons above reversed :)
In addition, based on my experience, for DirSync with Password Synchronization, you enable your users to use the same password they are using to log on to your on-premises Active Directory to log on to Windows Azure Active Directory. The users’ accounts and passwords are authenticated by Office 365, but for SSO with ADFS, the credentials are authenticated by the on-premises ADFS server.