January 11, 2016

Password Sync VS ADFS

Share this post
Author
Access Method ADFS DirSync w/ Password Verdict
Outlook 2010/2013 Prompted for credentials on first connection (and at each password change) with checkbox to remember them. Prompted for credentials on first connection (and at each password change) with checkbox to remember them. Draw, both have the same experience
ActiveSync, POP, IMAP Prompted for credentials on first connection (and at each password change) with checkbox to remember them. Prompted for credentials on first connection (and at each password change) with checkbox to remember them. Draw, both have the same experience
MS Online Portal, SharePoint Online, Office Web Apps Internal: Pop up offers click to sign in with no credentials required (External Forms Based Prompted) Prompted for credentials on first connection (and at each password change) with checkbox to remember them Better experience for ADFS while internal to company network, draw when external
OWA Internal: Seamless (External Forms Based Prompted) Prompted for credentials on first connection (and at each password change) with checkbox to remember them Better experience for ADFS while internal to company network, draw when external
Lync 2010/2013 Seamless (with Sign on Assistance installed for Lync 2010) Prompted for credentials on first connection (and at each password change) with checkbox to remember them. Better experience for ADFS
    SSO Using ADFS
Pros Cons
 True SSO with minimum credential prompts  Additional infrastructure needed to deploy FS and Proxy FS
 Better security than when using DirSync’s password Sync  Added point of failure (even if multiple FS servers are deployed, this option brings in more dependencies for the setup to work)
   Additional cost involved with this setup
   SSL certificate from a public CA is needed and needs to be renewed on a periodic basis (cost/administrative work involved)
   More time/effort involved in setting up
  DirSync with Password Sync Pros and cons above reversed 🙂 In addition, based on my experience, for DirSync with Password Synchronization, you enable your users to use the same password they are using to logon to your on-premises Active Directory to logon to Windows Azure Active Directory. The users’ accounts and password are authenticated by Office 365, but for SSO with ADFS, the credentials are authenticated by the on premise ADFS server.

Ready to make security easy?

Find out where your organization stands. Our free security assessment gives you a clear picture of your current posture and a roadmap for what comes next.