Forum Discussion
Neil Manley
Apr 24, 2017 | Copper Contributor
ADFS vs Azure AD for SSO
Hi there Bit of a newbie question but what is the difference between using Azure AD and ADFS as a SAML identity provider? We have on-premises AD and ADFS servers and a federation with Azure A...
- May 01, 2017
If you are looking at them purely as SAML providers they are roughly equivalent. But there is more to federation than just SAML. There are other protocols and profiles that AAD can support that ADFS cannot. Remember that ADFS is a shipped product; it ships with the version of Windows and its capabilities stay roughly the same for its lifetime. It might get an upgrade in a big service pack. So ADFS on Server 2012 R2 has had pretty much the same capabilities for the last 5 years. The new ADFS on 2016 has more, but it is subject to the same static life. Azure AD is constantly upgrading.
So strategically, if you don't mind putting your eggs in Microsoft's basket, AAD seems the better choice from that standpoint.
However, you have to measure your organization's willingness to rely on a cloud service versus on premises servers and network infrastructure you control.
Beyond that, AAD does much more than federation. You can use it to present a portal to your users, to secure groups of apps, to run analytics on your authentications for security, it can serve as an authentication backbone between other tenants, clients and consumers.
So you asked a complicated question, but the answer is probably AAD unless you aren't comfortable with the lack of control on the cloud service.
Alexandru Burac
Jul 25, 2017 | Copper Contributor
One big difference I've seen, in terms of SSO and SAML, is that ADFS has greater support for "claims language" than AAD. AAD offers limited capabilities, or whatever is present in the GUI. For example, I do not see any regex support for claims when using AAD. It's very probable that you won't need them, but it is worth mentioning.
In general, for a particular function, an on-prem system has greater flexibility, but it will not get any updates as fast as a cloud one, and does not integrate with other services that are deployed in cloud (like in the AAD case).
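As an added illustration of the "claims language" point above (this is example code, not the poster's or Microsoft's), here is an ADFS issuance transform rule set that uses the regex match operator `=~` and `RegExReplace` to turn only AD groups named `app-*` into role claims, applied with the ADFS PowerShell module. The relying party name and the `app-` naming convention are assumptions for illustration.

```powershell
# Added example: ADFS claim rules with regex, applied via the ADFS module.
# Assumed values: the relying party display name and the "app-" group prefix.
Import-Module ADFS

$rpName = "Contoso Claims App"   # assumed relying party trust display name

# Rule 1: load the user's AD group memberships into the claims pipeline
#         with add() (kept internal, not issued into the token).
# Rule 2: issue a Role claim only for groups matching ^app- (case-insensitive),
#         with the prefix stripped. "=~" is a regex match; RegExReplace rewrites
#         the value. This is the per-claim regex handling the post refers to.
$rules = @'
@RuleName = "Fetch AD groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue app-* groups as roles, prefix stripped"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)app-"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = RegExReplace(c.Value, "^(?i)app-", ""));
'@

# Replace the trust's issuance transform rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read back what is now configured on the trust for review.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Because only matching groups are issued as roles, an application relying on this trust never sees unrelated group memberships, which keeps the token minimal and makes the rule easy to review.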