Forum Discussion
Can we use Azure AD for SSO to SaaS applications if we already use ADFS for SSO to Azure/O365?
- Dec 04, 2018
Andrew Colombino, generally most apps that support federation with ADFS would also support federation with Azure AD. In your case Azure AD would pass the authentication events down to your federated Azure AD, providing the same login experience as you get with Office 365 etc.
I agree with your point about better preparing yourself to go without ADFS in the future. These days new clients use simpler tools like Password Hash Sync or Pass-through Authentication; it's easier to provide a highly reliable service, and authentication is typically the most important service.
You would also be allowing these apps to use the more sophisticated security controls available as part of Azure AD: Conditional Access, Multi-Factor Authentication, Identity Protection, MCAS, etc.
Thanks Rishabh, I'll take a look. What benefit does pass-through authentication provide that makes it different from ADFS?
Will it help the situation with these third-party SaaS apps?
With pass-through authentication you don't have to set up ADFS for Azure AD or O365.
Instead, connectors are installed on the Azure AD Connect server as well as on other servers, for load balancing.
Benefits:
You don't have to manage the configurations that are related to ADFS.
As per your requirement, password hashes of the user objects are also not synced to Azure AD.
The password remains on-prem and authentication will work seamlessly.
This setup will cater to the third-party applications that you have added in Azure AD, as all these third-party applications will be relying on Azure AD for user identities.
Regards,
Rishabh