Apr 24 2017 - last edited on Jul 24 2020
Bit of a newbie question but what is the difference between using Azure AD and ADFS as a SAML identity provider?
We have on-premises AD and ADFS servers and a federation with Azure AD using AD Connect.
We want to integrate with a SaaS app that is listed in the Azure AD application gallery but I can't find any definitive information that guides me whether it would be better to use Azure AD or ADFS as the identity provider.
Any help would be appreciated.
Apr 24 2017 02:46 PM
May 01 2017 08:27 AM - Solution
If you are looking at them purely as SAML providers they are roughly equivalent. But there is more to federation than just SAML. There are other protocols and profiles that AAD can support that ADFS cannot. Remember that ADFS is a shipped product: it ships with the version of Windows and its capabilities stay roughly the same for its lifetime. It might get an upgrade in a big service pack. So ADFS on Server 2012 R2 has had pretty much the same capabilities for the last 5 years. The new ADFS on 2016 has more, but it is subject to the same static life. Azure AD is constantly upgrading.
So strategically, if you don't mind putting your eggs in Microsoft's basket, AAD seems the better choice from that standpoint.
However, you have to measure your organization's willingness to rely on a cloud service versus on premises servers and network infrastructure you control.
Beyond that, AAD does much more than federation. You can use it to present a portal to your users, to secure groups of apps, to run analytics on your authentications for security, it can serve as an authentication backbone between other tenants, clients and consumers.
So you asked a complicated question, but the answer is probably AAD unless you aren't comfortable with the lack of control on the cloud service.
Jul 25 2017 02:35 PM
One big difference I've seen, in terms of SSO and SAML, is that ADFS has greater support for "claims language" than AAD. AAD offers limited capabilities, or whatever is present in the GUI. For example, I do not see any regex support for claims when using AAD. It's very probable that you won't need them, but it is worth mentioning.
In general, for a particular function, an on-prem system has greater flexibility, but it will not get any updates as fast as a cloud one, and does not integrate with other services that are deployed in cloud (like in the AAD case).
Jul 26 2017 04:42 AM
In my view it depends on:
1. Where your identity currently is (on-prem or cloud).
2. Whether the application has any special requirements beyond just user authentication and authorizing access.
If you have both scenarios, publish the application, assign it to both types of identities and experience it.
If you ask me, I would prefer to use identity from on-premises (if I already had identity on-premises) and sync to Azure AD.
Jul 26 2017 05:42 AM
In my opinion this is not a newbie question. It's a question a lot of IT admins are struggling with.
Of course ADFS is an STS and Azure AD an IAM, but this doesn't answer the question of when to use what. If I am wrong please correct me on this, people, but my point of view is that the best solution is very dependent on the type of clients the users are using.
Azure AD joined Windows 10 devices (build 10551 or newer) work great when we want to achieve true SSO. By true SSO I mean that the authentication process is done at sign-on to the desktop and isn't needed again in any other way when browsing to web-based applications.
When using domain joined Windows 7 or 8.x you need Internet Explorer and Microsoft ADFS to achieve this user experience.
So the best solution to use as STS is also dependent on other components (like the Windows clients) in your environment.
The most important difference between ADFS and Azure AD, looking at the STS component, is where the authentication process takes place. With ADFS this is on-premises, with Azure AD this is in the cloud.
Also take a look at this great article by Pierre Audonnet.
Sep 01 2017 10:20 AM
When deciding between the two technologies: if you will be using Conditional Access in Azure, and have applications that do not use modern authentication (Office 2010), you will have to use ADFS to apply conditional access for these clients.
Jan 23 2018 07:23 AM
All of this feedback is fantastic. I would also like to add a few more things to think about. AD FS will authenticate your cloud or synchronized identities on premises. Many large organizations prefer this federated model because they are authenticating "in-house". With a synchronized solution, Microsoft would be authenticating your users. You synchronize your users using AAD Connect and also enable password synchronization. This would mean that we would send your password hashes to your AAD. This is, of course, a very secure solution given that the hashes are hashed and salted, and then some. Nevertheless, you get the point. This being said, smaller organizations are choosing AAD Connect Pass-through Authentication over ADFS for simplicity's sake. PTA can authenticate your users on premises without the IT overhead of a complex ADFS farm. If your cloud applications are Office 365 and some Azure Gallery apps, PTA may be a viable alternative. Of course, AD FS is a robust authentication solution with a large portfolio of authentication mechanisms such as FBA/CBA, Claims, OAuth, etc. I hope this helps. - Josh
Nov 30 2018 03:06 PM - edited Nov 30 2018 03:07 PM
This is a fantastic conversation people. I almost always guide my customer to utilising AAD with PTA unless there's specific on-premises services or software that necessitates the need for ADFS. Then utilise Enterprise Applications with the additional capabilities already mentioned such as provisioning capabilities.
Nov 30 2018 10:55 PM
We have used PTA mode for a while (started with the preview even), until one day it just stopped working. Switched to Password Synchronization and it worked. Haven't figured out what happened with PTA (it was after the usual Windows updates, so maybe some fix affected something). But even with PTA working you have to keep the server with AD Connect running 24/7, as without it logins would be impossible. This server becomes a critical breaking point of your cloud services.
Also, this was an old reply, but I will mention it anyway. One can still have SSO on domain joined Windows 7 PCs, using the Seamless Single Sign-On option of AD Connect.