The 4 Azure Options for Implementing Single Sign-On
A wide range of options are available for those looking to implement Single Sign-On (SSO) with Azure.
Here is an overview of the four options that are currently available:
Cloud-only Passwords Without SSO
With this option, SSO is not used: Office 365 accounts log in independently of the local Active Directory. This option is quick to implement, allows password resets, needs no dedicated servers or other infrastructure, and can be used without an on-site Active Directory. However, it does mean that users will not have the convenience of an SSO.
Password Synchronization with SSO
Office 365 uses Azure Active Directory (AAD) Connect, which synchronizes data between the on-site Active Directory and Azure AD. User accounts do not have to be held separately in Office 365, and password changes are synchronized. This option needs no extra resources, supports external logins, gives users a single password for on-site and cloud services, and, because the password hashes are synchronized, keeps access to Office 365 working even when the Internet connection or the on-site AD infrastructure is down. However, this option does remove some control over the system; e.g., employers will not be able to restrict login times. In addition, the organization must purchase Azure AD Premium or an Enterprise Mobility + Security Suite license to get the self-service password reset features.
Pass-through Authentication with SSO
Pass-through authentication with Azure AD Connect passes logons back to the on-site Active Directory for authentication. This permits login time restrictions. However, it does mean that your on-site infrastructure must be available at any time you want to authenticate users. Pass-through authentication also lets machines joined to the same domain pass their domain credentials through seamlessly, which provides a genuine single sign-on through Outlook (2013 onwards) and web browsers. As it is built into Azure AD Connect, minimal infrastructure is needed. However, companies with only one data center and/or Internet connection may have trouble creating enough redundancy.
Federated Identity with SSO
Federated identity gives users access to security controls that are not available with the other options; however, it does need more infrastructure. Active Directory Federation Services (ADFS) has to be deployed in the on-site network, which requires two servers on separate sites for a resilient deployment. User logins are passed back to ADFS for validation. Security features that are unavailable elsewhere include filtering client access, for example to prevent certain employees from checking email from home. It should be noted that, alongside the additional security offered, this method is more expensive, adds extra potential points of failure, and needs periodic updating.
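As an added example that is not part of the original article, the following Microsoft Graph PowerShell script reports which of the four sign-in models above each verified domain in a tenant is actually using, so the deployed configuration can be checked against the intended one. It assumes the Microsoft.Graph module is installed and the caller holds the Domain.Read.All and Organization.Read.All permissions; the classification rules in the `switch` are an assumption of this example, not an official mapping.

```powershell
# Added example (not from the article): classify a tenant's sign-in model per domain.
# Assumes the Microsoft.Graph module and Domain.Read.All / Organization.Read.All scopes.
Connect-MgGraph -Scopes 'Domain.Read.All', 'Organization.Read.All' -NoWelcome

$org = Get-MgOrganization | Select-Object -First 1

# Tenant-wide sync state: a cloud-only tenant has no on-premises sync at all.
$syncEnabled = [bool]$org.OnPremisesSyncEnabled
$lastSync    = $org.OnPremisesLastSyncDateTime
$lastPwdSync = $org.OnPremisesLastPasswordSyncDateTime   # null when hashes have never been synced

foreach ($d in Get-MgDomain | Where-Object { $_.IsVerified }) {
    # Heuristic mapping (assumption of this example). Note that hash sync can also be
    # enabled alongside pass-through authentication as a fallback, so a password sync
    # timestamp only proves the hashes are present in the cloud, not that PTA is off.
    $model = switch ($true) {
        ($d.AuthenticationType -eq 'Federated') { 'Federated identity (ADFS or other IdP)'; break }
        (-not $syncEnabled)                      { 'Cloud-only passwords, no SSO'; break }
        ($null -ne $lastPwdSync)                 { 'Password hash synchronization'; break }
        default                                  { 'Managed, no hash sync (pass-through auth or sync disabled)' }
    }

    $row = [ordered]@{
        Domain           = $d.Id
        Model            = $model
        LastDirSync      = $lastSync
        LastPasswordSync = $lastPwdSync
    }

    if ($d.AuthenticationType -eq 'Federated') {
        # Logons for this domain are redirected to the on-site federation service.
        # Record the endpoint so an unexpected issuer or sign-in URL stands out in review.
        $fed = Get-MgDomainFederationConfiguration -DomainId $d.Id
        $row.PassiveSignInUri = $fed.PassiveSignInUri
        $row.IssuerUri        = $fed.IssuerUri
    }

    [pscustomobject]$row
}
```

The organization object does not say whether pass-through authentication agents are registered, so a domain reported as "Managed, no hash sync" should be confirmed in the Azure AD Connect blade of the portal.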