
ADFS vs SSO: Choosing the Right Authentication Solution

We compare ADFS vs SSO, and discuss what they are, their benefits, drawbacks, and their roles in identity management.


Developers often confuse ADFS and SSO, and it’s easy to see why.

ADFS enables SSO in Windows environments, but it is only one tool for implementing SSO, not SSO itself. SSO is the broader concept: users authenticate once and can then access multiple apps. It isn’t tied to any platform and can be implemented by other tools, not just ADFS.

In this article, we’ll dive deeper into the differences between ADFS and SSO to understand what they are, their pros and cons, and what they are used for.

ADFS vs SSO: What are they and which should you use?

ADFS (Active Directory Federation Services) is Microsoft’s own solution for Single Sign-On (SSO) and access management within Windows environments.

SSO (Single Sign-On) is a broad concept for allowing users to log in once and gain access to multiple apps without logging in again and again.

The main difference between ADFS and SSO is that ADFS works in Windows environments only, whereas SSO is vendor-neutral and can be implemented by a variety of identity and access management (IAM) services like Okta, OneLogin, and Ping Identity in environments other than Windows.

Use ADFS if: You are building apps for enterprises that use Microsoft Windows, Microsoft-based apps, or Active Directory to manage users.

Use a broader SSO solution if: Your enterprise customers have diverse IT environments that aren’t limited to just the Windows ecosystem.

Note: ADFS has been superseded by Microsoft Entra.

What is ADFS?

ADFS is a Microsoft service designed to extend SSO capabilities beyond the confines of an organization’s Windows environment. It was created to allow organizations to use their Active Directory credentials to access apps outside their network, typically those hosted on the cloud.

Key features of ADFS

Below are some of the main features of ADFS:

  • It’s part of Windows Server and is typically installed on-prem.
  • It supports popular authentication protocols like SAML, WS-Federation, and OpenID Connect.
  • It’s strongly integrated with Active Directory, a directory service also from Microsoft that stores user identity data.
  • It supports identity federation. Different organizations can federate and securely share identity information, so users from one organization can access apps or services in another organization in the federation without needing separate credentials.
  • It enables SSO. Through ADFS, users can log in once and gain access to multiple apps.

Here’s how ADFS authenticates users:

  • When a user tries to log in to a web app (referred to as the relying party), the web app redirects the user to the ADFS login page, where they enter their username and password.
  • ADFS forwards the user's provided credentials to an identity provider like Active Directory (AD) for authentication.
  • The identity provider verifies the user and, upon successful authentication, returns information about the user in the form of claims. Claims include user attributes like their name, email address, roles, or permissions.
  • Based on the claims from AD, ADFS generates a security token and digitally signs it.
  • ADFS sends the security token back to the web app the user initially wanted to access.
  • The web app verifies the token's signature and uses the claims to make access control decisions. If the claims meet the app’s requirements, the user is granted access without further prompts.

Pros of ADFS

  • Identity federation: It allows organizations to establish trust relationships with external apps (like yours) outside their network.
  • Single Sign-On: ADFS enables SSO. Users can log in once to ADFS and gain access to multiple apps and services without logging in again.

Cons of ADFS

  • It’s complex to set up: Setting up ADFS involves multiple steps — configuring the ADFS server, establishing a trust relationship between yourself as the service provider and your customers, and configuring relying party trusts. This process requires a lot of back and forth between you and your customers and can be extremely time-consuming.
  • Configuration differences: Each of your customers might set up ADFS a bit differently. You must be ready to meet the varying demands of each.

What is SSO?

SSO (Single Sign-On) is an authentication method that allows users to authenticate once and access multiple apps. At its core is a centralized Identity Provider (IdP). This IdP verifies the user’s identity and issues tokens that act as digital proof the user is authenticated.

While ADFS is strongly tied to Windows Server, modern SSO providers are not tied to any platform and can run in the cloud. They are also much easier to set up and configure.

Typically, SSO is implemented using protocols like OIDC (OpenID Connect) or SAML (Security Assertion Markup Language). These protocols define how the authentication data is formatted and exchanged between the IdP and applications.

Each protocol defines a specific SSO flow. However, generally, an SSO authentication flow looks like this:

  1. The user navigates to your app’s login page and initiates the login process.
  2. Your app redirects the user to their IdP.
  3. The user logs in to the IdP with their credentials (like a username and password).
  4. Once the IdP authenticates the user, it issues a token containing the user's identity and authentication status.
  5. The IdP sends the token to your app.
  6. Your app receives the token and validates its authenticity.
  7. If the token is valid, your app grants the user access.
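The last steps of both flows above (ADFS handing a signed security token to the relying party, and the generic IdP handing a token to your app) come down to the same relying-party checks: verify the signature with the IdP's key, confirm the token was issued by the expected IdP for this app and has not expired, and only then use the claims for an access decision. The following is an added example, not code from the original post or from any IdP vendor. It models the token as an HS256 JSON Web Token with a shared secret so it runs offline with the standard library; real ADFS and OIDC deployments sign with an asymmetric key whose public half the IdP publishes, but the validation order is the same. The issuer and audience URLs, secret, and claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values: a real IdP signs with a private key and publishes the
# public key; here a shared secret stands in for it so the example runs offline.
IDP_SECRET = b"constructed-idp-signing-secret-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.test/adfs/services/trust"  # constructed
EXPECTED_AUDIENCE = "https://app.example.test/"                  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """IdP side: serialise the claims and sign them (HS256 JWT layout)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[float] = None,
                   secret: bytes = IDP_SECRET) -> dict:
    """Relying-party side: accept only a fresh, correctly signed token from the
    expected issuer that names this app as its audience. Raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the app expects; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not intended for this app")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, required_role: str) -> bool:
    """Access decision driven by the verified claims (the flow's final step)."""
    return required_role in claims.get("roles", [])


def login_callback(token: str, required_role: str = "admin",
                   now: Optional[float] = None) -> str:
    """What the app does when the IdP redirects back with a token."""
    try:
        claims = validate_token(token, now=now)
    except ValueError as exc:
        return f"denied: {exc}"
    if not authorize(claims, required_role):
        return f"denied: missing role {required_role}"
    return f"granted: {claims['email']}"


if __name__ == "__main__":
    # Constructed claim set for a user the IdP has just authenticated.
    sample = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "exp": time.time() + 300, "email": "alice@example.test",
              "roles": ["admin"]}
    print(login_callback(issue_token(sample)))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the app rather than taken from the token, and issuer and audience are compared against values configured per IdP, which is also where the "each customer configures ADFS a bit differently" work shows up in practice.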

Pros of SSO

  • It offers a better developer experience: Modern SSO solutions are generally easier to implement compared to ADFS. Some even offer pre-built integrations, SDKs, or APIs that simplify the process even more.
  • It’s platform-independent: While ADFS was built for Windows environments, modern SSO solutions are cloud-based and can be used on any platform.

Cons of SSO

  • Supporting multiple IdPs can be resource-intensive: Each IdP might use a different SSO protocol, and these protocols vary significantly in how they manage authentication, not to mention the implementation nuances within each protocol. If your app connects to multiple IdPs, you may need to create integrations for each of them.

FAQs

What are ADFS and SSO used for?

Both ADFS and SSO are used to link (federate) on-prem identities to cloud apps. They allow users to use one set of credentials to log in to multiple apps.

Is ADFS the same as SSO?

No, ADFS and SSO are not the same. ADFS works only in Windows-based systems while SSO can be implemented by services hosted in non-Windows environments.

What is the difference between SSO and Active Directory?

SSO allows a user to log in once and gain access to multiple apps without logging in to each one while Active Directory is a directory service that stores and manages user identities.

Do you need both ADFS and SSO?

ADFS itself is a form of SSO. When people generally refer to "SSO tools," they might mean a broader category of identity and access management solutions that include ADFS as well. Whether you support ADFS or another SSO tool will depend on your clients. If your clients have Windows-centric IT environments, you may need ADFS support. If they use other identity management services, you would need to support those services.

Next steps

If you prefer not to create individual SSO integrations for each Identity Provider (IdP) you want to support, consider using a done-for-you authentication service like WorkOS:

  • Get started fast: With SDKs in every popular language, and Slack-based support, you can implement SSO in minutes rather than weeks.
  • Support every protocol: With OAuth 2.0 integrations to popular providers like Google and Microsoft, compatibility with every major IdP, and full support for custom SAML/OIDC connections, WorkOS can support any enterprise customer out of the box.
  • Avoid the back-and-forth: WorkOS’s Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their identity provider.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard — whether they bring 10 or 10,000 SSO users to your app.

Explore Unified SSO by WorkOS.
