Single sign-on (SSO) is a method of security access to multiple software systems. With SSO, a user logs in once and gains access to all systems without being prompted to log in again for each additional system.
As more and more organizations migrate their infrastructure to the cloud, there is a need to ensure users can seamlessly connect between different systems, namely on-premise resources and cloud-based resources.
This article summarizes different scenarios that organizations may choose in order to assist them in making the right decision and select the right solution for their organization.
Scenario 1 – No Single Sign-On
Many Companies elect not to deploy SSO and have separate login details to connect to their local resources, Office 365, or other cloud providers. The infrastructure required would employ their own local domain and active directory to manage access to internal resources, so no change here.
Then there would be separate account management portals, supplied by their cloud providers to manage users’ credentials. The advantages of this scenario are no additional internal infrastructure configuration is required as account management portals are supplied by the cloud providers.
However, the disadvantages are separate usernames and passwords for team members to connect to their cloud providers and separate systems to administer users.
Also, there is no possibility of data integration of their on-premise and cloud providers’ systems to share data in a ‘hybrid’ or data integration model.
Scenario 2 – Entry level Single Sign On – Windows Credential Manager
This scenario is not true SSO since it does not use a companies’ corporate credentials to connect to an external system.
This scenario allows a user to store their online credentials upon the first login, thereby not having to enter them again.
Windows Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. By storing your credentials, Windows can automatically log you on to websites or other computers.
Credentials are saved in special folders on your computer called vaults. Windows and programs (such as web browsers) can securely give the credentials in the vaults to other computers and websites.
The advantages are that it’s free, simple to set up and it’s a standard Windows operating system feature. However there are disadvantages to using Windows Credential Manager, namely, it’s not secure and often will not comply with many companies security governance.
There is still the separate systems to administer users and similar to scenario 1, there is no possibility of integration of the systems for a ‘hybrid’ or data integration model.
Scenario 3a – Managed SSO – ADFS
True SSO requires the deployment of Active Directory Federation Services (ADFS), a Microsoft-developed component of Windows server. It simplifies access to external systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. ADFS supports web single-sign-on (SSO) technologies that help IT organizations collaborate across organizational boundaries.
In order to deploy ADFS, it requires local Active Directory and Domain Controllers and additional ADFS and ADFS Proxy servers to facilitate federation between on-premise Active Directory and cloud-based providers. The advantages of ADFS is a true SSO experience, a single Username/Password to connect to cloud providers. It also means there is a single system (local Active Directory) to administrator accounts for the cloud provider (e.g. Office 365) The disadvantages are that ADFS is not easy to deploy.
There are additional servers to setup, configured and maintained and extra reliance on corporate ADFS servers to connect to the cloud providers.
Scenario 3b – Hosted SSO – ADFS
Customers who want the full SSO experience with a cloud provider without requiring deploying their own ADFS servers can choose to have their ADFS servers themselves hosted in the cloud. This may sound strange however there is a growing business for Infrastructure As A Service (IAAS) where you could indeed have a cloud provider also provide you with your ADFS servers so you won’t need to worry about them. The advantages are less local administration and effort to deploy the ADFS environment. The disadvantage is mainly cost as this is not an inexpensive option. Microsoft provide this with their Azure platform where it’s the alternative to (or an extension of) your network or perimeter network (DMZ). More information on this is available from Microsoft here.
Scenario 4 – SSO Deployed, Advanced Integration Options
When SSO is fully deployed in an organization there often is a need to integrate data connectivity between the cloud provider (e.g Office 365) and their on premise SharePoint environments in the form of cross-platform Search and Business Connectivity Services (BCS). The infrastructure required for this scenario would be as follows:
- Local Domain Controllers and AFDS Servers deployed to provide SSO Connectivity to Office 365
- On-premise SharePoint and Office 365 environments are configured to integrate in the following ways:
- Search
- One-way outbound – e.g. the ability to search Office 365 content from on-premise SharePoint Server
- One-way inbound – e.g. the ability to search on-premise content from Office 365 SharePoint Server
- Two-way bidirectional – e.g. support of both topologies
- Business Data Connectivity Services (BCS)
- Office 365 requires E3 Plan
- Out-bound / In-bound / Bidirectional topologies available
- Search
The advantages of this scenario are a seamless integration of content between on-premise SharePoint and Office 365. SharePoint on-premise is still vital for many organizations who need to deploy 3rd party applications that are not supported in the cloud. This is the preferred scenario when it comes to managing Projects on SharePoint with BrightWork as users can have a single username and password to connect to their Project Office on BrightWork and the increasingly growing presence of SharePoint on Office 365.