Microsoft Cloud – Which SSO option is right for your company?

As IT organizations begin to implement Microsoft Cloud services, the need for a single sign-on capability increases. Single sign-on, or SSO, allows users to log in once with their account and password and gain access to all of their systems without having to log in again to each of those systems. It significantly reduces administrative costs while increasing user productivity.

The different Microsoft Cloud subscriptions (Office 365, Intune, Azure, etc.) all leverage directories hosted by Windows Azure Active Directory. The directories are created when you set up a subscription and provide a name. The suffix .onmicrosoft.com is appended to the name you provide and becomes the domain name for users added to the service (e.g. AcmeOffice365.onmicrosoft.com).

Most companies want to leverage their own domain (e.g. user@acme.com) for user accounts and use those credentials for access to email and other services. SSO can be set up across your on-premises and cloud Microsoft environments, but since customers have so many different configurations and requirements, designing and configuring an SSO solution can be very complex.

There are three different ways to achieve single sign-on with Microsoft Cloud services and Windows Azure Active Directory. Each alternative fits an organization’s particular environment and/or requirements.  

No Synchronization

With this alternative, all accounts are created and maintained in Windows Azure Active Directory. Users authenticate through https://login.microsoftonline.com with their organizational account, which is <user name>@<company domain> because the company domain is added to the subscription through the Office 365 or Azure portals.   This SSO alternative is called “No Synchronization” because there is only one directory and therefore no synchronization with an on-premises domain.

Setup for this SSO alternative is the simplest. The company’s domain is first verified through DNS and a new directory is created in Windows Azure Active Directory for the domain.   The directory is marked as the default directory and users are added to that directory.   Exchange Online and DNS are configured to use that domain name.

This option is a good alternative for organizations that are cutting over entirely to cloud-based services. It doesn't require any on-premises components and there is no synchronization to another directory service. It is not a feasible SSO alternative for organizations maintaining on-premises IT services.

Directory and Password Synchronization

Most companies are implementing specific cloud-based services, not necessarily transitioning all services to the cloud. Therefore, they typically have existing Active Directory domains and on-premises IT services that will be maintained going forward.    

With this alternative, accounts and passwords are maintained in the on-premises Active Directory. The account information and password hash values are synchronized to the directory in Windows Azure Active Directory. This is not actually an SSO solution; it is a "same sign-on" solution. Users that access local resources are authenticated locally by a domain controller, and if that same user accesses a Microsoft cloud resource, they are authenticated again in the cloud. The benefit to them is that they use the same logon and password as they do on premises.

Setting up involves:

  • Verifying and registering your domain with Windows Azure Active Directory
  • Installing and configuring DirSync for directory and password synchronization
  • Licensing synched accounts for cloud services

This option is easy to configure and allows users to leverage the same credentials for all IT services. It doesn't provide a true single sign-on experience, and therefore some features, like Exchange free/busy lookups, will not work seamlessly.

Directory Synchronization and Active Directory Federation Services

This alternative is the only true SSO solution for users that require access to both on-premises and cloud systems. It is also required to ensure all functionality is available to users of Hybrid Exchange and SharePoint environments. This alternative involves implementing a security token service (typically an ADFS farm) that trusts a federated domain in Windows Azure Active Directory.  All logons are redirected to ADFS and ADFS issues security tokens that are then passed to the trusting services.  

Setting up involves:

  • Obtaining a domain certificate from a trusted certificate authority
  • Verifying and registering your domain with Windows Azure Active Directory
  • Configuring your domain for federation
  • Installing and configuring DirSync for directory sync
  • Licensing synched accounts for cloud services
  • Installing and configuring ADFS servers
  • Installing and configuring ADFS proxy servers
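The domain verification, DirSync enablement, licensing and federation steps listed for the "Directory and Password Synchronization" and "Directory Synchronization and Active Directory Federation Services" options, as an added example using the Windows Azure Active Directory Module for Windows PowerShell (this is not code from the original post; the domain name, ADFS host name, usage location and license SKU are placeholders, and the ADFS farm is assumed to be installed already):

```powershell
# Added example (not from the original post). Domain, server and SKU values are placeholders.
# Assumes the MSOnline module is installed and an ADFS farm already exists on premises.
Import-Module MSOnline
Connect-MsolService                      # prompts for a Global Administrator credential

$Domain   = 'acme.com'                   # placeholder custom domain
$AdfsHost = 'adfs01.acme.local'          # placeholder primary ADFS server

# 1. Register the custom domain and display the DNS TXT record that proves ownership.
Add-MsolDomain -Name $Domain
Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord

# 2. After the TXT record is published, confirm it. Confirm-MsolDomain throws if the
#    record is not visible yet; the explicit status check below makes the failure obvious.
Confirm-MsolDomain -DomainName $Domain
if ((Get-MsolDomain -DomainName $Domain).Status -ne 'Verified') {
    throw "Domain $Domain is not verified; check the TXT record and try again."
}

# 3. Allow DirSync to write synchronized accounts (and password hashes) into the directory.
Set-MsolDirSyncEnabled -EnableDirSync $true -Force

# 4. Federation (ADFS option only): point the cmdlets at the ADFS farm and convert the
#    domain from Managed to Federated. From this point, logons for @acme.com users are
#    redirected to ADFS, so ADFS availability is on the sign-in critical path.
Set-MsolADFSContext -Computer $AdfsHost
Convert-MsolDomainToFederated -DomainName $Domain

# 5. Verify the trust and note the endpoints the ADFS proxy servers must publish externally.
Get-MsolDomainFederationSettings -DomainName $Domain |
    Select-Object FederationBrandName, IssuerUri, PassiveLogOnUri, ActiveLogOnUri

# 6. Once accounts have synchronized, license them. A synced user who is unlicensed can
#    authenticate but has no access to the cloud services.
$Sku = (Get-MsolAccountSku | Select-Object -First 1).AccountSkuId   # e.g. acme:ENTERPRISEPACK
Get-MsolUser -All |
    Where-Object { -not $_.IsLicensed -and $_.UserPrincipalName -like "*@$Domain" } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation 'US'   # placeholder
        Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $Sku
    }
```

For the "Directory and Password Synchronization" option, stop after step 3 and the licensing in step 6; the domain stays Managed and users are authenticated in the cloud against the synchronized password hash.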

This option provides a seamless single sign-on experience, but involves a much greater effort to plan, implement and operate.

Hopefully this has provided you some good information to help you understand your SSO options for Microsoft Cloud services. Cloud 9 has developed an SSO QuickStart service offering geared toward quickly implementing a Microsoft single sign-on solution. Give us a call at 1-855 2 CLOUD 9 to learn more about this or other cloud services.


About Cloud 9 Infosystems

Cloud 9 Infosystems is an Azure Circle Partner specializing in building, migrating and managing applications in Cloud. We were awarded the Most Valuable Partner Award by Microsoft for our Cloud services. We are also part of Azure insider club and P-seller program at Microsoft.
This entry was posted in Cloud Computing, SQL Azure, Uncategorized, Windows Azure.
