Tom Kemp's Centrify Blog

Options for Federated Identity for Office 365, Part 2

Monday, July 1, 2013

Active Directory Federation Services (ADFS) and Centrify are two good options for "federated identity" for Office 365, which, as a reminder, is where user authentication for your cloud-based Office 365 actually occurs with your on-premise Active Directory. As I discussed in prior blog posts, federated identity is one of the key identity management scenarios for Microsoft Office 365, and in my last blog post I walked readers through some of the differences between ADFS and Centrify for Office 365 specific to the on-premise infrastructure and labor required between the two solutions. In this blog post I want to highlight some of the other differences between ADFS and Centrify for Office 365.

[But before I begin this blog post, and as I have tried to articulate in my two prior blog posts, here at Centrify we actually don't see ADFS as competition per se and view ADFS as more complementary. Centrify was in fact the first ISV to come out with extending ADFS to non-Microsoft web servers, so we have a long-time track record of supporting and working with Microsoft and ADFS. As it relates to Office 365, in the end the focus of both Microsoft and Centrify is to successfully get customers to Office 365 in a frictionless manner for both end users and IT. Given that ADFS is not a chargeable item from Microsoft, it is not a situation where the two companies are fighting for revenue — both share the same broader goals of faster and widespread adoption of Office 365 by businesses of all sizes. It is also worth noting that both Microsoft and Centrify leverage Windows Azure as the cloud platform for this Office 365 federated identity solution, so there is strategic alignment at a technology and vision level. That's one of many reasons why Microsoft has validated the Centrify solution through the "Works with Office 365" partner program, because in the end Microsoft makes revenue from Office 365 and not from ADFS. Microsoft and its customers win when Office 365 is successfully deployed, and if Centrify can help in that regard, it is a win for Microsoft and its customers.]

So in my last blog post, I discussed the following differentiating points:

#1 ADFS requires significantly more on-premise infrastructure vis a vis Centrify for Office 365

#2 ADFS requires firewall changes

#3 ADFS requires 3rd party certificates

These points are relevant because ADFS is very much an on-premise and hardware-based approach vs. Centrify's cloud-based approach to federated identity, thus it can take up to 2+ weeks and tens of thousands of dollars of hardware/labor/etc. to deploy ADFS vs. Centrify's five-minute install and quick up-and-running approach. But what if you already invested in ADFS *OR* you may be receptive to a hardware-centric approach (vs. cloud-based) — are there any more reasons to go with Centrify for Office 365 vis a vis ADFS? Let me bring up some additional points to consider:

#4 ADFS can be difficult to configure for additional 3rd party SaaS Apps

Clearly many customers have deployed and/or are looking to deploy additional cloud-based apps besides Office 365. They may have Salesforce.com, WebEx, Dropbox, Box, Zendesk, etc. The reality is that ADFS can require a lot of knowledge to configure SSO for third party SaaS apps and someone has to become an expert for configuration and debugging. For example, here is a screenshot of some of the configuration screens and tasks you have to do with ADFS and Salesforce.com.

A few of the ADFS screens required for SSO to Salesforce.com

In addition, while ADFS does support SAML and WS-Trust, you will quickly find that some of your cloud apps may not support those SSO protocols, so you have to build federated identity for those apps and ADFS won't really help there. At the end of the day, customers will find that ADFS does not provide a comprehensive catalog of pre-configured SaaS apps that can be set up in minutes.

On the other hand, Centrify delivers a catalog of hundreds and hundreds (soon to be over 1000) of pre-integrated, tested and supported 3rd party SaaS apps, and we support those apps irrespective of the SSO protocol they utilize. For customers, each application takes on average a few minutes to set up and configure. Thus there is a significant time and cost savings vis a vis ADFS to "embrace and extend" AD-based SSO to other SaaS apps beyond Office 365. The more apps you have, the bigger the cost savings.

Centrify delivers a catalog of pre-integrated, tested and supported 3rd party SaaS apps

#5 ADFS does not provide a Windows Server Active Directory-based end-user portal for accessing 3rd party SaaS Apps

ADFS is an optionally installed add-on capability to Windows Server Active Directory. It does not offer an end-user portal for accessing 3rd party SaaS apps via Active Directory, which means there is no way to get single-click access to 3rd party SaaS apps or self-service to AD account attributes or mobile devices.

ADFS provides no out of the box user portal for 1-click access to SaaS apps

In comparison, Centrify not only provides a robust interface for accessing a plethora of SaaS apps (as well as a user's consumer oriented web apps and web sites), but also provides self-service management capabilities for users' devices and AD accounts. Having this unified identity portal provides a significant boost to end user productivity. It is important again to note that this portal offers federated 1-click access from customers' on-premise Windows Server Active Directory, which is what 97% of businesses out there use today for their identity infrastructure.

MyApps delivers one-click access to thousands of SaaS apps

MyDevices delivers self-service to mobile devices for location, lock and wipe

#6 Centrify delivers a robust mobile "Zero Sign-On" Experience for Office 365 and other apps

Increasingly users are accessing SaaS apps such as Office 365 from their mobile devices. Centrify provides a rich mobile client to access SaaS apps from both Android and iOS devices which delivers a 1-click "Zero Sign-on" experience. And many SaaS vendors are utilizing Centrify's Mobile Authentication Services (MAS) SDK to provide that one-click access from their rich mobile apps as well. ADFS does not offer a mobile client.

So those are 6 major differentiators off the top of my head. Hopefully as you have seen from this two-part blog post, ADFS and Centrify offer different approaches to federated identity for Office 365. Clearly ADFS offers a more hardware-centric and on-premise-centric approach while Centrify offers a more cloud-based approach. In addition, the goal of Centrify is to offer a more out-of-the-box experience for integrating with third party SaaS apps and with mobile devices than what ADFS offers.

In some cases ADFS may be appropriate for some customers (e.g. if they have already deployed ADFS and don't plan to deploy other cloud apps) and in other cases Centrify may be a better choice, or even in some cases customers may want to deploy both (e.g. if they have already deployed ADFS for some apps and want to use Centrify for other apps). So in the end they actually really complement each other more so than competing with each other. My goal here was to simply lay out the facts and let the customer decide which is best between the two, especially as most Office 365 customers will want to know which options to consider.

Clearly Microsoft needs to offer something in this area, and their answer is ADFS, but given that one size rarely fits all, it does not mean that this offering is perfect for every customer of Microsoft. Centrify makes an Office 365 deployment easier and can deliver a better user and IT experience — that's the most important value to Microsoft and, even more important, to its customers; let alone introducing ADFS as a new piece of on-premise software that Microsoft does not directly derive revenue from. Moving forward, the good news is that Microsoft is looking to evolve ADFS, and Centrify will continue to look to further complement and add value to it while providing its own unique and complementary approach that customers should consider when looking for federated identity for Office 365.
