For nearly two decades, Microsoft has offered Active Directory Federation Services (ADFS) as the solution for extending enterprise identities beyond corporate firewalls. When Microsoft launched Office 365 in 2011, one of the earliest requirements was to provide some form of single sign-on (SSO) to corporate users who wanted to access the platform from within an Active Directory (AD) domain.
This involved linking Azure AD to federation services that ADFS and on-prem AD provided. Though ADFS was a popular SSO solution when Microsoft ruled the IT world, AD and solely Windows-based IT environments are no longer as commonplace as they once were. This means that organizations are analyzing the limitations of ADFS and ultimately looking for better identity and access management (IAM) solutions.
This article will discuss some of the primary limitations of ADFS, including high maintenance costs, complexity, security, and support issues.
What are the Limitations of ADFS?
When Microsoft unveiled ADFS, it promised that the solution would become the cornerstone upon which organizations could build federated identities in their environments. In some ways, ADFS solves federation identity challenges because users from one organization can access applications in a partner organization via the standard credentials of their organization’s AD.
ADFS also enables users to access AD-integrated resources while working remotely via their AD credentials on a web interface. However, despite these benefits, ADFS brings quite a few limitations to the table, such as:
1. It’s costly to implement and maintain
ADFS is technically a free solution, with no extra licensing costs if you’re already paying for the Windows Server operating system (OS). As such, it makes financial sense, especially for organizations that already use Windows Server and don’t want to buy another federation solution. However, setting up on-premises SSO servers for high availability (HA) and for use outside of the corporate firewall involves other costs that are not always top of mind, resulting in unforeseen expenses and a higher overall cost.
For example, besides the initial configuration and setup costs, you have to factor in server costs. Also, ADFS generates ongoing maintenance costs, consisting of infrastructure maintenance, secure sockets layer (SSL) certificates, and the management of multiple federations. The additional costs involved with the time, resources, and budget spent on ADFS can be complex and difficult to quantify.
2. It’s complex to set up
Another limitation is that ADFS requires multiple hardware components and applications to adequately meet single sign-on needs. It also requires extensive configuration and maintenance. ADFS consists of three hardware components:
- The ADFS server
- The federation service proxy — a service that’s installed between the ADFS server farm and external resources
- The ADFS configuration database
These components require customized development and a significant time commitment to understand, deploy, configure, and maintain the SSO connections to the external applications. Because ADFS is an on-prem solution, it’s the responsibility of your in-house IT team to handle these tasks.
Further, ADFS doesn’t have a user-friendly portal for managing identities and authentication policies, so adding an application or system to the service is often complex and time-consuming.
3. Cybercriminals can target the ADFS servers
A third limitation of ADFS is that it is a linchpin tying the corporate network to various cloud-based services such as Office 365. As more organizations shift to cloud-based solutions, ADFS has become a common target for attackers. While ADFS isn’t inherently insecure, the complexity of implementing it properly leaves it vulnerable if anything is amiss.
Recently, attackers have forged Security Assertion Markup Language (SAML) tokens to freely access corporate resources in on-prem and cloud-based setups. “Golden SAML” is one such attack that malicious actors can leverage to authenticate into every service that uses the SAML 2.0 standard as an SSO mechanism.
These attacks are becoming increasingly common because most ADFS configurations involve multiple servers, often deployed to provide load-balancing and HA features. The nodes use a replication service to share and sync the token configuration information and SSL certificates from the primary server.
Attackers can take advantage of these replication processes and steal token-signing certificates by simply accessing the ADFS server over the standard HTTP ports and decrypting them via domain user credentials. This allows them to perform “Golden SAML” attacks with a single foothold on the corporate network as the only requirement.
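As an added example (not from the original article), here is one defender-side check that follows from the description above: a forged token is accepted by the cloud service without ever having been issued by ADFS, so a federated cloud sign-in with no matching ADFS token-issuance event in the preceding minutes is worth investigating. The log records and field names below are constructed for illustration; the Windows event ID 1200 (“The Federation Service issued a valid token”) is the real ADFS audit event they model.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Each ADFS record models an
# event-1200-style "token issued" entry from the federation server; each
# cloud record models a sign-in as recorded by the cloud identity provider.
ADFS_TOKEN_EVENTS = [
    {"time": "2024-05-01T09:00:02Z", "user": "alice@corp.example", "event_id": 1200},
    {"time": "2024-05-01T09:05:10Z", "user": "bob@corp.example", "event_id": 1200},
]
CLOUD_SIGNINS = [
    {"time": "2024-05-01T09:00:05Z", "user": "alice@corp.example", "auth": "federated"},
    {"time": "2024-05-01T09:06:00Z", "user": "bob@corp.example", "auth": "federated"},
    # Federated sign-in that ADFS never issued a token for: Golden SAML pattern.
    {"time": "2024-05-01T11:30:00Z", "user": "admin@corp.example", "auth": "federated"},
    # Cloud-native password sign-in: ADFS is not involved, so it is skipped.
    {"time": "2024-05-01T12:00:00Z", "user": "carol@corp.example", "auth": "cloud_password"},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_federated_signins(signins, adfs_events, window=timedelta(minutes=5)):
    """Return federated cloud sign-ins that have no ADFS token-issuance event
    for the same user within `window` before the sign-in.

    A token forged with a stolen token-signing certificate is presented
    straight to the cloud service, so the ADFS audit log has no record of
    issuing it. Sign-ins returned here merit investigation.
    """
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] == 1200:
            issued.setdefault(ev["user"].lower(), []).append(parse_time(ev["time"]))

    suspicious = []
    for s in signins:
        if s["auth"] != "federated":
            continue  # only ADFS-federated sign-ins need a matching issuance
        t = parse_time(s["time"])
        candidates = issued.get(s["user"].lower(), [])
        matched = any(timedelta(0) <= t - it <= window for it in candidates)
        if not matched:
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for hit in find_unmatched_federated_signins(CLOUD_SIGNINS, ADFS_TOKEN_EVENTS):
        print("federated sign-in without ADFS issuance:", hit["user"], hit["time"])
```

The correlation window and the assumption that both log sources share a synchronized clock are operational choices; clock skew between ADFS and the cloud side will produce false positives if the window is too tight.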
This overarching security problem with ADFS is so pervasive that many organizations are migrating away from ADFS and AD to modern cloud solutions that provide all of these necessary features in one secure platform.
4. It doesn’t allow file sharing or printing via print servers
Windows Server file sharing and AD are principal components that users in on-prem setups rely on to access shared drives and print servers. However, as organizations shift to cloud-based and remote work environments, employees need the equivalent of their work drives and print servers made available as shared folders they can reach online.
The cloud-based shared folders should be governed by the same security policies that AD implements in an on-prem environment. While ADFS extends identities beyond the corporate perimeter, it doesn’t allow users to have shared access to files and print servers.
Without ADFS-enabled file and print sharing mechanisms, users may resort to consumer cloud-based file sharing solutions such as Dropbox or Google Drive. However, this approach may lead to many questions, including:
- Where, exactly, is the organization’s data stored?
- Which users have access to the organization’s data?
- What will users do with the organization’s data?
This issue with ADFS can lead your organization down a path you don’t want to take. It exposes the organization to internal and external threats as well as compliance violations if data is not securely stored.
5. ADFS doesn’t support a heterogeneous IT landscape
Modern devices, applications, and other IT resources provide organizations with immense benefits via an enhanced user experience and improved productivity. What was once a Windows-dominated IT environment has now morphed into a heterogeneous landscape with many SaaS applications running on Linux and macOS platforms.
Unfortunately, ADFS is ill-equipped to natively deploy and control access to many of these resources, which is a huge limitation because there are so many diverse IT resources out there. This explains why many modern organizations are transitioning to a cloud-based alternative that provides complete identity and access management with single sign-on capabilities to virtually all IT resources. This type of platform fits perfectly into today’s modern IT environment.
A Modern Solution to the ADFS Problem
Many organizations still have some on-prem infrastructure as well as cloud-based resources that make up their IT environment. This means that they need a flexible IAM and single sign-on solution that allows for complete identity control while connecting users to all of the IT resources they need. The JumpCloud Directory Platform houses all of the capabilities you need to manage users regardless of location, protocol, platform, or provider.
Whether you’re looking to replace AD and ADFS or you want to extend AD using JumpCloud, this modern solution will work for you.
Try JumpCloud’s Solution Free
Test out JumpCloud’s modern, simplified IAM solution with True SSO™, and see if it’s right for your organization! Create a JumpCloud Free account to access the entirety of the platform for free, up to 10 users and 10 devices. Along with that, enjoy 24×7 in-app support — free for the first 10 days!