By Kayla Coco-Stotts Posted December 20, 2019
When comparing Active Directory® (AD) and single sign-on (SSO), why is AD plus SSO the norm for most IT organizations, not AD or SSO? It’s a question with a complicated answer (and one that hints at the rapid transformation of the IT landscape), but IT admins don’t have to be limited by this comparison.
Now, admins can discover the true future of SSO: leveraging one set of credentials for every IT resource.
Active Directory vs. SSO
For IT admins working in modern environments, it’s clear they need both Active Directory and a web application SSO solution because each one addresses a different portion of the problem.
AD works as the core directory service, while SSO add-ons allow users to leverage a single set of credentials for a variety of web applications. The two work well together to grant authoritative access to web applications while maintaining a core identity provider.
What is Active Directory and SSO?
Taking a step back, Active Directory quickly became the de facto standard in identity and access management after its introduction two decades ago. AD established itself as a directory service that managed user authentication and authorization to Microsoft®-centric systems and on-prem networks.
As web applications started to appear, IT admins struggled to extend AD identities to Software-as-a-Service (SaaS) resources hosted in the cloud. These included applications and productivity suites like G Suite™, Office 365™, Salesforce®, and Dropbox, which were not natively designed to integrate with the on-prem Windows network.
Microsoft did implement a solution for connecting to these apps called Active Directory Federation Services (AD FS), which federated identities to cloud-based applications. However, AD FS proved costly for admins: because it was housed on-prem, it was difficult to implement, required additional work to maintain, and came with extra licensing costs.
In response to the growing need for user management in the cloud space, a new generation of IAM solutions appeared in the form of web application single sign-on, first on-prem and then from the cloud. These cloud-based SSO solutions came to be known as the first generation of Identity-as-a-Service (IDaaS).
Where before there were on-prem SSO solutions like AD FS, first-generation IDaaS allowed IT admins to bridge authentication and authorization to the cloud ‘as-a-Service’. This gave employees a manageable and concise way to accomplish daily work across a number of web-based applications, because they only needed one set of credentials to log in. And, in combination with AD, SSO solutions bridged the functionality of directory services to cloud-based resources.
How does SSO work with AD?
First-generation IDaaS solutions were not designed to be core identity providers, prompting IT admins to use SSO in conjunction with AD. Admins layered SSO solutions on top of their directory service.
This method helps admins bridge their Windows-centric directory service to cloud-based web applications, but it further ingrains Microsoft in IT environments. This hinders organizations' ability to include more services and systems like Mac® and Linux® machines, as well as AWS®, as it encourages identity lock-in with Microsoft.
More recently, Microsoft introduced a cloud-based user management service called Azure® Active Directory (Azure AD or AAD) to work in conjunction with on-prem Active Directory. Azure AD is basically a user management platform for Azure infrastructure and a web application SSO solution.
Like first-generation SSO solutions, Azure AD needs AD to fully sync users with their cloud and on-prem IT resources. This approach still misses non-domain-bound IT resources (outside of web apps) and non-Windows solutions, requiring additional AD add-ons that further embed organizations in on-prem infrastructure.
Is There Another Way?
Although the Active Directory-plus-SSO approach aids admins in extending toward the cloud, it’s not the only option. Instead of operating with a layered approach to directory services, admins can leverage True Single Sign-On™ for every application, network, and system their users may need to succeed.
With True SSO, IT admins can control user authorization and authentication through a single interface. For users, this means that they can truly instantiate one set of credentials for the entirety of their productivity needs. Additionally, admins are now able to extend credentials that would have been previously encapsulated entirely in AD to a host of solutions without having AD around. True SSO gives admins control over directory services and SSO, which allows them to grant users access to everything, regardless of location, operating system, or application.
For those that just can’t let go of AD, JumpCloud® offers a way for IT admins to take their existing AD user base and extend it to the cloud and to non-domain-bound IT resources, not just web applications as traditional SSO solutions do. Admins either use AD as the source of truth for an identity or have JumpCloud be the source while still integrating tightly with AD. The result is that IT admins can keep AD around for their on-prem Windows resources, but extend one identity to everything a user may need.