Cloud-based applications provide a variety of benefits such as flexibility, scalability, and low costs, which makes them extremely popular in businesses. In 2021, the average number of software-as-a-service (SaaS) apps used in an organization was 110, which means 110 different places that users have to sign in.
The high adoption rate of SaaS cloud apps during the mid-2000s and the need for streamlined access to them led to one of two things in organizations:
- Creating an identity and access management (IAM) strategy from scratch to allow users to securely and efficiently connect to these web apps that lived outside of the domain.
- Rethinking an existing IAM strategy, because it wasn’t comprehensive enough to cover user access to non-Windows and non-domain-bound IT resources.
This was where web application single sign-on (SSO) tools came into the mix. SSO allowed users to easily access SaaS applications, federated through their on-prem directory credentials, which had the effect of streamlining IAM. However, at the time, SSO tools had to be integrated with Microsoft Active Directory (AD), the reigning directory solution in traditional Windows-based IT environments, to accomplish this type of integration. SSO tools had to be layered on top of AD, because AD is what stored identities — SSO tools simply pushed those AD identities out to web apps during the sign-in process.
Many organizations assume that Active Directory Federation Services (ADFS) is still one of the best ways to integrate off-premise applications and AD because both tools are Microsoft-based. However, not all AD integrations are created equal. To decide whether ADFS is right for your organization, learn about its limitations and then evaluate its pricing to see if it fits into your IAM vision.
In this article, we’ll go over all of the costs you need to consider when evaluating Microsoft ADFS pricing as well as another cost-effective SSO and IAM solution that might better suit your needs.
Costs to Consider When Evaluating Microsoft ADFS Pricing
While Microsoft has always marketed ADFS as a “free” solution, this isn’t totally true. Below are some costs you have to consider when assessing ADFS pricing.
1. Hardware Costs
You need to set up the following servers to leverage ADFS:
- ADFS server – This is a primary server that authenticates users and issues claims. The ADFS server must connect to the Domain Controller (DC) to authenticate users from multiple domains.
- ADFS proxy server – The ADFS proxy server resides in the organization’s perimeter or demilitarized zone (DMZ). Its role is to receive and forward requests to the ADFS servers not connected to the internet.
- ADFS configuration database – The ADFS configuration database stores the relying party trust, certificates, service configurations, claim provider trust, and claims description. You can store the entire database in an SQL database instance or Windows Internal Database (WID).
- Network load balancing server – For scalability and high availability services, you need to deploy a network load balancer in front of the ADFS server or ADFS proxy server.
Therefore, at a minimum, you need four servers to get ADFS up and running. If you want to connect to a service such as Microsoft 365 via ADFS, you also need to install a DirSync server, upping the count to five servers, not including your core domain controller infrastructure. And, when you factor in other associated hardware costs such as hosting, security, monitoring, and utility bills, these expenses quickly balloon.
2. Software Licensing Costs
A license isn’t required to set up ADFS if you’ve already set up AD and users already access Windows servers. However, you also need an ADFS configuration database to store all parameters that establish federated identity management. To store such a database, you need either a Microsoft SQL Server database or WID included with Windows Server 2008 or higher versions.
If you use SQL Server for the configuration database, you must ensure that you get the appropriate licenses to use ADFS. Microsoft provides two licensing types: core-based licensing and Windows Server + client access licensing (CAL). In a core-based licensing approach, each core in the processor needs a core license. Windows Server + CAL, in contrast, requires a license for an operating system environment (OSE) running SQL Server.
Because the options for SQL Server licensing are broad, organizations can find it extraordinarily complex to compute the exact costs involved. For example, there are thousands of license and subscription options that can be considered, creating significant hidden costs within ADFS setups.
3. Maintenance Costs
The process of commissioning, configuring, and maintaining ADFS servers takes time and effort. Besides the hardware and software licensing costs, organizations must also consider maintenance expenses when evaluating Microsoft ADFS pricing. Some of these costs include:
- IT administration – Because ADFS is an on-premise service, an organization using it needs to hire in-house IT administrators to assume complete ownership and management of it. But hiring experienced IT administrators can be challenging for organizations with smaller budgets. Plus, on-prem services don’t make much sense if you have a remote or hybrid work environment.
- Software support contracts – These include the license fees for upgrades or renewals.
- Hardware upgrades – These include expenses for expanding CPU speed, RAM, and hard disk space.
- Scalability costs – Adding a new application via ADFS requires the same installation, configuration, and maintenance level as the original applications. This additional work and subsequent costs can increase expenses in instances where the organization adopts more cloud-based applications.
A Cost-Effective Alternative to ADFS
While ADFS initially solved a problem and helped users connect to non-domain bound apps, in today’s modern IT environment, there are far more IT resources out there that need to be managed. This poses a significant challenge for organizations using ADFS or any other web app SSO point solution. Not only that, but Microsoft ADFS pricing adds up quickly when you factor in all of the costs associated with implementing and maintaining AD, ADFS, and everything else you need for them to both run smoothly.
A better solution? The JumpCloud Directory Platform is a cloud-based IAM and SSO solution that includes a wide variety of security and productivity features, plus it’s more cost-effective than AD and ADFS.
Unlike ADFS, where you need to install at least four servers not counting the core domain controllers themselves, JumpCloud® provides two lightweight alternatives:
- Replace AD and ADFS with the JumpCloud Directory Platform and its built-in True SSO™ capabilities to save time and money, enjoy increased flexibility, and transition to the cloud. This option has no servers for you to maintain.
- Extend AD with JumpCloud to utilize the cloud-based True SSO capabilities and more, while maintaining your on-prem directory. You only need to manage your core DC, and JumpCloud does the rest. You can even manage many AD functions from JumpCloud, lightening your management load.
With no need for dedicated servers or complex on-premise setups, the JumpCloud Directory Platform is perfect for cloud-first organizations that don’t want to incur extra costs associated with ADFS or those that are shifting to the cloud and already have AD/ADFS. What’s more, JumpCloud uses a subscription-based pricing model where you only pay for services you need, and you can add or remove features as your organization scales and evolves. Plus, everything you need for complete identity and access management is included in one platform, eliminating the need to purchase and manage a handful of disparate tools.
Try JumpCloud’s Solution Free
Test out JumpCloud’s modern, simplified IAM solution with True SSO while eliminating the need for AD + ADFS, and see if it’s right for your organization! Create a JumpCloud Free account to access the entirety of the platform for free, up to 10 users and 10 devices. Along with that, enjoy 24×7 in-app support — free for the first 10 days!