As organizations begin to consider identity and access management (IAM) tools, they find that there are many point solutions available, as well as a few more comprehensive solutions – i.e. platforms. The point solutions focus on very specific pieces of the IAM puzzle, rather than the big picture, one example being SSO. With a plethora of one-off solutions out there, plus the existence of more holistic directory services, making a choice for your organization can be difficult and confusing.
What is Active Directory?
Microsoft Active Directory is the historical, market share leading, on-prem commercial directory service. Many IT organizations rely upon Active Directory as their core identity provider (IdP) for authenticating resource access to Windows-based systems and applications. AD is offered as a complementary facet of Windows Server.
Alongside vanilla AD, there are a host of added services available from Microsoft which, when combined, create the AD domain. The domain traditionally consists of any on-prem, Windows-based systems and applications managed through Active Directory.
As Microsoft’s core identity and access management solution, naturally, AD works well in traditional Windows-centric networks. However, AD struggles when non-Windows or cloud-based resources come into play. A few common examples of resources that Active Directory struggles to connect and manage include Google Workspace, AWS, Salesforce, and Dropbox. Of course, the problem gets worse as IT organizations consider the use of macOS and Linux systems, WiFi and VPN networks, on-prem file servers, and much more.
The Cloud Problem
The rise of the internet brought many innovations to the IT industry, one of which was the emergence of web applications. This event presented a major drawback for AD: web apps, which require identity management for proper access and security, exist outside of the traditional domain. To deal with this problem, Microsoft added another solution to the list of AD add-ons, called Active Directory Federation Services (AD FS), in 2003.
AD FS uses the SAML 2.0 protocol to connect an AD identity to a web application. By doing so, AD FS widens the boundaries of the domain to include some web apps, making identity management considerably easier for IT organizations.
However, AD FS proved to be costly for admins because it was housed on-prem, making it difficult to implement, and it ultimately required additional work to maintain on top of added licensing costs. Not only that, but AD FS comes with hidden maintenance costs, adds unnecessary complexity to the IT landscape, and comes with security risks if used straight out-of-the-box. Add to that the plethora of other AD solutions needed to completely manage the entire group of IT resources end-users need to access, and the complexity increases dramatically.
What is Single Sign-On (SSO)?
Given AD’s struggles with resources outside of the domain, there were a handful of third-party vendors that decided to create solutions to help extend AD identities to cloud-based and/or non-Windows resources. One particular sector of vendors focused specifically on web applications. Like AD FS, these vendors leveraged SAML 2.0 to extend AD identities to the cloud and created SSO tools, also known as first generation Identity-as-a-Service (IDaaS) solutions.
Coincidentally, this type of SSO solution hit the market at almost the exact time as AD FS. Since Microsoft has always emphasized expansion in the computing space, SSO vendors sharpened their product, giving AD’s native tool a run for its money. However, most of the competition for AD FS early on was with other on-prem, enterprise-class solutions. Over time, web application SSO solutions shifted to being delivered from the cloud.
As a result, today’s SSO solutions are quite refined, and they can be used as add-ons to a core directory service or as built-in functionality within a modern directory platform. The latter option eliminates the need for IT teams to manage an on-prem directory service like AD as well as a separate web app SSO solution — if you can have both under one platform with more flexibility and functionality, why would you choose anything else?
Comparing AD and SSO
With those definitions in mind, let’s examine AD and SSO side by side. AD and SSO are very different; one is an on-prem directory service — the authoritative source of identities, the other a cloud-based, web app identity extension point solution that federates the identities from a core directory to web applications.
AD FS and SSO, however, are very similar. Both solutions federate on-prem identities to cloud applications, filling a great need in modern identity management. Their core differences lie in the fact that AD FS exists on-prem while most modern SSO tools now live almost exclusively on the web.
Microsoft also attempted to fill the role of AD FS on-prem with their Azure Active Directory in the cloud. Azure AD is primarily a user management tool for identities in the Azure cloud suite, as well as Microsoft 365 (formerly Office 365), and it also features limited SAML SSO capabilities akin to those of AD FS and other web application SSO point solutions. This approach still misses non-domain bound IT resources (outside of web apps) and non-Windows solutions, requiring additional AD add-ons that further embed organizations in on-prem infrastructure. Even Microsoft’s reference architecture promotes both AD on-prem and AAD in the cloud along with connective technology called Azure AD Connect, showcasing how entrenched (both technologically and financially) an organization must remain within the Microsoft ecosystem to leverage these capabilities.
The Big Question: Do You Need Both AD and SSO?
For admins working in modern IT environments, it’s clear that you need both a core directory and an SSO solution because each one addresses a different issue. However, there is a way to maintain a combined solution of a modern core IdP with SSO solutions that allows users to leverage one set of credentials to access a wide variety of apps and resources.
So, the short answer to the question of whether you need both AD and SSO is no — you don’t specifically need both AD and an SSO solution. There are already far too many tools and pieces of software that organizations have to manage to stay current with the world around them. This is a problem that can be solved by implementing one cloud-based directory solution that seamlessly federates core identities to other IT resources.
This approach is AD reimagined for the modern era. It’s designed to not only act as a unified core IdP and an SSO solution, but it also provides a variety of other useful capabilities (i.e. MFA, MDM, IGA, PAM, etc.).
Our solution that combines directory services and SSO is called the JumpCloud Directory Platform, and it provides IT organizations with the ability to manage their users, systems, applications, networks, storage systems, network infrastructure, and more, all from the cloud.
As such, this cloud directory platform gives IT admins a couple options:
- If you’re attached to AD: use JumpCloud® to extend AD without the need for a separate SSO point solution/AD FS (and get all of the other functionality that comes with JumpCloud which eliminates the need for even more point solutions such as MDM, MFA, PAM, and more)
- If you’re not using AD or you’re ready to transition away from it: use JumpCloud as a replacement for AD
The beauty of a modern directory solution like this is that it’s flexible and can be molded to fit into your environment however it makes sense to you.
With a cloud directory platform, IT organizations can use the cloud to push AD identities to non-domain bound resources like web applications or non-Windows systems (macOS, Linux), all while maintaining their existing on-prem infrastructure. This AD Integration capability keeps AD within the environment for those resources that rely on AD, while giving admins the flexibility to leverage non-Windows resources with one user identity.
With this approach, admins can either use AD as the source of truth for an identity or have JumpCloud be the source, yet still integrate tightly with AD. The result is that IT admins can still keep AD around for their on-prem Windows resources that need it, but extend one identity to everything else a user may need including modern resources such as web applications, cloud infrastructure, mobile devices, Mac/Linux systems, and more.
As a full reimagination of AD, a cloud directory platform fills the roles of AD and SSO in an organization. IT admins can use a cloud directory platform to manage users, systems (Mac, Windows, and Linux), cloud apps and infrastructure, file servers, and more, with none of the on-prem hardware or technical implementation/integration challenges. This comprehensive identity management approach can be leveraged remotely from a single cloud-based admin console.
Instead of operating with a layered approach to directory services, admins can leverage True Single Sign-On™, through the JumpCloud Console, for virtually every IT resource their users may need to be successful and productive.
With True SSO, IT admins can control user authorization and authentication through a single interface. For users, this means that they can truly instantiate one set of credentials for the entirety of their productivity needs. Additionally, admins are now able to extend credentials that would have been previously encapsulated entirely in AD to a host of solutions without having AD around. True SSO gives admins control over directory services and SSO, which allows them to grant users access to virtually anything, regardless of location, operating system, or software type.
Take the first step by testing out JumpCloud’s modern, simplified identity and access management solution. Create a JumpCloud Free account to access the entirety of the platform for free, up to 10 users and 10 devices. Along with that, enjoy 24×7 in-app support free for the first 10 days!