We regularly hear from customers who want to leave Microsoft Active Directory Federation Services (ADFS). This is understandable. It’s not like sysadmins have tons of free time after they’ve gone through the long process just to set up ADFS, then struggle with out-of-date ADFS documentation, or wade through long guides on how to troubleshoot ADFS.
It’s a huge pain. “Mind-numbingly painful”, as one admin put it to us recently.
These days, IT is increasingly expected to get the job done more quickly and with fewer resources. Identity is no different, and cloud services offer the best path forward.
Here’s what I learned after talking with four of our customers about their journey to migrate off ADFS and onto cloud identity and access management. These included a diverse set of organizations: a large construction materials firm, a global industrial manufacturer, a mobile enterprise SaaS company, and a university.
Concern with maintaining ADFS on-premise infrastructure
Mustafa Ebadi, Senior Vice President of Customer Experience & IT at mobile enterprise management company SOTI, described their on-premise challenge: “We’re a very forward-thinking company, and as part of our strategy we seek to leverage cloud as much as possible; ADFS would have required me to have a server in-house. ADFS needs consistent management, maintenance and support, and if there are issues or it goes down, we have to take care of it. Finding system admins to do all this isn’t easy, since they are in high demand.”
The system integrator at another company — a large construction materials firm — described their infrastructure situation this way: “A key attraction of OneLogin was that it was an alternative to expanding or scaling up our ADFS infrastructure. Bringing in OneLogin has been a big deal for systems integration. It’s saved us a tremendous amount of time.”
Not only did this reduce risk, it saved the firm time and money as well. “Putting the infrastructure of this function in the hands of people who do this for a living, that’s where the savings are.”
Application integration can be painful, slow and expensive
This same construction materials firm used an internal ADFS setup to connect four cloud-based apps. However, connecting each new app took several hours for SAML integration, and with the need to roll out more apps with multi-factor authentication (MFA), they required a more agile solution: OneLogin.
Even with Microsoft’s own cloud apps, ADFS can be a challenge to integrate. Matt Irvine, Director of Media Services at the University of Mary Hardin-Baylor, says, “With Office 365, trying to spin up ADFS and the directory sync tool… it’s just mind-numbingly painful. But with OneLogin’s one-click install, we were in and out, and done with the implementation in just a matter of minutes.”
Agility, Architecture and 24×7 Availability
On moving identity to the cloud, Ebadi notes, “With an IAM provider, they are taking care of responsibility for all the back end. If there are any issues or support needed, they take care of it. Compare that to the cost of resources, commitments and support hours [for ADFS]; and you have to do constant maintenance patching. There’s a day and night difference when you are actually doing it online versus traditional ADFS.”
Prior to OneLogin, SOTI employees didn’t know which applications they could use when working remotely, so they felt they couldn’t be as productive when traveling or working from home. “I had one user come in and say, ‘I can’t believe that I haven’t used VPN in such a long time, because I can do all my work by just using OneLogin.’ Now, I have all my applications on a single pane of glass. I can be sure that it’s secure, I can access it any time I want. As a user, that’s the beauty of it for me, and I absolutely love it,” says Ebadi.
At Chart Industries, a global manufacturer of industrial and liquefied natural gas systems, enterprise infrastructure manager Nate Hauenstein talks about their ability to rapidly bring on new apps to serve their users, and to keep global operations running with OneLogin cloud IAM.
“Being able to ramp up an application like Chrome River, it was invaluable to have the OneLogin Professional Services team on the call with the vendor; in less than one hour, we were up and running with over 500 employees using the app. And we moved on to our next project. That would’ve never happened using Microsoft ADFS or any of the other products out there,” observes Hauenstein.
“Recently we completely shut down our global data center, packed it up and shipped it four hours down the road, then brought it back online, with zero interruption to any of our cloud services. If we had chosen ADFS with on-prem hosting, even with hybrid connectivity, it would’ve been down, along with email and every other app that weekend. Email continued to flow, Skype, Salesforce, SuccessFactors, all services worked, because we were able to build out this high-availability SSO architected solution,” explains Hauenstein.