Budgeting for Active Directory®: Identity Federation
When looking to acquire Microsoft’s® Active Directory® product, most IT administrators will initially smile. The cost: “free”. Active Directory and domain control services at large are features that may be enabled on any Windows Server. But as most seasoned Windows admins know, that ‘free’ price is far from the true cost of ownership to run a directory within their organization. The full extent of the hidden costs is often underestimated. When it comes to complex IT infrastructure such as directory services, it’s easy to predict one number for the total cost, only to start implementing the software and realize that the projections do not cover the full cost. This is only exacerbated when limitations within the solution require you to purchase additional solutions to supplement missing functionality. In our previous blog post on how to budget for Active Directory, we gave an overview of the underlying costs briefly. In this blog post, we will more closely inspect the cost of identity federation with Active Directory.
Identity Federation has been a feature of Active Directory since the early 2000’s, launching with Windows Server 2003. Called Active Directory Federation Services (ADFS), it “uses a claim-based access-control authorization model to maintain application security and to implement federated identity” (Wikipedia). Essentially, what ADFS can do for a group of organizations is allow them to share access to resources like applications across their respective networks, all through the establishment of a ‘trusted’ identity relationship.
Active Directory’s role in this is to act as the identity provider – an extremely functional tool, but a tool that comes at a high price.
Active Directory Identity Federation Requirements
There are a lot of ways to describe federation. The initial form of AD federation pre-dated SAML, and it functioned through the replication of identities in a domain controller across organizations and their disparate domain controllers. The current form of AD federation is, in effect, SAML-based identity assertions to various service providers, most commonly web-based applications. Not unlike Mac or Linux binding providers, there’s a whole world of SAML-based SSO providers that will gladly glue themselves onto your Active Directory Domain Controllers. There are enterprise players that are capable of providing this, but it’s important to remember that it comes at an additional cost.
To determine this additional expense, there are a few factors you need to take into account. The first factor to consider is the cost of federating AD credentials out through a third party service. AD doesn’t usually connect well to web-based applications on it’s own, so a third party SSO vendor is required to connect user identities with their cloud apps. This is an added cost that needs to be considered
The next factor to look at is ADFS. If you choose to go the heterogeneous ADFS route, there are a lot of other costs that you need consider. You need multiple ADFS servers, and various web proxies to talk between them. Additionally, if you want to ensure that there is no downtime, you will need to factor in the extra servers for redundancy, monitoring tools, and security. These are all variables that can lead to some quite pricey additions to the budget.
The other variable here is DirSync (now called Azure AD Connect), which is Microsoft’s utility that will synchronize your on-premise Active Directory with their cloud based Azure AD accounts. This is yet another variable that will run you additional costs, requiring you to factor this feature into your budgeting. The server requirements for Azure AD Connect are fairly comprehensive and need close evaluation for budgeting. Don’t forget about redundancy requirements either. On top of that, if we assume that you’re keeping completely tied to the Microsoft stack, then you will also need to factor in the time and cost of having all of these integrations between your AD service and your external services like ADFS plus Azure AD. Microsoft’s integrations are all very tight, which adds convenience in some areas, but they are still aspects that will create additional cost.
Active Directory Costs: More Hidden Than Shown?
If you would like to learn more about budgeting for the Identity Federation services of Active Directory, give us a shout. Our team can discuss these aspects in more detail with you. In addition, they can also provide our AD TCO cost calculator. This enables you to discover what your true costs would be. Lastly, check out the rest of our blog series on the total cost of AD. Identity Federation is just one of the many areas that will create additional expenses that you may not have planned for.
This is a Security Bloggers Network syndicated blog post authored by Jon Griffin. Read the original post at: Blog – JumpCloud