The genesis of this post was this image:
(This one was about how functionality is moving to Azure AD e.g. Windows 10 Join or Hello).
Or this presentation:
“Goodbye ADFS, Hello Modern Authentication!”
(Which is somewhat confusing because “modern authentication” is all about OpenID Connect and ADFS on Server 2016 does support this. Just for the record, the original article is in Dutch but it references “the various (new) authentication options that Microsoft offers. ADFS, Password Sync, Pass-through Authentication”).
Or this article from Okta:
“Avoid the Hidden Costs of AD FS with Okta”.
As per the article, to have a HA system, you need two instances of ADFS WAP and two instances of ADFS.
This is not a trivial investment.
Okta’s take on this is that you can avoid all this infrastructure by moving to the cloud. That’s true but this applies to any IDaaS product e.g. OptimalIDM, Ping, Azure AD, Auth0 etc.
However, the main reason for a number of posts arguing that ADFS is dead is Azure AD’s pass-through authentication feature.
Essentially, you install an agent on-premises and that allows Azure AD to authenticate directly with AD.
This can be combined with seamless SSO
This automatically signs users in when they are on their corporate devices connected to your corporate network.
And there’s also password hash synchronization.
This is a feature used to synchronize user passwords from an on-premises Active Directory instance to a cloud-based Azure AD instance. You can sign in to the service by using the same password you use to sign in to your on-premises Active Directory instance.
And of course, there is also federation.
To help you pick the correct solution, refer to this.
Federation = ADFS.
The article also calls out areas not covered by the above where you do need ADFS.
- Sign-on using smartcards or certificates
- Sign-on using on-premises MFA server
- Sign-on using third-party authentication server
- Multi-site on-premises authentication solution
The latter IMHO is the reason most companies need to keep ADFS. Some of these integrations could be done via Azure AD via adding external applications to Azure AD. If the application is not in the list and you want to add it and you have Azure AD Premium, you can add it via SAML as a custom application.
(I wrote up an example here).
However, some custom applications have claims and requirements that can’t be met by Azure AD. Also, it has to be manually configured. There is no option to import metadata. ADFS has an advantage here in that it supports claims rules, a rich set of scripts to dynamically add / update specific attributes. Azure AD does not have this.
Also, some companies either cannot or will not move to the cloud.
As per this, other reasons are:
- Advanced claim transformations such as transformation of attributes, regular expressions, or claim extractions from LDAP, SQL Server, or custom attribute stores
- Token customisations such as SHA256 signatures, specific NameID policies, etc.
- Support for SAML 1.1 tokens for WS-Federation applications.
- Custom triggering of multi-factor authentication rules that are not supported by conditional access.
- Custom authorization logic that can’t be modeled as a security group or conditional access policies.
- Support for authentication methods other than username/password e.g. IWA / smartcards.
- Use of 3rd Party MFA providers such as RSA SecurID, Vasco, YubiKey, etc.
- Support for auto-registration of Windows 7 and 8.1 domain joined devices for device-based conditional access.
And from this article:
- If you want the authentication to take place on-premises.
- If you want to create a trust between SharePoint on-premises and Azure AD and you don’t have Azure AD Premium.
In a nutshell, if you have on-premises AD and you have “simple” cloud requirements e.g. Office 365 only, then, yes, pass-through authentication makes perfect sense and you don’t need ADFS. That doesn’t hold true for some of the more “complex” scenarios.
ADFS being server based doesn’t get the update cadence that you can deliver via the cloud. This probably contributes to the impression that it is “dying”. Offhand, these changes are the only ones I can think off recently.
As Mark Twain said when he heard rumours that he had died:
“The reports of my death have been greatly exaggerated.”
The same is true of ADFS.