An alternative to ADFS
with UserLock SSO & MFA

SSO & MFA using On-Premise Microsoft AD Accounts

[Figure: SSO Cloud Applications UserLock]

UserLock’s value proposition is relatively straightforward: it helps secure on-premises Windows AD Server accounts while providing granular control over multi-factor authentication (MFA), single sign-on (SSO) and more.

Admins can enforce these policies across all connection types—even those leveraging SAML—meaning all users get secure and easy access to cloud applications with their existing Windows AD credentials.

UserLock SSO Key Advantages for IT Admins

Reduce Complexity
Continue to use Windows Server AD as the authoritative user directory.

  • No need to create a new directory for user IDs
  • Effortlessly scale SSO across all AD users
  • Easy access to all cloud resources for improved user productivity

Elevated Security
Stop password sprawl from several different cloud applications.

  • Easily combine with affordable multi-factor authentication
  • Leverage your existing investment in AD security
  • Authentication is still performed on-premises, even for remote user access

Why UserLock over ADFS?

Microsoft ADFS, while reasonably popular, depends on a number of components to work properly, and assembling those moving parts correctly can be challenging.

First, there’s the SSL/TLS certificate that serves HTTPS requests to the federation service. You also need a token-signing certificate, a token encrypting/decrypting certificate, ADFS domain controllers, a configuration database (Windows Internal Database or SQL Server), a DNS server, and a load balancer.

Furthermore, any interruptions to these services can cripple ADFS’ core functions.

For example, any application relying on ADFS needs that signing certificate and key in order to trust ADFS tokens. Microsoft actually warns that administrators who manage their own certificates must back them up and keep them independently available; otherwise, ADFS can become unstable. More generally, any client-server connection error can impact user access.

According to Microsoft, these are some key ADFS troubleshooting topics:

  • Event logging and auditing
  • Certificates
  • SQL connectivity
  • Integrated Windows authentication
  • Integration with Azure AD

Additionally, third-party services can experience issues with ADFS’ built-in single sign-on (SSO) functionality, which can be somewhat clunky. It’s also worth noting that ADFS is a non-essential supplement to Azure AD in many cases; Microsoft primarily introduced it to tackle newer authentication protocols.

That said, some have experienced latency issues with their proxy servers while leveraging ADFS with older authentication protocols. Those using legacy solutions might look elsewhere.

Lastly, ADFS’ communication with domain controllers does incur a notable resource cost. ADFS introduces added load within AD itself, which can prevent other requests from processing.

UserLock Does Authentication Better

It’s easier for UserLock to maintain rock-solid uptime.

UserLock does have its associated moving parts that handle connectivity to Active Directory. After all, AD isn’t a local-only utility. However, there are fewer components that can fail.

Additionally, UserLock offers expanded functionality beyond what ADFS offers.

UserLock was designed from the ground up to integrate with Active Directory, ensuring that features like multi-factor authentication (MFA), SSO, and contextual access management work seamlessly.

UserLock supports all TOTP authenticators (e.g. Google, Microsoft, LastPass), programmable hardware tokens such as YubiKey and Token2, and both time-based (TOTP) and HMAC-based (HOTP) one-time passwords.

Organizations can distribute their preferred array of access controls without sacrificing control or convenience.

With UserLock, admins get all relevant access controls within a user-friendly GUI.

This is inherently more approachable than PowerShell modules, requires less specialized knowledge, and is highly efficient. Drop-down menus, toggles, and fields make it easy to select from sets of default configurations—or add an additional level of granularity to your access-management process.

Multi-Factor Authentication

UserLock helps track users regardless of their device OS or access protocol. The list-style presentation is color coded, icon-rich, and easy to quickly scan.

For example, with SSO connections to the cloud:

[Figure: SSO for Windows Server Accounts]

UserLock’s MFA implementation is also unique, in that it’s functional while offline.

For on-premises users, no active internet connection is needed. Remote users, in turn, are served by a dedicated feature called UserLock Anywhere, which prompts their machine(s) for MFA without requiring them to be on the corporate network. UserLock also offers MFA for Microsoft 365 and Remote Desktop (RD) gateways.

A Closer Look at Access Management with UserLock

This is another area where UserLock’s flexibility shines over ADFS. By taking context into account, UserLock will intelligently authorize, deny, or limit user access following authentication. Admins can control access through a variety of mechanisms:

  • Based on machine and device – dictating how AD users log on according to IP address, location, department, or workstation OS
  • Based on hours – according to total session length, time quotas, and company hours of operation
  • Based on session type – including terminal sessions and those using RADIUS, RRAS, or IIS
  • Based on concurrent login caps and initial access points

This happens automatically without manual intervention, though UserLock allows admins to make granular changes as needed.

In addition to controlling all login attempts to your Windows AD domains, you can audit and report on this activity as needed.

Want to know who’s logged in across which services? The UserLock dashboard makes this easy by displaying all user sessions at a glance. However, there can come a time where user activity raises red flags. For situations like these, you can configure UserLock to alert key team members to suspicious behavior. It’s possible to quickly shut down access thereafter to prevent breaches.

Getting started is simple

UserLock installs on any Windows Server 2003 or later, physical or virtual. It is then deployed to selected machines via an agent. These configurations are available within the application, permitting easy click-and-activate functionality across devices on your network. A powerful console is available for in-network access control, and you can protect user, group, or organizational unit (OU) accounts as needed.

UserLock is a Complete Solution

UserLock offers protection against the most common security threats to both on-site and remote access. According to a 2020 study, over 40 million Microsoft users actively reused passwords, 50% of IT professionals reuse passwords across workplace accounts, and 49% share passwords with colleagues.

So if you’re looking to securely scale single sign-on and jumpstart productivity, UserLock is the logical choice. Forget creating new directories for user IDs. The combination of SSO and MFA offers unrivaled protection against unwanted access—minus the confusion.

As a fully featured platform for Windows AD access management, UserLock provides a host of features for power users and novices alike, without the complex technical hoops required to set up ADFS. UserLock is a formidable alternative that will reach more devices and satisfy more company IT requirements.
