An alternative to ADFS with UserLock SSO & MFA

UserLock’s value proposition is straightforward: it helps secure on-premises Windows AD Server accounts while providing granular control over multi-factor authentication (MFA), single sign-on (SSO) and more.

SSO & MFA using on-premise Microsoft AD accounts

With UserLock, admins can enforce these policies across all connection types, even those leveraging SAML. This means all users get secure and easy access to cloud applications with existing Windows AD credentials.

Why UserLock over ADFS?

Microsoft ADFS, while reasonably popular, has a number of dependencies that help it work properly. Properly assembling those moving parts together can be somewhat challenging.

First, there’s the SSL certificate—which helps service HTTPS requests to the federation service. You also need a token signing certificate, an encrypting/decrypting certificate, ADFS domain controllers, a configuration database (Windows Internal Database or SQL Server), a DNS server, and a load balancer.

Furthermore, any interruptions to these services can cripple ADFS’ core functions.

For example, any applications tapping into ADFS need that signing certificate and key for ADFS to trust them. Microsoft actually warns that users who self-manage their certificates must back them up and make them independently available. Otherwise, ADFS can become unstable. In a general sense, any client-server connection errors can impact user access.

According to Microsoft, these are some key ADFS troubleshooting topics:

• Event logging and auditing

• Certificates

• SQL connectivity

• Integrated Windows authentication

• Integration with Azure AD (now Microsoft Entra ID)

Additionally, third-party services can experience issues with ADFS’ built-in single sign-on (SSO) functionality—which can get a little clunky. It’s also worth noting that ADFS is a non-essential supplement to Azure AD in many cases. Microsoft primarily introduced it to tackle newer authentication protocols.

That said, some have experienced latency issues with their proxy servers while leveraging ADFS with older authentication protocols. Those using legacy solutions might look elsewhere.

Lastly, ADFS’ communication with domain controllers does incur a notable resource cost. ADFS introduces added load within AD itself, which can prevent other requests from processing.

UserLock does authentication better

It’s easier for UserLock to maintain rock-solid uptime.

UserLock does have its associated moving parts that handle connectivity to Active Directory. After all, AD isn’t a local-only utility. However, there are fewer components that can fail.

Additionally, UserLock offers expanded functionality beyond what ADFS offers.

UserLock was designed from the ground up to integrate with Active Directory, ensuring that features like multi-factor authentication (MFA), SSO, and contextual access management work seamlessly.

UserLock supports all TOTP authenticators (E.g. Google, Microsoft, LastPass etc…), programmable hardware tokens, like YubiKey and Token2 and both time-based and HMAC-based one-time passwords.

Organizations can distribute their preferred array of access controls without sacrificing control or convenience.

With UserLock, admins get all relevant access controls within a use-friendly GUI.

This is inherently more approachable than PowerShell modules, requires less specialized knowledge, and is highly efficient. Drop-down menus, toggles, and fields make it easy to select from sets of default configurations—or add an additional level of granularity to your access-management process.

UserLock helps track users regardless of their device OS or access protocol. The list-style presentation is color coded, icon-rich, and easy to quickly scan.

For example with SSO connections to the cloud:

UserLock MFA also works on off-domain connections and even without internet.

To secure remote access, UserLock MFA offers two separate capabilities.

First, UserLock works even without an internet connection. For obvious reasons, this is key to securing remote user access.

Second, UserLock also allows admins to apply MFA on off-network, off-domain connections. Thanks to a web app called UserLock Anywhere, UserLock prompts the user's machine(s) for MFA even if the user doesn't connect to the corporate network.

To further secure remote user access, UserLock also offers MFA for Microsoft 365 and RD(P) Gateways, along with other common MFA for remote work use cases.

A closer look at access management with UserLock

This is another area where UserLock’s flexibility shines over ADFS. Admins can control access through a variety of mechanisms:

By taking context into account, UserLock will intelligently authorize, deny, or limit user access following authentication.

• Based on machine and device: dictating how AD users log on according to IP address, location, department, or workstation OS

• Based on hours: according to total session length, time quotas, and company hours of operation

• Based on session type: including terminal sessions, those using RADIUS or RRAS, or IIS

• Based on concurrent login caps and initial access points

This happens automatically without manual intervention, though UserLock allows admins to make granular changes as needed.

In addition to controlling all login attempts to your Windows AD domains, you can even audit or report on this activity.

Want to know who’s logged in across which services? The UserLock dashboard makes this easy by displaying all user sessions at a glance. However, there can come a time where user activity raises red flags. For situations like these, you can configure UserLock to alert key team members to suspicious behavior. It’s possible to quickly shut down access thereafter to prevent breaches.

Getting started is simple

Installing UserLock is possible on any Windows Server 2003+, either physical or virtual. It’s then easy to deploy on selected machines via user agent. These configurations are available with the application, permitting easy click-and-activate functionality across devices on your network. A powerful console is available for in-network access control. You can even protect user, group, or organization unit accounts as needed.