IS Decisions Blog

Why on-premise Active Directory is the perfect foundation to implement SSO and MFA

Single sign-on (SSO) and multi-factor authentication (MFA) are keys to modern architecture. Together, they allow on-premise Active Directory environments to go hybrid without compromising security.

Published September 5, 2022
For a long time, single sign-on (SSO) and multi-factor authentication (MFA) were seen as nice-to-have technologies, adopted case by case to make network access more user-friendly or to add an extra security layer where needed.

But recently, as the risks and effects of cybercrime garner public attention, this rather laid-back view of SSO and MFA has started to change.

MFA and SSO: Keys to modern network architecture

MFA and SSO are now viewed as critical elements of modern network architecture. The two technologies have also grown closer to one another in the minds of network architects.

SSO is a usability and management tool that knits disparate network access together under one credential. The principle is simple: the user need only identify themselves once. This means:

  • Reduced password fatigue

  • Less scope for shadow IT

  • Fewer credentials to manage, which makes life easier for helpdesks

MFA, meanwhile, is a security layer that reduces the risk of relying on a single exposed credential. Arguably, MFA has become so fundamental to effective security that it is now the default for any type of secure network access, especially SSO or remote access through a VPN.

Which identity store?

Underlying SSO with MFA is the identity management system or directory service against which users are authenticated. Today, network planners have almost too many choices on this front, including using the many cloud identity providers that have appeared in the last decade. Whether an organization opts for this third-party route depends on several factors, including whether it is comfortable becoming too dependent on external providers to fulfill such a fundamental role.

But there’s a simpler option that almost every organization is already using and is familiar with: on-premise Windows Active Directory (AD). AD, of course, has been around since the 1990s, which might explain why a notion has taken hold that it is not up to the job of acting as an identity system for SSO. Deep in the era of cloud computing, some see AD and the concept of on-premise control as a relic of a bygone age. And yet nothing could be further from the truth.

Because it was designed around the idea of an on-premise domain controller, AD as an identity store dovetailed perfectly with the LAN era, in which almost all resources were internal. Nevertheless, AD also had limitations, such as limited support for non-Windows resources. Over time, users accumulated too many credentials beyond the confines of AD, which forced them to authenticate multiple times.

AD’s second life

Despite this, it’s possible to easily retain AD as the identity store for SSO using a third-party tool such as UserLock. With this pragmatic approach, the advantages of SSO with Active Directory are many, including:

  • You retain the on-premise AD directory you’re already using and are familiar with

  • You keep your authentication infrastructure on-site, which many organizations want for security reasons, if not to meet compliance requirements

  • You avoid the security and connectivity risks that come with using a cloud identity provider, which relies on an internet connection

  • You build on your existing investment in AD, which is already a proven tool for handling the job of user identity management

How about ADFS?

On paper, Microsoft’s AD Federation Services (ADFS) can do the heavy lifting, but it can be tricky to implement. First, it requires several types of complex infrastructure, such as DNS servers and load balancers, in addition to a SQL configuration database and digital certificates. Any disruption to the availability of those certificates can quickly cause problems. AD is supposed to be simple and cost-effective, but ADFS can end up being anything but.

Implement Active Directory SSO and MFA to secure cloud access

Many organizations today find themselves grappling with how best to use both Active Directory SSO and MFA. The sheer number of systems and credentials that users now rely on, combined with the modern infrastructure’s mix of on-premise and cloud applications, can create management and security headaches.

This is the challenge of the hybrid enterprise: to bridge the on-premise and cloud spheres without compromising either. It sounds like a complex demand, but by improving AD security with SSO and MFA, it becomes possible. For most organizations trying to accommodate legacy applications alongside an expanding cloud investment, this will be the simplest and most cost-effective way to enable SSO across their user base.
