Single sign-on requires multiple servers to get right.
One of the key benefits of Office 365 over its competition is the ability to offer “single sign-on”. In a nutshell this means that users authenticate once, against their own network, and are not asked to authenticate against Office 365 as well. Without single sign-on, users sign in to Office 365 separately with a cloud password, and for rich clients such as Outlook they generally need the Office 365 Sign-In Assistant installed on their computers to handle that sign-in (not every client requires it).
How it works
Single sign-on works by creating a trust between Office 365 and the customer’s internal network. This is known as “federation” (the same term is used, with a related meaning, for the organisation-to-organisation trusts in the Exchange Server/Online and Lync Server/Online products).
This federation relationship relies on certificates. ADFS signs the authentication tokens it issues with a token-signing certificate, and Office 365 is given that certificate’s public half when the trust is created; from then on Office 365 accepts a user because the token’s signature checks out, not because it verified a password. The endpoints themselves are published over HTTPS, so the exchange between customer servers and Office 365 is both encrypted and authenticated. The caveat is that this is only as secure as the certificate: it has to be protected on the federation servers, and if it is rolled over without Office 365 being told about the new one, every federated sign-in fails.
At the ground level a continual one-way copy of the customer’s Active Directory user accounts and groups is made into their Office 365 tenant, so the identities exist in the cloud. At the higher level the federation system, Active Directory Federation Services (ADFS), performs the actual authentication and access control for Office 365 based on what is in your Active Directory.
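The trust described above is created and checked from the federation server with the MSOnline (Azure AD v1) cmdlets. The script below is an added example, not code from the original post or from Microsoft’s documentation; it assumes the domain contoso.com (already verified in Office 365 and still cloud-authenticated), a federation server named adfs01.corp.contoso.com, and the ADFS module that ships with Windows Server 2012 R2 and later (ADFS 2.0 used a PowerShell snap-in instead). Its last step is the check a practitioner actually wants: that the token-signing certificate Office 365 trusts is the one ADFS is currently signing with.

```powershell
# Added example (not from the original post): federate one domain with
# Office 365 and verify that the certificate Office 365 trusts matches the
# token-signing certificate ADFS actually uses.
# Assumed names: contoso.com and adfs01.corp.contoso.com.
Import-Module MSOnline
Import-Module ADFS   # Windows Server 2012 R2+; ADFS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell

$domain = 'contoso.com'
Connect-MsolService                                   # prompts for an Office 365 global admin
Set-MsolADFSContext -Computer 'adfs01.corp.contoso.com'

# Convert only if the domain is still Managed (cloud passwords). Converting
# is disruptive: from this point every sign-in for the domain goes to ADFS.
if ((Get-MsolDomain -DomainName $domain).Authentication -eq 'Managed') {
    Convert-MsolDomainToFederated -DomainName $domain
}

# What Office 365 now holds for the domain: issuer URI, sign-in endpoints
# and the base64 token-signing certificate it will accept signatures from.
$fed = Get-MsolDomainFederationSettings -DomainName $domain
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($fed.SigningCertificate))

# The primary token-signing certificate ADFS is really using right now.
$adfsCert = (Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }).Certificate

if ($cloudCert.Thumbprint -ne $adfsCert.Thumbprint) {
    # Typical after a certificate rollover on ADFS: users fail to sign in
    # until Office 365 is given the new certificate.
    Write-Warning ("Office 365 trusts {0} but ADFS signs with {1}; run " +
        "Update-MsolFederatedDomain -DomainName {2}") -f $cloudCert.Thumbprint, $adfsCert.Thumbprint, $domain
} else {
    "Federation OK: issuer {0}, passive endpoint {1}, signing cert expires {2:yyyy-MM-dd}" -f `
        $fed.IssuerUri, $fed.PassiveLogOnUri, $adfsCert.NotAfter
}
```

Run the mismatch check on a schedule, not just at deployment: ADFS rotates its token-signing certificate automatically by default, and the expiry date it prints is the deadline by which Office 365 must have the replacement.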
Behind the scenes
As mentioned above, the ground level is a synchronisation of Active Directory to Office 365. The tool Microsoft provides for this, DirSync, cannot run on a domain controller; it must run on a member server. If you are running Small Business Server 2003/2008, or have a single Windows Server in your network, that server is your domain controller, which means you can’t install DirSync on it.
So any organisation looking at implementing DirSync already needs a second server (not necessarily dedicated) to install DirSync on.
ADFS requires at least two more servers to communicate with Office 365. One plays the “server” role (the federation server, inside the network, joined to the domain) while the other acts as the “proxy” (the federation server proxy, in the perimeter network), so that Office 365 and external users only ever reach the proxy and never your Active Directory directly.
Best practice dictates that ADFS is set up in high availability mode, which requires another two servers: a second federation server and a second proxy, each pair behind a load balancer. The reason is that once a domain is federated, every sign-in for that domain is redirected to ADFS and there is no cloud password to fall back on. If ADFS can’t be reached, whether by the user’s browser or by Office 365 itself when Outlook or Lync authenticate on the user’s behalf, users can’t get into their mailboxes or the intranet, regardless of whether they are inside or outside the network. Hence high availability is strongly recommended.
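The two checks that follow from the server layout above are: is the box you intend for DirSync actually a member server, and does federation answer on every path a sign-in can take (the internal farm for browsers on the LAN, the proxy for everyone else including Office 365 itself). The script below is an added example, not from the original post; it assumes PowerShell 3.0 or later, a planned DirSync host named dirsync01, an internal farm name sts.corp.contoso.com and a public proxy name sts.contoso.com. It probes the ADFS federation metadata document, which is published without authentication on both the federation server and the proxy, so it is safe to use from a monitoring system.

```powershell
# Added example (not from the original post): pre-flight and availability
# checks for a DirSync + ADFS deployment. Assumed names: dirsync01,
# sts.corp.contoso.com (internal farm), sts.contoso.com (proxy).

# 1. DirSync refuses to install on a domain controller. Win32_ComputerSystem
#    DomainRole 4 (backup DC) or 5 (primary DC) means this server is a DC;
#    0-3 are standalone or member machines.
function Test-DirSyncHost {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $role = (Get-WmiObject Win32_ComputerSystem -ComputerName $ComputerName).DomainRole
    if ($role -ge 4) {
        Write-Warning "$ComputerName is a domain controller (DomainRole $role); DirSync needs a member server"
        return $false
    }
    return $true
}

# 2. Fetch the federation metadata through a given name. If the internal
#    name fails, LAN browsers cannot sign in; if the proxy name fails,
#    external users and Office 365's own calls for Outlook/Lync cannot.
function Test-AdfsEndpoint {
    param([string]$Fqdn)
    $url = "https://$Fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        $meta = [xml]$resp.Content
        [pscustomobject]@{
            Endpoint = $Fqdn
            Up       = $true
            Issuer   = $meta.EntityDescriptor.entityID   # must equal the IssuerUri Office 365 holds
        }
    } catch {
        [pscustomobject]@{ Endpoint = $Fqdn; Up = $false; Issuer = $_.Exception.Message }
    }
}

Test-DirSyncHost -ComputerName 'dirsync01'
'sts.corp.contoso.com', 'sts.contoso.com' | ForEach-Object { Test-AdfsEndpoint -Fqdn $_ }
```

Run the endpoint probe from a machine on the LAN and from one outside it, because the two names resolve to different servers (split-brain DNS is the normal arrangement) and a load balancer that hides a dead farm member from one side can still be down on the other.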
Why it’s not for SMBs
One of the prime attractions for organisations moving to Office 365 is to minimise their server count, in some cases down to none.
In my day-to-day job at Paradyne we work with many businesses ranging from single through to thousands of users. As our focus is around SMBs we come across a lot of organisations that will still retain their Active Directory but want to take advantage of Office 365. We have several customers with over 100 staff that don’t use ADFS but do at least use DirSync.
Because implementing and supporting ADFS depends on the organisation’s IT maturity and capabilities, there is no hard and fast rule about when it should or shouldn’t be used.
Single sign-on sounds good, but in reality for SMBs it might be more trouble than it’s worth.
Loryan Strant is a Microsoft Office 365 MVP (Most Valuable Professional). Follow him on Twitter @TheCloudMouth.