Safewhere*Identify and ADFS: a brief comparison

ADFS has long been a popular name in identity and access management and single sign-on. While offering a low initial cost, ADFS has many critical limitations in customization, standards support, user provisioning, and so forth. With the release of ADFS 3.0 in 2012, this is even more the case, since ADFS has effectively become a closed system, so tightly integrated with the operating system that it offers little to no customization.

Having said that, Safewhere*Identify and ADFS are not rivals. On the contrary, the two can cooperate effectively. When the Microsoft architecture is involved, ADFS normally functions as a bridge between Kerberos and Safewhere*Identify, despite the fact that Safewhere*Identify fully supports AD and Kerberos, just like ADFS. This setup arises because many companies have already installed ADFS, which comes at no cost under Microsoft CAL licenses. In this article, we briefly indicate a few advantages of Safewhere*Identify over ADFS in some key areas:

Users: While ADFS is only able to authenticate users stored in AD, Safewhere*Identify can work with any externally hosted user database; a user can be represented by multiple login accounts.

Adaptability and flexibility: Safewhere*Identify comes with a lot of options right out of the box, from different login pages per web browser, to device types, to the ability to customize and localize text fields and error pages.

Federation design: Unlike ADFS, which only supports one Identity Provider and one service provider per server, Safewhere*Identify makes it possible to implement multiple Identity Providers and service providers using separate instances whose services and user stores are independent from one another.

Redundancy: The number of servers for Safewhere*Identify will not grow rapidly when multiple Identity Providers and service providers are used.

Control console: Safewhere*Identify uses a full-fledged web-based UI that offers greater flexibility than the traditional MMC-based console of ADFS.

User provisioning: This area clearly shows why Safewhere*Identify is the needed enhancement to ADFS, which offers no support for user provisioning. Safewhere*Identify allows you to provision users and roles to any user database or directory service.

Extensive support for different login methods: Safewhere*Identify supports the following login methods:

  • Social login methods, such as Facebook, Google, Twitter, LiveID, OpenID, and LinkedIn.
  • Two-factor authentication using one-time passwords and device code authentication.
  • A Generic Provider feature that allows you to easily create your own authentication provider.
  • Federation protocols, including SAML 2.0, WS-Federation, OpenID Connect, and OAuth 2.0.

You can find a complete comparison of the two systems by clicking the following link

Last, but not least, running as a .NET web application in IIS, Safewhere*Identify allows you to apply your knowledge in this domain without any hassle, thus reducing the training costs of your company.