(Cloud) Tip of the Day: Same sign-on vs. Single sign-on

Today’s (Cloud) Tip… Same sign-on vs. Single sign-on

Customers can leverage Directory Synchronization (DirSync) to keep their local Active Directory and Windows Azure Active Directory in sync. The DirSync application runs on a regular basis and copies on-premises attributes to Windows Azure Active Directory. Applications like ACS and Office 365 then use Azure Active Directory to validate users’ identity and attributes.

Historically, DirSync didn’t synchronize the user’s password. Instead, it leveraged the concept of managed or federated users to decide whether to use a local password or talk to a federation server. A recent update to DirSync added a new option – Password Synchronization (Password Sync). Password Sync allows DirSync to send up a hash of the user’s password hash (yes, it is a hash of a hash), so the on-premises hash itself never leaves the domain. This allows Azure Active Directory to authenticate users without having to talk to a federation server.

Talking to a federation server to validate credentials is called “single sign-on”, since in theory users don’t have to re-enter their credentials if they are already logged in. “Same sign-on” means that users will have to re-enter their credentials, but they can use the exact same credentials they use to sign on locally.

Same sign-on is a compromise. It is much easier to implement than federation and single sign-on, but it is not quite as seamless as single sign-on. In essence, it provides the simplicity of managed users while adding the convenience of end users not having to remember yet another set of credentials.