IT Infrastructure 003: ADFS, WID or SQL Server?

ADFS Configuration DB

ADFS requires a database to store its configuration data. If you are not maintaining many federation trusts, you do not need much storage. Of course, it is wise to size your system so it can accommodate new federated applications in the future.

WID or SQL Server?

Use WID for a small-scale deployment, as it is much more convenient and easier to maintain. However, if your deployment is large scale, then SQL Server is the way to go.

There are two SAML-related features of ADFS which you may find unfamiliar. These features are only available when the configuration database is hosted on Microsoft SQL Server, and in my opinion, would not be relevant to most use cases.

  1. SAML Artifact Resolution – With this feature, the SAML messages exchanged by your ADFS carry an artifact (you can think of it as a link, or a reference to the actual data) instead of including all the data within the messages. Is this essential? It depends on the arrangement you have made with your relying parties. If the applications they provide do not require such a feature, then it is not necessary. However, it is always good practice to plan for the future.
  2. SAML/WS-Federation token replay detection – This feature prevents anyone from using the “Back” or “Refresh” button in the web browser to resubmit the completed authentication page in order to log in to the application multiple times. Is this essential? To protect the privacy of your users, this is a good feature to have. However, I always believe it is more effective to educate the users not to use shared devices to log in to sensitive applications, to prevent others from trying out such hacks.
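To make the second feature concrete, here is an added example (not code from the original post or from Microsoft) that models what replay detection has to do: remember each assertion ID until the token expires and reject any second presentation of the same ID. The function names, the in-memory hashtable and the sample assertion ID are assumptions for illustration; a real ADFS farm keeps this state in the shared SQL configuration store so that every node in the farm sees the same list, which is exactly why WID, with its per-node copy, cannot offer it.

```powershell
# Added example, not from the original post: a minimal in-memory model of
# token replay detection. ADFS keeps the equivalent state in its SQL store;
# the hashtable here stands in for that shared store on a single node.
$script:SeenTokens = @{}

function Test-TokenAccepted {
    param(
        [Parameter(Mandatory)][string]$AssertionId,      # SAML Assertion ID
        [Parameter(Mandatory)][datetime]$NotOnOrAfter,   # token expiry (UTC)
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    # Purge expired entries: a token past NotOnOrAfter is rejected anyway,
    # so there is no need to keep its ID around.
    foreach ($k in @($script:SeenTokens.Keys)) {
        if ($script:SeenTokens[$k] -le $Now) { $script:SeenTokens.Remove($k) }
    }
    if ($NotOnOrAfter -le $Now) { return $false }                        # expired on arrival
    if ($script:SeenTokens.ContainsKey($AssertionId)) { return $false }  # replayed token
    $script:SeenTokens[$AssertionId] = $NotOnOrAfter                     # first use: remember it
    return $true
}

# Constructed sample: the first POST of the assertion is accepted; a browser
# "Refresh" that re-POSTs the same assertion 30 seconds later is rejected,
# even though the token itself has not yet expired.
$t0 = [datetime]::new(2024, 1, 1, 12, 0, 0, [DateTimeKind]::Utc)
$id = '_constructed-assertion-id-1'
Test-TokenAccepted -AssertionId $id -NotOnOrAfter $t0.AddMinutes(5) -Now $t0
Test-TokenAccepted -AssertionId $id -NotOnOrAfter $t0.AddMinutes(5) -Now $t0.AddSeconds(30)
```

The two calls at the end return True and then False. Note that the check is only as good as the store behind it: if each ADFS node kept its own list, a second POST landing on a different node of a load-balanced farm would be accepted, which is the reason the feature is tied to a shared SQL Server database.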

Of course, there are other differences. In general, SQL Server supports more trust relationships and provides high-availability clustering, at a level which WID cannot achieve.

However, SQL Server definitely costs more to implement, due to the additional servers required as well as SQL Server licensing. Setting up SQL Server clustering is also rather complicated. And if the SQL Server and ADFS servers are on separate machines, you must also ensure the availability of the network between these two components.
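Before deciding whether any of the above applies to an existing farm, it helps to confirm which backend it actually uses. The following is an added example (not from the original post or from Microsoft) that reads the configuration database connection string from the ADFS WMI class and the artifact store connection string from the farm properties, then classifies each as WID or SQL Server. It is meant to be run in an elevated PowerShell session on an ADFS server with the ADFS module available. The classification rule is an assumption: WID connection strings point at the named pipe `\\.\pipe\MICROSOFT##WID\tsql\query` on Windows Server 2012 and later (ADFS 2.0 on 2008 R2 used `MICROSOFT##SSEE`), and anything else is treated as a SQL Server data source.

```powershell
# Added example, not from the original post: report whether this ADFS farm's
# configuration database and artifact store live in WID or on SQL Server.

function Get-AdfsDbBackend {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Connection strings are "Key=Value;Key=Value"; collect the pairs.
    $pairs = @{}
    foreach ($part in ($ConnectionString -split ';')) {
        if ($part -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $pairs[$Matches[1]] = $Matches[2] }
    }
    $ds = $pairs['Data Source']
    if (-not $ds) { $ds = $pairs['Server'] }
    # Assumption: WID is recognised by its named-pipe instance name;
    # anything else is a SQL Server host (optionally with an instance name).
    $backend = if ($ds -match 'microsoft##(wid|ssee)') { 'WID' } else { 'SQL Server' }
    [pscustomobject]@{
        Backend    = $backend
        DataSource = $ds
        Database   = $pairs['Initial Catalog']
    }
}

# Configuration database: exposed through the ADFS WMI class.
$sts    = Get-WmiObject -Namespace root\ADFS -Class SecurityTokenService
$config = Get-AdfsDbBackend -ConnectionString $sts.ConfigurationDatabaseConnectionString

# Artifact store: part of the farm properties.
$props    = Get-AdfsProperties
$artifact = Get-AdfsDbBackend -ConnectionString $props.ArtifactDbConnection

[pscustomobject]@{ Role = 'Configuration'; Backend = $config.Backend;   DataSource = $config.DataSource;   Database = $config.Database }
[pscustomobject]@{ Role = 'Artifact store'; Backend = $artifact.Backend; DataSource = $artifact.DataSource; Database = $artifact.Database }

if ($config.Backend -eq 'WID') {
    Write-Host 'WID-backed farm: artifact resolution and token replay detection are not available.'
} else {
    Write-Host "SQL-backed farm: the availability of the path to $($config.DataSource) is now part of your ADFS availability."
}
```

On a WID farm both rows report a `microsoft##wid` data source; on a SQL farm the data source is the SQL Server host (or cluster listener), which is the dependency the last paragraph above warns about.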

More information below: