LogMeIn support sites no longer support Microsoft's Internet Explorer (IE) browser. Please use a supported browser to ensure all features perform as they should (Chrome / FireFox / Edge).

The GoTo support site no longer supports Safari 15. Please upgrade your browser to Safari 16 (or newer) or switch to a supported browser such as Google Chrome, Mozilla Firefox, or Microsoft Edge.

Anchored by your desk phone? Access your calls, meetings, and messaging on any device. Switch to the GoTo app now.

We are currently experiencing an unplanned outage for this product. View Service Status
  • Support
  • Products

    Explore support by product

    GoTo Connect

    All-in-one phone, meeting and messaging software

    GoTo Meeting

    Video and audio meeting software

    GoTo Webinar

    All-in-one webinar and virtual events software

    GoTo Room

    Conference room hardware

    GoTo Training

    Online training software

    OpenVoice

    Audio conferencing software

    Grasshopper

    Lightweight virtual phone system

    join.me

    Video conferencing software

    LogMeIn Resolve

    IT management & support

    LogMeIn Resolve MDM

    Mobile device management

    LogMeIn Pro

    Remote device access

    LogMeIn Central

    Remote monitoring & management

    LogMeIn Rescue

    Remote IT support

    GoToMyPC

    Remote desktop access

    GoToAssist

    Remote support software

    Hamachi

    Hosted VPN service

    RemotelyAnywhere

    On-prem remote access solution
  • Community
  • Trainings
  • Service Status

  • SMS Registration

    United States carriers are now blocking all unregistered outbound SMS per industry regulations to combat spam. Registration is mandatory for all providers, not just GoTo Connect. Register now to restore or maintain SMS service. GoTo Connect cannot expedite carrier reviews.

    Try the improved My Cases portal

    Easily manage your ticket, track its status, contact us from an existing case, and more.

    Sign in to try
  • Language selector icon Language selector icon
    • English
    • français
    • italiano
    • Deutsch
    • español
    • português
    • Nederlands
  • Contact Support
  • Service Status
  • User Avatar User Avatar
    • Support
    • Contact Support
    • Browse Products
    • Service Status
    • Community
    • Trainings
    • Sign in
    • User Avatar
    • My Account
    • Personal Info
    • Sign In & Security
    • My Cases
    • Billing Center
    • https://link.goto.com/myaccount-billing
    • My GoTo Connect
    • My Meetings
    • My Webinars
    • My Trainings
    • My Conferences
    • My Resolutions
    • My Mobile Devices
    • My Sessions
    • My Sessions
    • My Incidents
    • Sign out
  • Phones and meetings
  • Account and Billing
  • SSO and user provisioning
  • IT Admin Management
  • Enterprise Sign-In
product logo
Back button image Back
Back button image
product logo

Set Up Enterprise Sign-In Using AD FS 2.0

Your organization can easily manage thousands of users and their product access while also delivering single sign-on (SSO). SSO ensures your users can access their GoTo products using the same identity provider as for their other enterprise applications and environments. These capabilities are called Enterprise Sign-In.

This document covers configuration of your Active Directory Federation Services (AD FS) to support single sign-on authentication to GoTo products.

AD FS 2.0 is a downloadable component for Windows Server 2008 and 2008 R2. It is simple to deploy, but there are several configuration steps that need specific strings, certificates, URLs, etc. AD FS 3.0 is also supported for Enterprise Sign-In. AD FS 3.0 has several improvements, the largest of which is that Microsoft's Internet Information Services (IIS) Server is included in the deployment rather than a separate install.

Note: You may skip to Step #5 (listed below) if you already have AD FS 2.0 deployed.

Step #1: Set Up an Organization for ADFS 2.0

Set up an “organization” by registering at least one valid email domain with GoTo to verify your ownership of that domain. Domains within your organization are wholly-owned email domains that your admins can verify either through your web service or DNS server.

Important: The user who completes domain verification will automatically become an organization admin, but this user is not required to have a GoTo product admin role.
The steps below are performed in the GoTo Organization Center.

    Set up an organization.

    1. Sign in to the GoTo Organization Center at https://organization.logmeininc.com.
    2. The first screen will ask that you verify that you own the domain for the account with which you are logged in currently. You are provided two methods for setting up domain validation, each of which uses a unique verification code to complete the verification. Copy the verification value to your clipboard.
      Note: The verification screen will display until the domain is verified. If it takes you longer than 10 days to verify the domain, the system will automatically generate new verification codes for your domain the next time you visit the Organization Center.
    3. Paste the verification code into the DNS record or a text file for upload to one of the locations, depending on which of the verification methods you choose: 

      • Method 1: Add a DNS record to your domain zone file. To use the DNS method, you place a DNS record at the level of the email domain within your DNS zone. Typically, users are verifying a “root” or “second level” domain such as “main.com”. In this case, the record would resemble:

        @ IN TXT “logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e”

        OR

        main.com. IN TXT “logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e”

        If you require a third-level domain (or subdomain) such as “mail.example.com” the record must be placed at that subdomain, such as:

        mail.main.com. IN TXT “logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e”

        For more detailed documentation, see Add a TXT DNS record.

      • Method 2: Upload a web server file to the specified website.Upload a plain-text file to your web server root containing a verification string. There should not be any whitespace or other characters in the text file besides those given.
        • Location: https://< yourdomain >/logmein-verification-code.txt
        • Contents: logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e
    4. Once you have added the DNS record or text file, return to the domain status screen and click Verify.

    5. Result: You have successfully verified your first domain, and thereby created an organization with your account as the organization admin. The verified domain will be listed the next time you sign in to the Organization Center.

      Organization Center - Email domains tab

    Disable Welcome emails for users (optional).

    1. Sign in to the GoTo Admin Center (classic) at https://admin.logmeininc.com.
    2. Select Admin Settings in the left navigation.
    3. Locate the Organization pane and select Edit.
      Disable Welcome emails in the Admin Center
    4. Select Disabled for User Sync > Save.

      Result: You have disabled Welcome emails for users, and will need to inform your users about changes to their account and/or products assigned going forward.

Results: You have successfully set up an organization and configured your desired settings for Welcome emails.

Step #2: Federation services certificate

Each AD FS deployment is identified by a DNS name (e.g., “adfs.mydomain.com). You will need a Certificate issued to this Subject Name before you begin. This identifier is an externally visible name, so make sure you pick something suitable to represent your company to partners. Also, don’t use this name as a server host name as well – it will cause trouble with Service Principal Names (SPN) registration if you do.

There are many methods to generate certificates. The easiest, if you have a Certificate Authority in your Domain, is to use the IIS 7 management console:
  1. Open Web Server (IIS) management snap-in.
  2. Select the server node in the navigation tree, then Server Certificates option.
  3. Select Create Domain Certificate.
  4. Enter your Federation Service Name in Common Name (e.g., adfs.mydomain.com ).
  5. Select your Active Directory Certificate Authority.
  6. Enter a “Friendly Name” for the Certificate (any identifier will do).
    Note: If you didn’t use the IIS console to generate the certificate, make sure the certificate is bound to the IIS service in the servers where you’ll be installing AD FS before proceeding.

Step #3: Create a domain user account

AD FS servers require that you create a domain user account to run its services (no specific groups are required).

Step #4: Install your first AD FS server

  1. Download AD FS 2.0 and run the installer. Make sure you run the installer as a Domain Admin – it will create SPNs and other containers in AD.
  2. In Server Role, select Federation Server.
  3. Check Start the AD FS 2.0 Management snap-in when this wizard closes at the end of the Setup Wizard.
  4. In AD FS Management snap-in, select Create new Federation Service.
  5. Select New Federation Server farm.
  6. Select the Certificate you’ve created in the previous step.
  7. Select the Domain user you’ve created in previous steps.

Step #5: Configure your relying party

In this step you will tell AD FS the kind of SAML tokens that the system accepts.

Set up the trust relationship, as follows:
  1. In AD FS 2.0 MMC, select Trust Relationships> Relying Party Trusts in the navigation tree.
  2. Select Add Relying Party Trust and select Start.
  3. Under Select Data Source, select Import data about the relying party published online or on a local area network.
  4. In the text box below the selected option, paste the metadata URL: https://identity.goto.com/saml/sp.
  5. Select OK to acknowledge that some metadata that AD FS 2.0 does not understand will be skipped.
  6. On the Specify Display Name page, type LogMeInTrust, and select Next.
  7. On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party (unless another option is desired).
  8. Proceed through the rest of the prompts to complete this side of the trust relationship.

Add 2 claim rules

  1. Select the new endpoint entry, and then select Edit Claim Rules in the navigation menu.
  2. Select the Issuance Transform Rules tab, then select Add Rule.
  3. Use the drop-down menu to select Send LDAP Attributes as Claims, then select Next.
  4. Use the following settings for the rule:
    • Claim rule name – AD Email
    • Attribute store – Active Directory
    • LDAP Attribute – E-mail-Addresses
    • Outgoing Claim Type – E-mail Address
  5. Select Finish.
  6. Select Add Rule again.
  7. Use the drop-down menu to select Transform an Incoming Claim, then select Next.
  8. Use the following settings for the rule:
    • Claim rule name – Name ID
    • Incoming claim type – E-Mail Address
    • Outgoing claim type – Name ID
    • Outgoing name ID Format – Email
  9. Select Pass through all claim values.
  10. Select Finish.

Complete the configuration

  • To prevent AD FS from sending encrypted assertions by default, open a Windows Power Shell command prompt and run the following command:
set-ADFSRelyingPartyTrust –TargetName"< relyingPartyTrustDisplayName >" –EncryptClaims $False

Step #6: Configure trust

The last configuration step is to accept the SAML tokens generated by your new AD FS service.

  • Use the “Identity Provider” section in the Organization Center to add the needed details.
  • For AD FS 2.0, select “Automatic” configuration and enter the following URL – replacing “server” with the externally accessible hostname of your AD FS server:  https://server/FederationMetadata/2007-06/FederationMetadata.xml

Step #7: Test single server configuration

At this point you should be able to test the configuration. You must create a DNS entry for the AD FS service identity, pointing to the AD FS server you’ve just configured, or a network load balancer if you’re using one.

  • To test Identity Provider-Initiated Sign-On, go to your custom IdP URL (example: https://adfs.< my domain.com >/adfs/ls/< IdP Initiated sign on > = https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx). You should see the relying party identifier in a combobox under “Sign in to one to the following sites”.
  • To test Relying Party-Initiated Sign-on, view instructions for How do I log in using single sign-on?
Related Articles:
  • Set Up Enterprise Sign-In (SSO)
  • Set Up a Custom Enterprise Sign-In Configuration
  • How do I sign in using single sign-on?
  • SAML Signing Certificate for Enterprise Sign-In
  • Set Up Enterprise Sign-In using AD FS 3.0
Article last updated: 17 January, 2024
You are viewing the latest version of this article.

Need help?

Contact icon Contact support
Manage Cases icon Manage cases
Community icon Ask the Community
Training icon Attend trainings
Video icon Watch videos
  • Language selector icon Language selector icon
    • English
    • français
    • italiano
    • Deutsch
    • español
    • português
    • Nederlands
  • About Us
  • Terms of Service
  • Privacy Policy
  • Trademark
  • Do Not Sell or Share My Personal Info
  • Browse Products
  • Copyright © 2025 GoTo Group, Inc. All rights reserved

Collaboration Products

GoTo Connect

GoTo Meeting

GoTo Webinar

GoTo Training

join.me

Grasshopper

OpenVoice

Remote Solutions Products

GoTo Resolve

Rescue

GoToAssist

Access Products

Pro

Central

GoToMyPC