Set Up Enterprise Sign-In Using AD FS 2.0
Your organization can easily manage thousands of users and their product access while also delivering single sign-on (SSO). SSO ensures your users can access their GoTo products using the same identity provider as for their other enterprise applications and environments. These capabilities are called Enterprise Sign-In.
This document covers configuration of your Active Directory Federation Services (AD FS) to support single sign-on authentication to GoTo products.
AD FS 2.0 is a downloadable component for Windows Server 2008 and 2008 R2. It is simple to deploy, but there are several configuration steps that need specific strings, certificates, URLs, etc. AD FS 3.0 is also supported for Enterprise Sign-In. AD FS 3.0 has several improvements, the largest of which is that Microsoft's Internet Information Services (IIS) Server is included in the deployment rather than a separate install.
Step #1: Set Up an Organization for AD FS 2.0
Set up an “organization” by registering at least one valid email domain with GoTo to verify your ownership of that domain. Domains within your organization are wholly-owned email domains that your admins can verify either through your web service or DNS server.
Set up an organization.
Disable Welcome emails for users (optional).
Results: You have successfully set up an organization and configured your desired settings for Welcome emails.
Step #2: Federation services certificate
Each AD FS deployment is identified by a DNS name (e.g., “adfs.mydomain.com”). You will need a certificate issued to this Subject Name before you begin. This identifier is an externally visible name, so make sure you pick something suitable to represent your company to partners. Also, don’t use this name as a server host name – it will cause trouble with Service Principal Name (SPN) registration if you do.
Step #3: Create a domain user account
AD FS servers require that you create a domain user account to run its services (no specific groups are required).
Step #4: Install your first AD FS server
- Download AD FS 2.0 and run the installer. Make sure you run the installer as a Domain Admin – it will create SPNs and other containers in AD.
- In Server Role, select Federation Server.
- Check Start the AD FS 2.0 Management snap-in when this wizard closes at the end of the Setup Wizard.
- In AD FS Management snap-in, select Create new Federation Service.
- Select New Federation Server farm.
- Select the Certificate you’ve created in the previous step.
- Select the Domain user you’ve created in previous steps.
Step #5: Configure your relying party
In this step you will tell AD FS the kind of SAML tokens that the system accepts.
- In AD FS 2.0 MMC, select Trust Relationships > Relying Party Trusts in the navigation tree.
- Select Add Relying Party Trust and select Start.
- Under Select Data Source, select Import data about the relying party published online or on a local area network.
- In the text box below the selected option, paste the metadata URL: http://identity.goto.com/saml/sp.
- Select OK to acknowledge that some metadata that AD FS 2.0 does not understand will be skipped.
- On the Specify Display Name page, type LogMeInTrust, and select Next.
- On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party (unless another option is desired).
- Proceed through the rest of the prompts to complete this side of the trust relationship.
Add 2 claim rules
- Select the new endpoint entry, and then select Edit Claim Rules in the navigation menu.
- Select the Issuance Transform Rules tab, then select Add Rule.
- Use the drop-down menu to select Send LDAP Attributes as Claims, then select Next.
- Use the following settings for the rule:
  - Claim rule name – AD Email
  - Attribute store – Active Directory
  - LDAP Attribute – E-mail-Addresses
  - Outgoing Claim Type – E-mail Address
- Select Finish.
- Select Add Rule again.
- Use the drop-down menu to select Transform an Incoming Claim, then select Next.
- Use the following settings for the rule:
  - Claim rule name – Name ID
  - Incoming claim type – E-Mail Address
  - Outgoing claim type – Name ID
  - Outgoing name ID Format – Email
- Select Pass through all claim values.
- Select Finish.
Complete the configuration
- To prevent AD FS from sending encrypted assertions by default, open a Windows PowerShell command prompt and run the following command:
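As an added example (not part of the GoTo article), the PowerShell below does from the command line what the claim-rule wizard and the step above do through the snap-in: it attaches the two issuance transform rules to the relying party trust named LogMeInTrust and turns off encryption of the SAML assertion for that trust. The cmdlets (Set-ADFSRelyingPartyTrust, Get-ADFSRelyingPartyTrust) and the claim rule language are AD FS's own; the trust name is the display name chosen in Step #5 and is the only value you may need to change.

```powershell
# Added example, not the article's own command: scripted equivalent of the
# "AD Email" and "Name ID" claim rules plus the no-encrypted-assertions setting.
# Assumes it runs as an AD FS administrator on the AD FS server.

# AD FS 2.0 ships its cmdlets as a PowerShell snap-in; AD FS 3.0 loads the
# ADFS module automatically, so this line is harmless there.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = "LogMeInTrust"   # display name given to the relying party trust

# Rule 1 ("AD Email"): Send LDAP Attributes as Claims, reading the
# E-mail-Addresses attribute (LDAP name: mail) and issuing it as E-mail Address.
# Rule 2 ("Name ID"): Transform an Incoming Claim, E-mail Address -> Name ID,
# Name ID format = Email, all claim values passed through unchanged.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Apply both rules and stop AD FS from encrypting the assertion for this
# relying party (the setting the "Complete the configuration" step refers to).
Set-ADFSRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $rules `
    -EncryptClaims $false

# Check the result: EncryptClaims should read False and both rule names
# should appear in the issuance transform rule set.
$rp = Get-ADFSRelyingPartyTrust -Name $trustName
$rp | Select-Object Name, Enabled, EncryptClaims
$rp.IssuanceTransformRules
```

If you created the rules in the snap-in already, the -IssuanceTransformRules string replaces the whole rule set for the trust, so run only the -EncryptClaims part (or re-read the current rules with Get-ADFSRelyingPartyTrust first) rather than overwriting rules you added by hand.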
Step #6: Configure trust
The last configuration step is to accept the SAML tokens generated by your new AD FS service.
- Use the “Identity Provider” section in the Organization Center to add the needed details.
- For AD FS 2.0, select “Automatic” configuration and enter the following URL – replacing “server” with the externally accessible hostname of your AD FS server: https://server/FederationMetadata/2007-06/FederationMetadata.xml
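Before handing that URL to the Organization Center, it is worth confirming that the metadata is reachable from outside and says what you expect. The script below is an added check, not part of the GoTo article; the hostname is a placeholder you replace with your own, and the XML element names (EntityDescriptor, IDPSSODescriptor, KeyDescriptor, SingleSignOnService) are the standard SAML metadata elements that AD FS publishes at that path.

```powershell
# Added example, not from the article: fetch the AD FS federation metadata and
# print the facts the "Automatic" configuration will consume.
$adfsHost = "adfs.mydomain.com"   # placeholder: your externally reachable AD FS name
$url = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# System.Net.WebClient is available on the PowerShell 2.0 that ships with
# Windows Server 2008 R2, so no newer cmdlets are needed here.
$xml = [xml](New-Object System.Net.WebClient).DownloadString($url)

# PowerShell's XML adapter resolves elements by local name, so namespace
# prefixes in the metadata do not matter for the property access below.
$md  = $xml.EntityDescriptor
$idp = $md.IDPSSODescriptor

# The entityID is the Federation Service identifier the relying party will trust.
"entityID     : " + $md.entityID

# At least one signing certificate must be present, and it must not be expired,
# or the relying party cannot validate the SAML tokens you issue.
$idp.KeyDescriptor | Where-Object { $_.use -eq "signing" } | ForEach-Object {
    $raw  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    "signing cert : " + $cert.Subject + "  (valid until " + $cert.NotAfter + ")"
}

# The sign-on endpoints and their bindings that the relying party will use.
$idp.SingleSignOnService | ForEach-Object {
    "SSO endpoint : " + $_.Binding + " -> " + $_.Location
}
```

Run it from a machine outside your network if you can; a metadata URL that only resolves internally is the most common reason the automatic configuration fails.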
Step #7: Test single server configuration
At this point you should be able to test the configuration. You must create a DNS entry for the AD FS service identity, pointing to the AD FS server you’ve just configured, or a network load balancer if you’re using one.
- To test Identity Provider-Initiated Sign-On, go to your custom IdP URL, which has the form https://adfs.<mydomain.com>/adfs/ls/IdpInitiatedSignOn.aspx (for example, https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx). You should see the relying party identifier in a combo box under “Sign in to one of the following sites”.
- To test Relying Party-Initiated Sign-On, see the instructions in How do I log in using single sign-on?