Set Up Enterprise Sign-In using AD FS 3.0
Your organization can easily manage thousands of users and their product access while also delivering single sign-on (SSO). SSO ensures your users can access their GoTo products using the same identity provider as for their other enterprise applications and environments. These capabilities are called Enterprise Sign-In.
You can configure your Active Directory Federation Services (AD FS) to support single sign-on authentication to GoTo products.
About AD FS 3.0
AD FS 3.0 is an enhanced version of AD FS 2.0. It is a downloadable component for Windows Server 2012 R2. One large advantage of 3.0 is that Microsoft's Internet Information Services (IIS) Server is included in the deployment rather than a separate install. The enhancements vary the installation and configuration somewhat compared to its predecessor.
This article covers how to install and configure AD FS, and to set AD FS up in a SAML trust relationship with Enterprise Sign-In. In this trust relationship, AD FS is the Identity Provider and GoTo is the Service Provider. On completion, GoTo will be able to use AD FS to authenticate users into products like GoTo Training using the SAML assertions served by AD FS. Users will be able to initiate authentications from the Service Provider side or the Identity Provider side.
Among the prerequisites for AD FS 3.0 are:
- A publicly trusted certificate to authenticate AD FS to its clients. The AD FS service name will be assumed from the subject name of the certificate so it's important that the subject name of the certificate be assigned accordingly.
- AD FS server will need to be a member of an Active Directory domain and a domain administrator account will be needed for the AD FS configuration.
- A DNS entry will be needed to resolve the AD FS hostname by its client
A complete and detailed list of the requirements can be reviewed in the Microsoft AD FS 3.0 overview.
- Start the installation of AD FS 3.0 by going to Administrative Tools > Server Manager > Add roles and features.
- Under the Select installation type page, select Role-based or feature-based installation, then click Next.
- On the Select destination server page, select the server on which to install the ADFS service, then click Next.
- On the Select server roles page, select Active Directory Federation Services, then click Next.
- On Select features, unless there are some additional features that you want to install, leave the defaults and click Next.
- Review the information on the Active Directory Domain Services page, then click Next.
- Initiate the installation on the Confirm installation selections page.
- In your Notifications, you will have a notification alerting you that you have a Post-deployment Configuration… task remaining. Open it and click on the link to initiate the Setup Wizard.
- In the Welcome page, select Create the first federation server in a new federation server farm (unless there is an existing farm that you are adding this AD FS server too).
- On the Connect to AD FS page, select the domain admin account to perform this configuration.
- In Specify Service Properties, specify the SSL Certificate created from the prerequisites. Set the Federation Service Name and Federation Service Display Name.
- In Specify Service Account, select the account that AD FS will use.
- In the Specify Configuration Database select the database to use.
- Review the information in Pre-requisite Checks and click Configure.
Establish Trust Relationship
Each party (AD FS and GoTo) will need to be configured to trust the other party. Therefore, the trust relationship configuration is a two step process.
Step #1: Configure AD FS to trust GoTo Training SAML
- Go to Administrative Tools > AD FS Management.
- In AD FS Management, use the Action drop-down menu and select Add Relying Party Trust. This will initiate the Add Relying Party Trust Wizard.
- On the Select Data Source page of the wizard, select Import data about the relying party published online or on a local area network.
- In the text box below the selected option, paste the metadata URL: https://authentication.logmeininc.com/saml/sp.
- Click Next.
- Skip the Configure Multi-factor Authentication Now? page.
- On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party (unless another option is desired).
- Proceed through the rest of the prompts to complete this side of the trust relationship.
Add 2 claim rules
- Click on the new endpoint entry, and click Edit Claim Rules in the right navigation.
- Select the Issuance Transform Rules tab, then click Add Rule.
- Use the drop-down menu and select Send LDAP Attributes as Claims, then click Next.
- Use the following settings for the rule:
- Claim rule name – AD Email
- Attribute store – Active Directory
- LDAP Attribute – E-mail-Addresses
- Outgoing Claim Type – E-mail Address
- Click Finish.
- Click Add Rule again.
- Use the drop-down menu and select Transform an Incoming Claim menu, then click Next.
- Use the following settings:
- Claim rule name – Name ID
- Incoming claim type – E-Mail Address
- Outgoing claim type – Name ID
- Outgoing name ID Format – Email
- Select Pass through all claim values.
- Click Finish.
- Right click on the new relying party trust in the Relying Party Trusts folder and select Properties.
- Under Advanced, select SHA-1 and click OK.
- To prevent AD FS from sending encrypted assertions by default, open a Windows Power Shell command prompt and run the following command:
set-ADFSRelyingPartyTrust –TargetName "< relyingPartyTrustDisplayName >" –EncryptClaims $False
Step #2 Configure GoTo to trust AD FS
- Navigate to the Organization Center at https://organization.logmeininc.com and use the Identity Provider webform.
- AD FS publishes its metadata to a standard URL by default: (https://< hostname >/federationmetadata/2007-06/federationmetadata.xml).
- If this URL is publicly available on the Internet: Click the Identity Provider tab in the Organization Center, select the Automatic configuration option, then paste the URL in the text field and click Save when finished.
- If the metadata URL is not publicly available, then collect the single-sign-on URL and a certificate (for signature validation) from AD FS and submit them using the Manual configuration option in the Identity Provider tab in the Organization Center.
- To collect the necessary items, do the following:
- To collect the single sign-on service URL, open the AD FS Management window and select the Endpoints folder to display a list of the AD FS endpoints. Look for the SAML 2.0/WS-Federation type endpoint and copy the URL from its properties. Alternatively, if you have access to the standard metadata URL, display the contents of the URL in a web browser and look for the single-sign-on URL in the XML content.
- To collect the certificate for signature validation, open the AD FS Management Console and select the Certificates folder to display the certificates. Look for the Token-signing certificate, then right click on it and select View Certificate. Select the Details tab, and then the Copy to File option. Using Certificate export wizard, select the Base-64 Encoded X.509 (.Cer). Assign a name to the file to complete the export of the certificate into a file.
- Enter the single sign-on service URL and the certificate text into their respective fields into the Organization Center and click Save.
Test the configuration
- To test Identity Provider-Initiated Sign-On, go to your custom IdP URL (example: https://adfs.< my domain.com >/adfs/ls/< IdP Initiated sign on > = https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx). You should see the relying party identifier in a combobox under “Sign in to one to the following sites”.
- To test Relying Party-Initiated Sign-on, see instructions for How do I log in using single sign-on?