Set Up Enterprise Sign-In using ADFS 3.0
Your organization can easily manage thousands of users and their product access while also delivering Single Sign-On (SSO). SSO ensures your users can access their LogMeIn products using the same identity provider as for their other enterprise applications and environments. These capabilities are called Enterprise Sign-In.
This document covers configuration of your Active Directory Federation Services (ADFS) to support Single Sign-On authentication to LogMeIn products. Prior to implementing, however, be sure to read more about Enterprise Sign-In and complete the initial setup steps.
ADFS 3.0 is an enhanced version of ADFS 2.0. It is a downloadable component for Windows Server 2012 R2. One large advantage of 3.0 is that Microsoft's Internet Information Services (IIS) Server is included in the deployment rather than a separate install. The enhancements vary the installation and configuration somewhat compared to its predecessor.
This article covers how to install and configure ADFS, and to set ADFS up in a SAML trust relationship with Enterprise Sign-In. In this trust relationship, ADFS is the Identity Provider and LogMeIn is the Service Provider. On completion, LogMeIn will be able to use ADFS to authenticate users into products like GoToMeeting using the SAML assertions served by ADFS. Users will be able to initiate authentications from the Service Provider side or the Identity Provider side.
Topics in this article:
Among the prerequisites for ADFS 3.0 are:
- A publicly trusted certificate to authenticate ADFS to its clients. The ADFS service name will be assumed from the subject name of the certificate so it's important that the subject name of the certificate be assigned accordingly.
- ADFS server will need to be a member of an Active Directory domain and a domain administrator account will be needed for the ADFS configuration.
- A DNS entry will be needed to resolve the ADFS hostname by its client
A complete and detailed list of the requirements can be reviewed in the Microsoft ADFS 3.0 overview.
- Start the installation of ADFS 3.0 by selecting Administrative Tools | Server Manager | Add roles and features.
- On the Select installation type page select, Role-based or feature-based installation and click Next.
- On the Select destination server page, select the server on which to install the ADFS service and click Next.
- On the Select server roles page, select Active Directory Federation Services and click Next.
- On Select features, unless there are some additional features that you want to install, leave the defaults and click Next.
- Review the information on the Active Directory Domain Services page and click Next.
- Initiate the installation on the Confirm installation selections page.
- In your Notifications, you will have a notification alerting you that you have a Post-deployment Configuration… task remaining. Open it and click on the link to initiate the wizard.
- In the Welcome page select Create the first federation server in a new federation server farm (unless there is an existing farm that you are adding this ADFS server too).
- In the Connect to ADFS page, select the domain admin account to perform this configuration.
- In Specify Service Properties, specify the SSL Certificate created from the prerequisites. Set the Federation Service Name and Federation Service Display Name.
- In Specify Service Account, select the account that ADFS will use.
- In the Specify Configuration Database select the database to use.
- Review the information in Pre-requisite Checks and click configure.
Each party (ADFS and LogMeIn) will need to be configured to trust the other party. Therefore, the trust relationship configuration is a two step process.
Step #1: Configure ADFS to trust LogMeIn SAML
- Open Administrative Tools | ADFS Management.
- In ADFS Management, use the Action drop-down menu and select Add Relying Party Trust. This will initiate the Add Relying Party Trust Wizard.
- On the Select Data Source page of the wizard, select Import data about the relying party published online or on a local area network and in the textbox below the selected option paste the metadata URL:
- Click Next.
- Skip the Configure Multi-factor Authentication Now? page.
- On the Choose Issuance Authorization Rules screen, choose the Permit all users to access this relying party unless another option is desired.
- Step through the rest of the prompts to complete this side of the trust relationship.
- You now add two claim rules.
- Click on the new endpoint entry, and click Edit Claim Rules on the right.
- Select the Issuance Transform Rules tab and click Add Rule.
- Select Send LDAP Attributes as Claims from the drop-down menu and click Next.
- Use the following settings for the rule:
|Claim rule name||AD E-mail|
|Attribute store||Active Directory|
|LDAP Attribute||E-mail Addresses|
|Outgoing Claim Type||E-mail Address|
- Click Finish.
- Click Add Rule again.
- Select Transform an Incoming Claim from the drop-down menu and click Next.
- Use the following settings:
|Claim rule name||Name ID|
|Incoming claim type||E-mail Address|
|Outgoing claim type||Name ID|
|Outgoing name ID Format|
- Select Pass through all claim values.
- Click Finish.
- Right click on the new relying party trust in the Relying Party Trusts folder and select Properties.
- In Advanced, select SHA-1 and click OK.
- To prevent ADFS from sending encrypted assertions by default, open a Windows Power Shell command prompt and run the following command:
set-ADFSRelyingPartyTrust –TargetName "<relyingPartyTrustDisplayName>" –EncryptClaims $False
Step 2. Configure LogMeIn to trust ADFS
- Navigate to the Organization Center and use the Identity Provider webform.
- ADFS publishes its metadata to a standard URL by default: https://<hostname>/federationmetadata/2007-06/federationmetadata.xml.
- If this URL is publicly available on the internet, then on the Identity Provider tab in the Organization Center, select the Automatic configuration option and paste the URL in the textbox. Click Save.
- If the metadata URL is not publicly available, then collect the single-sign-on URL and a certificate (for signature validation) from ADFS and submit them using the Manual configuration option in the Identity Provider tab in the Organization Center.
- To collect the necessary items, do the following:
- To collect the single-sign-on service URL, open the ADFS Management window and select the Endpoints folder to display a list of the ADFS endpoints. Look for the SAML 2.0/WS-Federation type endpoint and collect the URL from its properties. Alternatively, if you have access to the standard metadata URL, display the contents of the URL in a browser and look for the single-sign-on URL in the XML content.
- To collect the certificate for signature validation, open the ADFS Management Console and select the Certificates folder to display the certificates. Look for the Token-signing certificate, right click on it and select View Certificate. Select the Details tab, and then the Copy to File option. Using Certificate export wizard, select the Base-64 Encoded X.509 (.Cer). Assign a name to the file to complete the export of the certificate into a file.
- Input these fields into the Organization Center and click Save.
To test Identity Provider-Initiated Sign-On, go to
You should see the relying party identifier in a combobox under Sign in to one to the following sites.
To test Relying Party-Initiated Sign-on,go to the web login page for the LogMeIn product you wish to sign into (such as www.gotomeeting.com) and on the sign in page, click the Use my company ID option.
Enter your email address. You should be redirected to the ADFS server and be prompted to log in (or if Windows Integrated Auth is used, may even be automatically) after which, you will be sent directly into your desired product.