Set Up a Custom Enterprise Sign-In Configuration
One of the options for implementing Enterprise Sign-In (single sign-on) is to set up a custom configuration using the Identity Provider tab within the Organization Center. This is most commonly used by companies that use a third-party provider that doesn't offer a pre-configured single sign-on package, or that need a custom SAML Identity Provider.
GoTo offers Enterprise Sign-In, which is a SAML-based single sign-on (SSO) option that allows users to sign in to their GoTo product(s) using their company-issued username and password, which is the same credentials they use when accessing other systems and tools within the organization (e.g., corporate email, work-issued computers, etc.). This provides a simplified login experience for users while allowing them to securely authenticate with credentials they know.
The Identity Provider tab within the Organization Center supports various configurations. IT Administrators can configure automatically using a metadata URL or uploading a SAML metadata file, or configure manually with sign-in and sign-out URLs, an identity provider ID and an uploaded verification certificate.
General Identity Provider Setup Overview
A trust-relationship between two relying parties has been established when each party has acquired the necessary metadata about the partner for execution of a SAML Single Sign-On. At each relying party, the configuration information can be input dynamically or manually, depending on the interface offered by the IdP.
When introducing the GoTo SAML Service’s metadata at the IdP, you may be given an option to add a new Service Provider via metadata. In this case, you can simply populate the metadata URL field with:
In the event your IdP requires manual input of information, you’ll need to manually enter the parts of the metadata. Depending on your IdP, it may ask for different pieces of information or call these fields different things. To start, here are some of the configuration values that should be entered if your IdP asks for them.
- EntityID – The GoTo SAML Service’s entityID is the metadata url. The IdP may sometimes refer to it as the IssuerID or the AppID. (https://authentication.logmeininc.com/saml/sp).
- Audience – This is the EntityID of the GoTo SAML Service. An IdP may refer to it as the Audience Restriction. This should be set to: https://authentication.logmeininc.com/saml/sp.
- ACS URL (Assertion Consumer Service URL) – The URL where authentication responses (containing assertions) are returned to: https://authentication.logmeininc.com/saml/acs.
Note: The IdP may also refer to this as the ACS URL, the Post Back Url, the Reply URL, or the Single Sign On URL.
- Single Logout URL – The destination of a logout request or logout response from the IdP: https://authentication.logmeininc.com/saml/SingleLogout.
- NameID format – The type of the subject identifier to be returned in the Assertion. The GoTo SAML Service expects: EmailAddress
You can set a per-product RelayState to allow routing to different products from your IdP application catalog. Below are the RelayState values to set for GoTo products:
|Product Name||RelayState Value|
|GoToAssist Remote Support||https://up.gotoassist.com|
|GoToAssist (Service Desk)||https://desk.gotoassist.com|
|GoToAssist Remote Support v5||https://console.gotoassist.com|
During manual configuration of the GoTo SAML Service at the IdP, you may be presented with some additional options. Here is a list of potential options you may be presented and what you should set them to.
- Sign assertion or response
- Activate this option, the GoTo SAML service requires the IdP’s signature on the response.
- Encrypt assertion or response
- Deactivate this option, currently the SAML service is not processing encrypted assertions.
- Include SAML Conditions
- Activate this option, it’s required by the SAML Web SSO profile. This is a SecureAuth option.
- SubjectConfirmationData Not Before
- Deactivate this option, required by the SAML Web SSO profile. This is a SecureAuth option.
- SAML Response InResponseTo
- Activate this option. This is a SecureAuth option.