Set Up Enterprise Sign-In using ADFS 3.0
Your organization can easily manage thousands of users and their product access while also delivering single sign-on (SSO). SSO ensures your users can access their LogMeIn products using the same identity provider as for their other enterprise applications and environments. These capabilities are called Enterprise Sign-In.
This document covers configuration of your Active Directory Federation Services (ADFS) to support single sign-on authentication to LogMeIn products. Prior to implementing, however, be sure to read more about Enterprise Sign-In and complete the initial setup steps.
ADFS 3.0 is an enhanced version of ADFS 2.0. It is a downloadable component for Windows Server 2012 R2. One large advantage of 3.0 is that Microsoft's Internet Information Services (IIS) Server is included in the deployment rather than a separate install. The enhancements vary the installation and configuration somewhat compared to its predecessor.
This article covers how to install and configure ADFS, and to set ADFS up in a SAML trust relationship with Enterprise Sign-In. In this trust relationship, ADFS is the Identity Provider and LogMeIn is the Service Provider. On completion, LogMeIn will be able to use ADFS to authenticate users into products like GoToMeeting using the SAML assertions served by ADFS. Users will be able to initiate authentications from the Service Provider side or the Identity Provider side.
Among the prerequisites for ADFS 3.0 are:
- A publicly trusted certificate to authenticate ADFS to its clients. The ADFS service name will be assumed from the subject name of the certificate so it's important that the subject name of the certificate be assigned accordingly.
- ADFS server will need to be a member of an Active Directory domain and a domain administrator account will be needed for the ADFS configuration.
- A DNS entry will be needed to resolve the ADFS hostname by its client
A complete and detailed list of the requirements can be reviewed in the Microsoft ADFS 3.0 overview.
- Start the installation of ADFS 3.0 by going to Administrative Tools > Server Manager > Add roles and features.
- Under the Select installation type page, select Role-based or feature-based installation, then click Next.
- On the Select destination server page, select the server on which to install the ADFS service, then click Next.
- On the Select server roles page, select Active Directory Federation Services, then click Next.
- On Select features, unless there are some additional features that you want to install, leave the defaults and click Next.
- Review the information on the Active Directory Domain Services page, then click Next.
- Initiate the installation on the Confirm installation selections page.
- In your Notifications, you will have a notification alerting you that you have a Post-deployment Configuration… task remaining. Open it and click on the link to initiate the Setup Wizard.
- In the Welcome page, select Create the first federation server in a new federation server farm (unless there is an existing farm that you are adding this ADFS server too).
- On the Connect to ADFS page, select the domain admin account to perform this configuration.
- In Specify Service Properties, specify the SSL Certificate created from the prerequisites. Set the Federation Service Name and Federation Service Display Name.
- In Specify Service Account, select the account that ADFS will use.
- In the Specify Configuration Database select the database to use.
- Review the information in Pre-requisite Checks and click Configure.
Establish Trust Relationship
Each party (ADFS and LogMeIn ) will need to be configured to trust the other party. Therefore, the trust relationship configuration is a two step process.
Step #1: Configure ADFS to trust LogMeIn SAML
- Go to Administrative Tools > ADFS Management.
- In ADFS Management, use the Action drop-down menu and select Add Relying Party Trust. This will initiate the Add Relying Party Trust Wizard.
- On the Select Data Source page of the wizard, select Import data about the relying party published online or on a local area network.
- In the text box below the selected option, paste the metadata URL: https://authentication.logmeininc.com/saml/sp.
- Click Next.
- Skip the Configure Multi-factor Authentication Now? page.
- On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party (unless another option is desired).
- Proceed through the rest of the prompts to complete this side of the trust relationship.
Add 2 claim rules
- Click on the new endpoint entry, and click Edit Claim Rules in the right navigation.
- Select the Issuance Transform Rules tab, then click Add Rule.
- Use the drop-down menu and select Send LDAP Attributes as Claims, then click Next.
- Use the following settings for the rule:
- Claim rule name – AD Email
- Attribute store – Active Directory
- LDAP Attribute – E-mail-Addresses
- Outgoing Claim Type – E-mail Address
- Click Finish.
- Click Add Rule again.
- Use the drop-down menu and select Transform an Incoming Claim menu, then click Next.
- Use the following settings:
- Claim rule name – Name ID
- Incoming claim type – E-Mail Address
- Outgoing claim type – Name ID
- Outgoing name ID Format – Email
- Select Pass through all claim values.
- Click Finish.
- Right click on the new relying party trust in the Relying Party Trusts folder and select Properties.
- Under Advanced, select SHA-1 and click OK.
- To prevent ADFS from sending encrypted assertions by default, open a Windows Power Shell command prompt and run the following command:
set-ADFSRelyingPartyTrust –TargetName "< relyingPartyTrustDisplayName >" –EncryptClaims $False
Step #2 Configure LogMeIn to trust ADFS
- Navigate to the Organization Center at https://organization.logmeininc.com and use the Identity Provider webform.
- ADFS publishes its metadata to a standard URL by default: (https://< hostname >/federationmetadata/2007-06/federationmetadata.xml).
- If this URL is publicly available on the Internet: Click the Identity Provider tab in the Organization Center, select the Automatic configuration option, then paste the URL in the text field and click Save when finished.
- If the metadata URL is not publicly available, then collect the single-sign-on URL and a certificate (for signature validation) from ADFS and submit them using the Manual configuration option in the Identity Provider tab in the Organization Center.
- To collect the necessary items, do the following:
- To collect the single sign-on service URL, open the ADFS Management window and select the Endpoints folder to display a list of the ADFS endpoints. Look for the SAML 2.0/WS-Federation type endpoint and copy the URL from its properties. Alternatively, if you have access to the standard metadata URL, display the contents of the URL in a web browser and look for the single-sign-on URL in the XML content.
- To collect the certificate for signature validation, open the ADFS Management Console and select the Certificates folder to display the certificates. Look for the Token-signing certificate, then right click on it and select View Certificate. Select the Details tab, and then the Copy to File option. Using Certificate export wizard, select the Base-64 Encoded X.509 (.Cer). Assign a name to the file to complete the export of the certificate into a file.
- Enter the single sign-on service URL and the certificate text into their respective fields into the Organization Center and click Save.
Test the configuration
- To test Identity Provider-Initiated Sign-On, go to your custom IdP URL (example: https://adfs.< my domain.com >/adfs/ls/< IdP Initiated sign on > = https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx). You should see the relying party identifier in a combobox under “Sign in to one to the following sites”.
- To test Relying Party-Initiated Sign-on, see instructions for How do I log in using single sign-on?