Set Up Enterprise Sign-In using ADFS v2.0
Your organization can easily manage thousands of users and their product access while also delivering Single Sign-On (SSO). SSO ensures your users can access their GoTo products using the same identity provider as for their other enterprise applications and environments. These capabilities are called Enterprise Sign-In.
This document covers configuration of your Active Directory Federation Services (ADFS) to support Single Sign-On authentication to GoTo products. Prior to implementing, however, be sure to read more about Enterprise Sign-In and complete the initial setup steps.
ADFS 2.0 is a downloadable component for Windows Server 2008 and 2008 R2. It is simple to deploy, but there are several configuration steps that need specific strings, certificates, URLs, etc. ADFS 3.0 is also supported for Enterprise Sign-In. ADFS 3.0 has several improvements, the largest of which is that Microsoft's Internet Information Services (IIS) Server is included in the deployment rather than a separate install.
Note: You may skip to Step 4 if you already have ADFS 2.0 deployed.
Step 1: Federation Service Certificate
Each ADFS deployment is identified by a DNS name (e.g., “adfs.mydomain.com”). You will need a certificate issued to this Subject Name before you begin. This identifier is an externally visible name, so make sure you pick something suitable to represent your company to partners. Also, don’t use this name as a server host name as well – it will cause trouble with Service Principal Name (SPN) registration if you do.
There are many methods to generate certificates. The easiest, if you have a Certificate Authority in your Domain, is to use the IIS 7 management console:
- Open Web Server (IIS) management snap-in.
- Select the server node in the navigation tree, then Server Certificates option.
- Select Create Domain Certificate.
- Enter your Federation Service Name in Common Name (e.g., adfs.mydomain.com).
- Select your Active Directory Certificate Authority.
- Enter a “Friendly Name” for the Certificate (any identifier will do).
Note: If you didn’t use the IIS console to generate the certificate, make sure the certificate is bound to the IIS service in the servers where you’ll be installing ADFS before proceeding.
Step 2: Create a Domain User Account
ADFS requires a domain user account to run its services; create one before installing (no specific group memberships are required).
Step 3: Install First AD FS Server
- Download ADFS 2.0 and run the installer. Make sure you run the installer as a Domain Admin – it will create SPNs and other containers in AD.
- In Server Role, select Federation Server.
- Check Start the ADFS 2.0 Management snap-in when this wizard closes at the end of the Wizard.
- In ADFS Management snap-in, click Create new Federation Service.
- Select New Federation Server farm.
- Select the Certificate you’ve created in the previous step.
- Select the Domain user you’ve created in previous steps.
Step 4: Configure Relying Party
In this step you will tell ADFS the kind of SAML tokens that the system accepts. In ADFS 2.0 MMC:
- Select Trust Relationships | Relying Party Trusts in the navigation tree.
- Choose Add Relying Party Trust and click Start.
- In Select Data Source, select Enter data about the relying party manually and click Next.
- Enter a Display name identifier (for example, GoToMeeting) and click Next.
- Select AD FS 2.0 profile and click Next.
- On Configure Certificate click Next without entering anything.
- Check Enable support for the SAML 2.0 WebSSO protocol and use one of the URLs below as the Relying party SAML 2.0 SSO Service URL:
  - GoToAssist (Remote Support/Service Desk)
- Click Next.
- Select Permit all users to access this relying party and click Next.
- Review the details and click Next.
- Uncheck Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.
You should see the new relying party entry under Relying Party Trusts.
- Right-click on your new relying party and select Properties.
- Click Advanced and select SHA-1 from the Secure hash algorithm drop-down.
- Select the Signature tab and click Add.
- Download the certificate from:
- Browse to the downloaded certificate and select it.
- Select the Endpoint tab and click Add.
- Use the following settings for the new endpoint:
  - Endpoint type: SAML Assertion Consumer
  - Binding: POST
  - Index: 1
  - URL: https://login.citrixonline.com/saml/acs
- Click OK to save it.
You now add two claim rules.
- Click on the new endpoint entry, and click Edit Claim Rules on the right.
- Select the Issuance Transform Rules tab and click Add Rule.
- Select Send LDAP Attributes as Claims from the drop-down menu and click Next.
- Use the following settings for the rule:
  - Claim rule name: AD Email.
  - Attribute store: Active Directory.
  - LDAP Attribute: E-mail-Addresses.
  - Outgoing Claim Type: E-mail Address.
- Click Finish.
- Click Add Rule again.
- Select Transform an Incoming Claim from the drop-down menu and click Next.
- Use the following settings:
  - Claim rule name: Name ID.
  - Incoming claim type: E-Mail Address.
  - Outgoing claim type: Name ID.
  - Outgoing name ID Format: Email.
- Select Pass through all claim values.
- Click Finish.
You then verify or create a rule to permit user access.
- Select the Issuance Authorization Rules tab.
- Verify a rule exists named Permit Access to All Users. If it does not, use Add Rule to create the rule.
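The same Step 4 configuration (relying party trust, POST assertion-consumer endpoint, SHA-1 signature algorithm, the two claim rules and the permit-all authorization rule) can be applied and then checked from the ADFS 2.0 PowerShell snap-in. This is an added example, not part of the original page or GoTo's own tooling; the relying party identifier URL and the path to the downloaded signing certificate are placeholders you must replace with the values from the steps above, and the claim rules are written in the ADFS claim rule language exactly as the two wizards generate them.

```powershell
# Added example (not from the original page): scripts Step 4 with the ADFS 2.0 snap-in.
# Placeholders (assumptions): the relying party identifier URL and the certificate path.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$rpName   = "GoToMeeting"
$rpId     = "https://RELYING-PARTY-IDENTIFIER-PLACEHOLDER"   # SSO Service URL from Step 4
$certPath = "C:\certs\goto-signing-PLACEHOLDER.cer"          # certificate downloaded in Step 4
$acsUrl   = "https://login.citrixonline.com/saml/acs"        # Assertion Consumer URL from the page

# Signature tab: certificate the relying party uses to sign its SAML requests
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Endpoint tab: SAML Assertion Consumer, POST binding, index 1
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 1

# Issuance transform rules: "AD Email" (Send LDAP Attributes as Claims) and
# "Name ID" (Transform an Incoming Claim, pass through all values, Email format)
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: "Permit Access to All Users"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpId `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $signingCert `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read the trust back and compare it against the GUI checklist above
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, SignatureAlgorithm
$rp.SamlEndpoints | Select-Object Protocol, Binding, Index, Location
$rp.RequestSigningCertificate | Select-Object Subject, NotAfter, Thumbprint
```

Run it in an elevated PowerShell session on the ADFS server; the final three lines are the check that the endpoint, signature algorithm and signing certificate match what Step 4 asks for.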
Step 5: Configure Trust
The last configuration step is to accept the SAML tokens generated by your new AD FS service.
- Use the “Identity Provider” section in the Organization Center to add the needed details.
- For ADFS 2.0, select “Automatic” configuration and enter the following URL – replacing “server” with the externally accessible hostname of your ADFS server:
Step 6: Testing Single-Server Configuration
At this point you should be able to test the configuration. You must create a DNS entry for the AD FS service identity, pointing to the AD FS server you’ve just configured, or a network load balancer if you’re using one.
- To test Identity Provider-Initiated Sign-On, go to https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx. You should see the relying party identifier in a combo box under “Sign in to one of the following sites”.
- To test Relying Party-Initiated Sign-On, go to the product login page for the product you wish to sign into (such as www.gotomeeting.com) and, on the sign-in page, click the “Use my company ID” option. After entering your email address, you should be redirected to the ADFS server and be prompted to log in (or, if Windows Integrated Authentication is used, you should be automatically logged in to GoToMeeting, GoToWebinar, GoToTraining or OpenVoice).