How to Integrate LogMeIn Central with Microsoft Active Directory Federation Services.
Prerequisite: Set up ADFS
Set-up ADFS on your internal server network before proceeding.
A live ADFS environment with an externally addressable Microsoft Active Directory Federation Services (ADFS) server must be configured before implementing federated authentication for LogMeIn using ADFS.
ADFS is a software module downloaded and installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries. For more information, see:
Once installed, go to Start > Administrative tools > AD FS 2.0 Management.
Important: Make sure your ADFS server is configured before you continue with the remaining tasks.
Task One: Provide information to LogMeIn
Provide the relevant information to LogMeIn and we make adjustments on your account. Contact your LogMeIn Account Manager to begin the ADFS process.
Verify domain ownership.
You must prove ownership of your domain before ADFS can be activated for your account. There are two methods of verification: HTML upload and DNS record.
Option
Procedure
Verify domain ownership by HTML Upload
Create an html file named logmein-domain-confirmation.html to the website for your planned ADFS domain.
In the logmein-domain-confirmation.html file, include a random string. Example: logmein-domain-confirmation jska7893279jkdhkkjdhask
After you have created the logmein-domain-confirmation.html file containing the random string, email your LogMeIn Account Manager with the string and they will confirm the logmein-domain-confirmation.html is visible and contains the correct information.
Verify domain ownership by DNS record
Create a TXT for your domain's DNS entry with the value logmein-domain-confirmation.
In the logmein-domain-confirmation.txt file, include a random string. Example: logmein-domain-confirmation jska7893279jkdhkkjdhask
After you have created the logmein-domain-confirmation file containing the random string, email your LogMeIn Account Manager and they will confirm the logmein-domain-confirmation file is visible and contains the correct information.
Tip: If you do not have a LogMeIn Account Manager, you can contact support.
Provide the URL of the ADFS server.
You must provide the endpoint URL of your ADFS proxy server to your LogMeIn Account Manager. To find your endpoint URL:
Launch AD FS 2.0 Management by going to Start > Administrative tools > AD FS 2.0 Management.
Go to Service > Edit Federation Service Properties.
Copy the Federation Service name and append it with /adfs/ls.
Provide email domains.
You must tell your LogMeIn Account Manager what email domain you will use with your ADFS login. If you have multiple domains, you must specify this to your LogMeIn Account Manager.
Important: Do not change your domain address. Contact your LogMeIn Account Manager if you need to change your domain address.
Provide your Token-Signing Certificate.
You must provide your token signing certificate and provide this information to your LogMeIn Account Manager. You can get information on Token-Signing Certificates from Microsoft's TechNet site.
Task Two: Establish a Trust Relationship
Add LogMeIn as a Relying Party Trust in AD FS 2.0 Management.
In AD FS 2.0 Management, open the Add Relying Party Trust wizard by going to Action > Add Relying Party Trust.
Set the data as follows:
Tab
Input or Action
Select Data Source
Select Enter data about the relying party manually
specify a display name
Enter the Display name as LogMeIn authentication
Choose Profile
Select AD FS 2.0 profile
Configure URL
Enter the SAML Assertion Consumer Endpoint URL: https://accounts.logme.in/federated/saml2.aspx
Configure Identifiers
The following URL must be added to the list of Relying party identifiers: https://accounts.logme.in
Choose Issuance Authorization Rules
Select Permit all users to access this relying party
Ready to Add Trust
Select Open the Edit Claim Rules
Finish
Select Finish
Task Three: Allow Data to be sent to LogMeIn
Add a Transform Claim Rule for LogMeIn.
In AD FS 2.0 Management, open the Add Transform Claim Rule Wizard by going to Action > Edit Claim Rules > Issuance Transform Rules > Add Rule.
Set the data as follows:
Tab
Input or Action
Choose Rule Type
Under Claim rule template select Send LDAP Attributes as Claims
Configure Claim Rule
Set Claim rule name to Email and name
Configure Claim Rule
Set Attribute store to Active Directory
Configure Claim Rule
Set the LDAP attributes as:
E-Mail-Addresses: E-Mail Address
Given-Name: Given Name
Surname: Surname
Click Finish.
Task Four: Browser Setup (Optional)
Find out what to do if the browsers do not redirect automatically.
When users who have already authenticated to the domain try to log in to a LogMeIn service via Internet Explorer and Chrome, the browser should automatically recognize their intranet URL and use NTLM for FS server authentication. If the address is not recognized as intranet, you can add the FQDN of your ADFS to the Local intranet zone. This can be deployed to multiple computers via Group Policy. This ensures that users who have already logged in to the domain are able to log in to LogMeIn services with their domain email address alone. They will not need to enter a password since they have already been authenticated.
In Internet Explorer, set the Local Intranet website under Settings > Internet Options > Security > Local Intranet.
In Firefox:
Type about:config in the URL bar and press Enter.
Modify the network.automatic-ntlm-auth.trusted-uris to include the Local Intranet Website.
US Canada: 1-866-478-1805