How to Integrate LogMeIn Central with Microsoft Active Directory Federation Services

Prerequisite: Set up ADFS

Set up ADFS on your internal server network before proceeding.

A live ADFS environment with an externally addressable Microsoft Active Directory Federation Services (ADFS) server must be configured before implementing federated authentication for LogMeIn using ADFS. ADFS is a software module downloaded and installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries. For more information, see:

Once installed, go to Start > Administrative Tools > AD FS 2.0 Management.

Important: Make sure your ADFS server is configured before you continue with the remaining tasks.
Task One: Provide information to LogMeIn

Provide the relevant information to LogMeIn, and LogMeIn will make the corresponding adjustments on your account. Contact your LogMeIn Account Manager to begin the ADFS process.

Verify domain ownership

You must prove ownership of your domain before ADFS can be activated for your account. There are two methods of verification: HTML upload and DNS record.

Option: Verify domain ownership by HTML upload
Procedure:
1. Create an HTML file named logmein-domain-confirmation.html on the website for your planned ADFS domain.
2. In the logmein-domain-confirmation.html file, include a random string. Example:
   logmein-domain-confirmation
   jska7893279jkdhkkjdhask
3. After you have created the logmein-domain-confirmation.html file containing the random string, email your LogMeIn Account Manager with the string. They will confirm that logmein-domain-confirmation.html is visible and contains the correct information.

Option: Verify domain ownership by DNS record
Procedure:
1. Create a TXT record in your domain's DNS zone whose value begins with logmein-domain-confirmation.
2. In the TXT record, include a random string after the logmein-domain-confirmation prefix. Example:
   logmein-domain-confirmation
   jska7893279jkdhkkjdhask
3. After you have created the logmein-domain-confirmation TXT record containing the random string, email your LogMeIn Account Manager with the string. They will confirm that the record is visible and contains the correct information.

Tip: If you do not have a LogMeIn Account Manager, you can email domain-verification@logmein.com.
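Before emailing the string to your Account Manager it is worth checking from outside that the confirmation is actually visible. The script below is an added example and is not part of the LogMeIn document or its tooling. It assumes a placeholder domain (example.com), that the prefix and the random string are separated by a single space in the file or record, and that Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later). The example token is the one from the page; generate your own with the New-ConfirmationToken function rather than reusing it.

```powershell
# Added example (not from the LogMeIn page): self-check both domain verification
# methods before contacting the Account Manager.
# Assumptions: 'example.com' is a placeholder; prefix and token are space-separated.
param(
    [string]$Domain = 'example.com',
    [string]$Token  = 'jska7893279jkdhkkjdhask'   # replace with New-ConfirmationToken output
)

# Generate a fresh random string with the OS CSPRNG instead of reusing the sample.
# (The modulo introduces a tiny bias, which is irrelevant for a one-off proof token.)
function New-ConfirmationToken {
    param([int]$Length = 24)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# The value the Account Manager will look for.
$Expected = "logmein-domain-confirmation $Token"

# Method 1: HTML upload. Fetch the file over HTTPS from the domain you will federate.
function Test-HtmlConfirmation {
    param([string]$Domain, [string]$Expected)
    $url = "https://$Domain/logmein-domain-confirmation.html"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        return $resp.Content.Contains($Expected)
    } catch {
        Write-Warning "Could not fetch ${url}: $($_.Exception.Message)"
        return $false
    }
}

# Method 2: DNS TXT record. Query a public resolver rather than your internal DNS so
# you see the same answer an outside party sees; split-horizon zones hide mistakes.
function Test-DnsConfirmation {
    param([string]$Domain, [string]$Expected)
    $records = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'TXT' }
    foreach ($r in $records) {
        # Long TXT values arrive as several strings; join them before comparing.
        if ((($r.Strings -join '')).Trim() -eq $Expected) { return $true }
    }
    return $false
}

if (Test-HtmlConfirmation -Domain $Domain -Expected $Expected) {
    "HTML check OK: https://$Domain/logmein-domain-confirmation.html contains the string"
} else {
    "HTML check failed: file missing, unreachable, or string does not match"
}

if (Test-DnsConfirmation -Domain $Domain -Expected $Expected) {
    "DNS check OK: a TXT record on $Domain carries the string"
} else {
    "DNS check failed: no TXT record on $Domain matches '$Expected'"
}
```

Run it from a machine outside your network if you can; a check that only passes from inside the LAN is exactly the failure the DNS query against a public resolver is meant to expose.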
Provide the URL of the ADFS server

You must provide the endpoint URL of your ADFS proxy server to your LogMeIn Account Manager. To find your endpoint URL:
1. Launch AD FS 2.0 Management by going to Start > Administrative Tools > AD FS 2.0 Management.
2. Go to Service > Edit Federation Service Properties.
3. Copy the Federation Service name and append /adfs/ls to it.

Provide email domains

You must tell your LogMeIn Account Manager which email domain you will use with your ADFS login. If you have multiple domains, you must specify all of them to your LogMeIn Account Manager.

Important: Do not change your domain address. Contact your LogMeIn Account Manager if you need to change your domain address.

Provide your Token-Signing Certificate

You must obtain your token-signing certificate and provide it to your LogMeIn Account Manager. You can get information on Token-Signing Certificates from Microsoft's TechNet site.
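Both values above (the endpoint URL and the token-signing certificate) can be collected on the ADFS server itself, which avoids copy errors and makes clear that only the public certificate leaves the server. The script below is an added example, not part of the LogMeIn document. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) is installed; on AD FS 3.0 and later, replace Add-PSSnapin with Import-Module ADFS and the same cmdlet names apply. The output path is an assumption.

```powershell
# Added example (not from the LogMeIn page): gather the endpoint URL and export the
# public token-signing certificate from the ADFS server.
# Assumption: AD FS 2.0 snap-in; on newer versions use Import-Module ADFS instead.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Endpoint URL: the Federation Service name with /adfs/ls appended (step 3 above).
$props    = Get-ADFSProperties
$endpoint = "https://$($props.HostName)/adfs/ls"
"Endpoint URL to give your Account Manager: $endpoint"

# 2. Token-signing certificate. Export only the public half (.cer); the private key
#    never leaves the ADFS server, and LogMeIn needs only the public key to verify
#    the signature on the SAML assertions ADFS issues.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # X509Certificate2
$outFile = Join-Path $env:USERPROFILE 'adfs-token-signing.cer'   # assumed output path
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($outFile, $der)

"Primary token-signing certificate written to $outFile"
"  Subject    : $($cert.Subject)"
"  Thumbprint : $($cert.Thumbprint)"
"  Expires    : $($cert.NotAfter)"

# 3. Rollover caveat. With AutoCertificateRollover on, ADFS creates a new self-signed
#    token-signing certificate before the current one expires. LogMeIn only holds the
#    certificate you sent, so the new one must be supplied before the switch, or
#    assertions will fail signature validation and federated logins will stop.
if ($props.AutoCertificateRollover) {
    "AutoCertificateRollover is ON: send the new certificate before $($cert.NotAfter)"
}
```

Compare the thumbprint printed here with the one shown in AD FS 2.0 Management under Service > Certificates before you send the file, so the Account Manager receives the certificate that is actually signing tokens.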
Task Two: Establish a Trust Relationship

Add LogMeIn as a Relying Party Trust in AD FS 2.0 Management.

In AD FS 2.0 Management, open the Add Relying Party Trust wizard by going to Action > Add Relying Party Trust. Set the data as follows:

Tab                                   Input or Action
Select Data Source                    Select "Enter data about the relying party manually".
Specify Display Name                  Enter the Display name as "LogMeIn authentication".
Choose Profile                        Select "AD FS 2.0 profile".
Configure URL                         Enter the SAML Assertion Consumer Endpoint URL: https://accounts.logme.in/federated/saml2.aspx
Configure Identifiers                 Add the following URL to the list of Relying party identifiers: https://accounts.logme.in
Choose Issuance Authorization Rules   Select "Permit all users to access this relying party".
Ready to Add Trust                    Select "Open the Edit Claim Rules".
Finish                                Select Finish.
Task Three: Allow Data to be sent to LogMeIn

Add a Transform Claim Rule for LogMeIn.

In AD FS 2.0 Management, open the Add Transform Claim Rule Wizard by going to Action > Edit Claim Rules > Issuance Transform Rules > Add Rule. Set the data as follows:

Tab                     Input or Action
Choose Rule Type        Under Claim rule template, select "Send LDAP Attributes as Claims".
Configure Claim Rule    Set Claim rule name to "Email and name".
Configure Claim Rule    Set Attribute store to "Active Directory".
Configure Claim Rule    Map the LDAP attributes to outgoing claim types as follows:
                          E-Mail-Addresses  ->  E-Mail Address
                          Given-Name        ->  Given Name
                          Surname           ->  Surname

Click Finish.
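Task Two and Task Three together define one relying party trust: the endpoint and identifier, the authorization rule, and the transform rule. The script below is an added example, not LogMeIn's own tooling, that creates the same trust from PowerShell so the configuration can be kept in source control and reviewed. It assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell); on AD FS 3.0 and later use Import-Module ADFS with the same cmdlet names. The POST binding for the consumer endpoint is an assumption (it is what the wizard creates for a SAML assertion consumer URL). The two rule bodies are the claim rule language the wizard generates for "Permit all users" and for the "Send LDAP Attributes as Claims" template with the mail, givenName and sn attributes.

```powershell
# Added example (not from the LogMeIn page): build the Task Two trust and the
# Task Three transform rule from PowerShell, then read the trust back and check it.
# Assumption: AD FS 2.0 snap-in; on newer versions use Import-Module ADFS instead.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Task Two, "Configure URL": the SAML assertion consumer endpoint from the page.
# POST binding is assumed; it is what the wizard assigns to an ACS URL.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri 'https://accounts.logme.in/federated/saml2.aspx' -Index 0

# Task Two, "Choose Issuance Authorization Rules": "Permit all users" is this single
# rule. Every user who can authenticate to the domain can then reach LogMeIn; swap in
# a group-based rule later if that is broader than your access policy allows.
$authz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Task Three: the "Send LDAP Attributes as Claims" template, "Email and name" rule,
# mapping E-Mail-Addresses / Given-Name / Surname to the three standard claim types.
$transform = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email and name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# Task Two, "Specify Display Name" and "Configure Identifiers".
Add-ADFSRelyingPartyTrust -Name 'LogMeIn authentication' `
    -Identifier 'https://accounts.logme.in' `
    -SamlEndpoint $acs `
    -IssuanceAuthorizationRules $authz `
    -IssuanceTransformRules $transform

# Read the trust back and check the values that the federation depends on: the
# identifier LogMeIn matches on, an HTTPS-only consumer endpoint (assertions carry
# the user's e-mail and name), and a transform rule that actually issues the e-mail claim.
$rp = Get-ADFSRelyingPartyTrust -Name 'LogMeIn authentication'
$nonHttps = $rp.SamlEndpoints | Where-Object { $_.Location.Scheme -ne 'https' }
$checks = [ordered]@{
    'Identifier is https://accounts.logme.in' = ($rp.Identifier -contains 'https://accounts.logme.in')
    'All SAML endpoints use HTTPS'            = ($nonHttps.Count -eq 0)
    'Transform rule issues emailaddress'      = ($rp.IssuanceTransformRules -match 'claims/emailaddress')
}
foreach ($k in $checks.Keys) {
    "{0,-42} {1}" -f $k, $(if ($checks[$k]) { 'OK' } else { 'CHECK' })
}
```

If the wizard route was already used, skip Add-ADFSRelyingPartyTrust and run only the read-back section; it is a useful post-change check either way, because a wrong identifier or a missing e-mail claim produces a login failure on the LogMeIn side with little diagnostic information on the ADFS side.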
Task Four: Browser Setup (Optional)

Find out what to do if browsers do not redirect automatically.

When users who have already authenticated to the domain try to log in to a LogMeIn service via Internet Explorer or Chrome, the browser should automatically recognize the intranet URL and use NTLM to authenticate to the federation service server. If the address is not recognized as intranet, you can add the FQDN of your ADFS server to the Local intranet zone. This can be deployed to multiple computers via Group Policy. This ensures that users who have already logged in to the domain are able to log in to LogMeIn services with their domain email address alone. They will not need to enter a password, since they have already been authenticated.

In Internet Explorer, set the Local Intranet website under Settings > Internet Options > Security > Local Intranet.

In Firefox:
1. Type about:config in the URL bar and press Enter.
2. Modify network.automatic-ntlm-auth.trusted-uris to include the Local Intranet website.
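The Local intranet zone entry described above is what the "Site to Zone Assignment List" Group Policy writes to the registry, so it can be tested on one machine before it is rolled out. The script below is an added example, not part of the LogMeIn document. It assumes adfs.example.com as a placeholder for your Federation Service name, runs elevated (the policy key is under HKLM), and writes the Firefox preference into each profile's user.js for the current user as the scripted equivalent of the about:config step.

```powershell
# Added example (not from the LogMeIn page): add the ADFS FQDN to the Local intranet
# zone the way the Site to Zone Assignment List policy does, then set the matching
# Firefox preference. Assumption: adfs.example.com is a placeholder.
param([string]$AdfsFqdn = 'adfs.example.com')

# ZoneMap numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet,
# 4 Restricted sites. Add only the exact ADFS host, not the whole parent domain:
# every site in the intranet zone receives the user's Windows credentials
# automatically, so the list should stay as short as possible.
$zones     = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$siteUrl   = "https://$AdfsFqdn"

# Value name is the URL, data is the zone number as a string, exactly as the GPO writes it.
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name $siteUrl -Value '1' -Type String

# Read it back so the zone assignment can be confirmed before deploying via Group Policy.
$entry = (Get-ItemProperty -Path $policyKey).$siteUrl
"$siteUrl -> zone $entry ($($zones[[int]$entry]))"

# Firefox ignores the Windows zone map. Write the trusted-URI preference into each
# profile's user.js; the value is the FQDN only, matching the about:config step above.
# (On managed installs the Authentication policy in policies.json is the cleaner route.)
$firefoxProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $firefoxProfiles) {
    Get-ChildItem $firefoxProfiles -Directory | ForEach-Object {
        $userJs = Join-Path $_.FullName 'user.js'
        Add-Content -Path $userJs -Value "user_pref(`"network.automatic-ntlm-auth.trusted-uris`", `"$AdfsFqdn`");"
        "Added $AdfsFqdn to trusted NTLM URIs in $userJs"
    }
}
```

Note that once the policy ZoneMapKey exists, entries users add by hand in Internet Options are ignored, so the same list must carry every intranet site the organisation relies on, not just the ADFS host.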