Manual Single Sign On Configuration
Once you have an organization set up with organization users associated with user accounts, you can configure SAML-based Single Sign-On (SSO) for your users through an external Identity Provider (IdP). The IdP can be a service such as Active Directory Federation Services (ADFS); a third-party provider such as OneLogin, Okta, Azure, etc.; or a custom solution. Once configured, your users can sign in either from the Identity Provider's website (IdP-initiated sign-in) or from your GoTo product's website (SP-initiated sign-in) using the Use my company ID link in the GoTo sign in form.
We offer specific documentation for:
Many Identity and Access Management vendors also provide their own GoTo-specific documentation for configuring SSO.
For other providers, or for a custom SAML IdP, the information below can aid in configuration.
In general, the process is:
1. Enabling the application integration for GoToMeeting
2. Configuring single sign-on
3. Configuring user provisioning (optional)
4. Assigning users
Most IdP interfaces support several ways to set up the trust: automatically from a metadata URL, by uploading a SAML metadata file, or manually by entering the sign-in and sign-out URLs, the identity provider ID (its entityID), and uploading the verification (signing) certificate.
General Identity Provider Setup Overview
A trust relationship between the Identity Provider and the Service Provider (SP; here, the GoTo SAML Service) is established when each side has acquired the metadata it needs about the other to execute a SAML Single Sign-On: the SP needs the IdP's entityID, endpoints and signing certificate, and the IdP needs the SP's entityID and Assertion Consumer Service endpoint. On each side, the configuration can be loaded dynamically from metadata or entered manually, depending on the interface offered by the IdP. Because the signing certificate exchanged here is what each side later trusts, obtain metadata only from the partner's HTTPS metadata URL or from a file you received through a trusted channel.
When introducing the GoTo SAML Service’s metadata at the IdP, you may be given an option to add a new Service Provider via metadata. In this case, you can simply populate the metadata URL field with:
If your IdP requires manual input, you will need to enter the individual parts of the metadata yourself. Depending on your IdP, it may ask for different pieces of information or call these fields by different names. To start, here are the configuration values to enter if your IdP asks for them. Then, depending on whether your IdP supports a feature called RelayState, there will be additional values to input.
- EntityID - The GoTo SAML Service’s entityID is the metadata url. The IdP may sometimes refer to it as the IssuerID or the AppID.
- Audience - This is the EntityID of the GoTo SAML Service. An IdP may refer to it as the Audience Restriction. This should be set to:
- Single Logout URL - The destination of a logout request or logout response from the IdP:
- NameID format - The type of the subject identifier to be returned in the Assertion. The GoTo SAML Service expects:
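When you have to transcribe these fields by hand, the safest source is the SP metadata document itself rather than a screenshot or an e-mail. The script below is an added example (not GoTo's code) that reads SAML SP metadata and maps it onto the field names used in the list above, so the values you type into the IdP's form are the ones the SP actually publishes. The sample metadata, its entityID, endpoints and NameID format are constructed placeholders, not the GoTo SAML Service's real values; replace the sample with the metadata fetched from the service's metadata URL.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata with placeholder values; not the GoTo SAML
# Service's real entityID, endpoints or NameID format.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.invalid/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.invalid/saml/artifact" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_manual_fields(metadata_xml: str) -> dict:
    """Map SP metadata onto the fields an IdP's manual-entry form asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    entity_id = root.get("entityID")

    # A browser-delivered Response arrives over the HTTP-POST binding, so only
    # a POST AssertionConsumerService is a valid ACS URL; prefer the default one.
    acs_elems = sp.findall("md:AssertionConsumerService", NS)
    post_acs = [e for e in acs_elems if e.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("SP exposes no HTTP-POST AssertionConsumerService")
    default = [e for e in post_acs if e.get("isDefault") == "true"] or post_acs
    acs_url = default[0].get("Location")

    slo = sp.find("md:SingleLogoutService", NS)
    name_id = sp.find("md:NameIDFormat", NS)

    # Keys are the field names used in the list above; comments give the
    # alternate names some IdPs use for the same field.
    return {
        "EntityID": entity_id,                   # Issuer ID / App ID
        "Audience": entity_id,                   # Audience Restriction
        "ACS URL": acs_url,                      # Reply URL / Post Back URL / SSO URL
        "Recipient": acs_url,
        "Destination": acs_url,
        "Single Logout URL": slo.get("Location") if slo is not None else None,
        "NameID format": name_id.text.strip() if name_id is not None and name_id.text else None,
        "Sign assertion": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for field, value in extract_manual_fields(SAMPLE_SP_METADATA).items():
        print("%-18s %s" % (field, value))
```

Note that the Audience, Recipient and Destination entries are derived from the entityID and the ACS URL: SP metadata does not list them separately, which is why some IdPs ask for them and others do not.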
When users access products through an IdP-initiated sign-in, some IdPs support a feature known as "RelayState", which lets you drop users directly into the specific GoTo product on which you want them to land. To configure this, set the following fields, where your IdP configuration asks for them, as described below. Some IdPs refer to these fields by different names; where possible, we have included the alternative names.
- Assertion Consumer Service URL - The URL where authentication responses (containing assertions) are returned to. The IdP may also refer to this as the ACS URL, the Post Back Url, the Reply URL, or the Single Sign On URL.
If your IdP supports the RelayState feature, the ACS-related fields (the ACS URL, and the Recipient and Destination fields if your IdP asks for them separately; not all IdPs will ask for all fields) should be populated with:
You can then set a per-product RelayState to allow routing to different products from your IdP application catalog. Below are the RelayState values to set for GoTo products:
- GoToAssist (Remote Support/Service Desk)
If your IdP does not support the RelayState feature, there will be no RelayState value to set. Instead, set the ACS values above (ACS URL, Recipient, Destination) to the following values per product:
- GoToAssist (Remote Support/Service Desk)
During manual configuration of the GoTo SAML Service at the IdP, you may be presented with some additional options. Here is a list of options you may encounter, what to set them to, and why.
- Sign assertion or response
- Activate this option. The GoTo SAML Service requires the IdP's signature on the response; without it the service cannot tell a genuine response from a forged one.
- Encrypt assertion or response
- Deactivate this option. The SAML service does not currently process encrypted assertions. The assertion still travels through the user's browser over TLS and is protected against tampering by the signature; only the extra layer of XML encryption is unsupported.
- Include SAML Conditions
- Activate this option; Conditions are required by the SAML Web SSO profile. The Conditions element carries the AudienceRestriction and the NotBefore/NotOnOrAfter validity window, which let the service reject assertions issued for a different SP or replayed after they expire. This is a SecureAuth option.
- SubjectConfirmationData Not Before
- Deactivate this option. The SAML Web Browser SSO profile forbids a NotBefore attribute on SubjectConfirmationData (only NotOnOrAfter is permitted there), so enabling it produces responses that a conforming SP rejects. This is a SecureAuth option.
- SAML Response InResponseTo
- Activate this option. InResponseTo carries the ID of the AuthnRequest the service sent, which lets it reject responses it did not ask for during SP-initiated sign-in. An IdP-initiated response has no request to reference and therefore carries no InResponseTo. This is a SecureAuth option.
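The options above are easier to reason about as the checks the receiving side performs on each Response. The script below is an added example (not GoTo's code) of those structural checks: signature present, no encrypted assertion, Conditions with a matching Audience and validity window, SubjectConfirmationData with NotOnOrAfter but no NotBefore, Recipient and Destination equal to the configured ACS URL, and InResponseTo matching the outstanding request. The SP entityID, ACS URL and the sample Response are constructed placeholders, and the ds:Signature in the sample is an empty stand-in, so the script verifies placement of the signature, not its cryptographic validity; that step belongs to the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP identity and endpoint; not the GoTo SAML Service's values.
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"
ACS_URL = "https://sp.example.invalid/saml/acs"
# Fixed "current time" so the constructed sample validates deterministically.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)

# Constructed sample Response. The ds:Signature is an empty placeholder, so only
# its presence and location are checked here, never its cryptographic validity.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://sp.example.invalid/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://sp.example.invalid/saml/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected_in_response_to, now):
    """Return the list of problems found; an empty list means the Response meets
    the option settings listed above. For IdP-initiated sign-in pass
    expected_in_response_to=None, since there is no AuthnRequest to reference."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("EncryptedAssertion present: assertion encryption must be disabled")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion")
        return problems
    # "Sign assertion or response": at least one of the two must carry a signature.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match the configured ACS URL")
    # "SAML Response InResponseTo": bind the Response to the request we issued.
    if root.get("InResponseTo") != expected_in_response_to:
        problems.append("InResponseTo does not match the outstanding AuthnRequest ID")
    # "Include SAML Conditions": audience and validity window.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("AudienceRestriction does not name this SP")
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    # "SubjectConfirmationData Not Before" off: NotOnOrAfter required, NotBefore forbidden.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("SubjectConfirmationData missing")
    else:
        if scd.get("NotBefore") is not None:
            problems.append("SubjectConfirmationData carries NotBefore, which the Web SSO profile forbids")
        if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter missing or passed")
        if scd.get("Recipient") != ACS_URL:
            problems.append("Recipient does not match the configured ACS URL")
        if scd.get("InResponseTo") != expected_in_response_to:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "_req1", SAMPLE_NOW) or "response passes all checks")
```

Running it against the constructed sample reports no problems; adding a NotBefore attribute to SubjectConfirmationData, changing the expected request ID, or evaluating the same Response an hour later each produce a finding, which is the behaviour a conforming SP shows when the corresponding IdP option is set the wrong way.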