
Using ADFS with join.me

Step-by-step instructions on how to integrate join.me with Microsoft Active Directory Federation Services.

Prerequisite: Set up ADFS

A live ADFS environment with an externally addressable Microsoft Active Directory Federation Services (ADFS) server must be configured before implementing federated authentication for join.me using ADFS.

ADFS is a software module downloaded and installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries.

For more information, see:

  1. Set up ADFS on your internal server network.
  2. Once installed, go to Start > Administrative tools > AD FS 2.0 Management.

What to do next:
Important: Make sure your ADFS server is configured before you continue with the remaining tasks.

Task One: Provide information to join.me

Before you begin:

Provide the relevant information to GoTo and we will make the adjustments to your account. Contact your join.me Account Manager to begin the ADFS process.

  1. Verify domain ownership.
    You must prove ownership of your domain before ADFS can be activated for your account. There are two methods of verification: HTML upload and DNS record.
    Option A: Verify domain ownership by HTML upload
    1. Create an HTML file named logmein-domain-confirmation.html on the website for your planned ADFS domain.
    2. In the logmein-domain-confirmation.html file, include a random string. For example: logmein-domain-confirmation jska7893279jkdhkkjdhask.
    3. After you have created the logmein-domain-confirmation.html file containing the random string, send the string via email to your GoTo Account Manager. They will confirm the logmein-domain-confirmation.html file is visible and contains the correct information.
    Option B: Verify domain ownership by DNS record
    1. Create a text file for your domain's DNS entry with the name logmein-domain-confirmation.txt.
    2. In the logmein-domain-confirmation.txt file, include a random string. For example: logmein-domain-confirmation jska7893279jkdhkkjdhask.
    3. After you have created the logmein-domain-confirmation.txt file containing the random string, send the string via email to your GoTo Account Manager. They will confirm the logmein-domain-confirmation.txt file is visible and contains the correct information.

    Tip: If you do not have a join.me Account Manager, select Contact Support.

  2. Provide the endpoint URL of your ADFS proxy server to your join.me Account Manager. To find your endpoint URL:
    1. Launch AD FS 2.0 Management by going to Start > Administrative tools > AD FS 2.0 Management.
    2. Go to Service > Edit Federation Service Properties.
    3. Copy the Federation Service name and append it with /adfs/ls.
  3. Tell your join.me Account Manager what email domains you will use with your ADFS login.
    Important: Do not change your domain address. Contact your join.me Account Manager if you need to change your domain address.
  4. Send your token-signing certificate to your join.me Account Manager.
    For information on token-signing certificates see Microsoft's TechNet site.
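The following PowerShell script is an added example and is not part of the GoTo article; it runs the pre-flight checks for the four items Task One asks you to send, from the ADFS server itself. It assumes PowerShell 3.0 or later (for Invoke-WebRequest and Resolve-DnsName), that the "DNS record" option is published as a TXT record on your domain, and that the ADFS 2.0 snap-in cmdlets are available (on Windows Server 2012 R2 and later the same cmdlets come from the ADFS module). $Domain, $ConfirmationString and $ExportPath are placeholders you replace.

```powershell
# Added example, not part of the GoTo article: pre-flight checks for the information
# Task One asks you to send to your join.me Account Manager.
# Assumptions (placeholders, replace them): run as an administrator on the ADFS server,
# PowerShell 3.0 or later, and the "DNS record" option published as a TXT record on the domain.

$Domain             = 'example.com'                       # placeholder: domain you will verify
$ConfirmationString = 'REPLACE-WITH-YOUR-RANDOM-STRING'   # the string you placed in the file / record
$ExportPath         = Join-Path $env:TEMP 'adfs-token-signing.cer'

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0; no-op on newer versions

# 1. Domain ownership: is the confirmation string visible where the Account Manager will look?
$htmlOk = $false
try {
    $resp   = Invoke-WebRequest -Uri "https://$Domain/logmein-domain-confirmation.html" -UseBasicParsing
    $htmlOk = [bool]($resp.Content -match [regex]::Escape($ConfirmationString))
} catch { Write-Warning "HTML confirmation file not reachable: $_" }

$dnsOk = $false
try {
    $txt   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop
    $dnsOk = [bool]($txt | Where-Object { ($_.Strings -join '') -match [regex]::Escape($ConfirmationString) })
} catch { Write-Warning "No TXT record found for $Domain : $_" }

# 2. Endpoint URL: the Federation Service name with /adfs/ls appended (step 2 of Task One)
$fsName   = (Get-ADFSProperties).HostName
$endpoint = "https://$fsName/adfs/ls"

# 3. Token-signing certificate: export the PUBLIC certificate only (.cer, no private key).
#    The Account Manager needs it to validate your SAML signatures; the private key never leaves the server.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$bytes   = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $bytes)

# Summary of what to send (the email domains in step 3 are yours to list)
[pscustomobject]@{
    DomainVerifiedByHtml = $htmlOk
    DomainVerifiedByDns  = $dnsOk
    EndpointUrl          = $endpoint
    TokenSigningCert     = $ExportPath
    Thumbprint           = $signing.Thumbprint
    NotAfter             = $signing.Certificate.NotAfter
}
```

Only one of the two ownership checks needs to pass, matching whichever option you chose above. The NotAfter date is worth recording: when the token-signing certificate rolls over, join.me must receive the new public certificate or federated logins stop validating.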

Task Two: Establish a Trust Relationship

Add join.me as a Relying Party Trust in AD FS 2.0 Management.

  1. In AD FS 2.0 Management, open the Add Relying Party Trust wizard by going to Action > Add Relying Party Trust.
  2. Set the data as follows:
    Tab: Input or Action
    Select Data Source: select Enter data about the relying party manually.
    Specify Display Name: enter the display name join.me authentication.
    Choose Profile: select AD FS 2.0 profile.
    Configure URL: enter the SAML Assertion Consumer Endpoint URL https://accounts.logme.in/federated/saml2.aspx
    Configure Identifiers: add the following URL to the list of Relying party identifiers: https://accounts.logme.in
    Choose Issuance Authorization Rules: select Permit all users to access this relying party.
    Ready to Add Trust: select Open the Edit Claim Rules.
  3. Click Finish.

Task Three: Allow Data to be sent to join.me

Add a Transform Claim Rule for join.me.

  1. In AD FS 2.0 Management, open the Add Transform Claim Rule Wizard by going to Action > Edit Claim Rules > Issuance Transform Rules > Add Rule.
  2. Set the data as follows:
    Tab: Input or Action
    Choose Rule Type: under Claim rule template, select Send LDAP Attributes as Claims.
    Configure Claim Rule:
    1. Set Claim rule name to Email and name.
    2. Set Attribute store to Active Directory.
    3. Set the following LDAP attributes (LDAP Attribute -> Outgoing Claim Type):
      E-Mail-Addresses -> E-Mail Address
      Given-Name -> Given Name
      Surname -> Surname
  3. Click Finish.
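Task Two and Task Three together create one relying party trust and one transform rule, and the same configuration can be scripted. The PowerShell below is an added example, not the article's or GoTo's own code; it uses the ADFS 2.0 snap-in cmdlets (Add-ADFSRelyingPartyTrust, New-ADFSSamlEndpoint, Get-ADFSRelyingPartyTrust) and the claim rule language text that the Permit all users and Send LDAP Attributes as Claims templates generate. The URLs and names are the ones the article gives; nothing else is assumed beyond running as an administrator on the ADFS server.

```powershell
# Added example, not part of the GoTo article: script the relying party trust (Task Two)
# and the issuance transform rule (Task Three) instead of clicking through the wizards.
# Assumption: run as an administrator on the ADFS server with the ADFS 2.0 snap-in
# (the same cmdlet names exist in the ADFS module on Windows Server 2012 R2 and later).

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$name       = 'join.me authentication'                           # Specify Display Name
$identifier = 'https://accounts.logme.in'                        # Configure Identifiers
$acsUrl     = 'https://accounts.logme.in/federated/saml2.aspx'   # Configure URL (SAML ACS)

# SAML Assertion Consumer endpoint, HTTP-POST binding, as the Configure URL tab records it
$samlEndpoint = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Issuance authorization: "Permit all users to access this relying party" (AllowAllAuthzRule template)
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform: "Send LDAP Attributes as Claims", rule name "Email and name",
# mail -> E-Mail Address, givenName -> Given Name, sn -> Surname, queried from Active Directory
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email and name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

Add-ADFSRelyingPartyTrust -Name $name `
    -Identifier $identifier `
    -SamlEndpoint $samlEndpoint `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read the trust back and confirm the identifier, endpoint and rules landed as intended
Get-ADFSRelyingPartyTrust -Name $name |
    Select-Object Name, Identifier, @{n='AcsUrl'; e={ $_.SamlEndpoints[0].Location }}, IssuanceTransformRules
```

Two things are worth checking in the read-back. The identifier must be exactly https://accounts.logme.in, because ADFS matches the Audience in the SAML request against it; a trailing slash or http scheme produces a trust that silently never matches. And the transform rule only releases the three attributes listed, which is the minimum the service needs; resist adding further LDAP attributes to this rule, since every claim issued here is sent to join.me for every user.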

Task Four (Optional): Browser Setup

Find out what to do if the browsers do not redirect automatically.

When users who have already authenticated to the domain try to log in to a GoTo service via Internet Explorer or Chrome, the browser should automatically recognize the URL as an intranet address and use NTLM to authenticate to the Federation Service server.

If the address is not recognized as intranet, you can add the FQDN of your ADFS to the Local intranet zone. This can be deployed to multiple computers via Group Policy. This ensures that users who have already logged in to the domain are able to log in to GoTo services with their domain email address alone. They will not need to enter a password since they have already been authenticated.

Set the local intranet website.
  • In Internet Explorer, set the Local Intranet website under Settings > Internet Options > Security > Local Intranet.
  • In Firefox:
    1. Type about:config in the URL bar and press Enter.
    2. Modify the network.automatic-ntlm-auth.trusted-uris to include the local intranet website.
    3. Click OK.
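For the Internet Explorer and Chrome case, the Local intranet zone mapping lives in the registry, which is what Group Policy writes on each machine. The script below is an added example, not the article's own; it maps a single ADFS FQDN (placeholder $AdfsFqdn, replace it with your Federation Service name) into the Local intranet zone for the current user and reads the mapping back.

```powershell
# Added example, not part of the GoTo article: put the ADFS FQDN in the Local intranet zone
# for the current user, then read the mapping back.
# Assumption (placeholder): replace $AdfsFqdn with your Federation Service name.
# Zone numbers: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.

$AdfsFqdn = 'adfs.example.com'

# The ZoneMap stores the host label under its parent domain as nested keys:
#   ...\ZoneMap\Domains\example.com\adfs   with DWORD 'https' = 1
$labels    = $AdfsFqdn.Split('.')
$hostLabel = $labels[0]
$parent    = $labels[1..($labels.Length - 1)] -join '.'
$key       = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$parent\$hostLabel"

New-Item -Path $key -Force | Out-Null

# Only the https scheme, and only this host: a whole-domain or wildcard entry would hand the
# user's Windows credentials (NTLM) to every host in the domain, not just the ADFS server.
New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Read it back: 1 means https://<ADFS FQDN> now resolves to the Local intranet zone
(Get-ItemProperty -Path $key).https
```

To deploy the same mapping to many computers, use the Group Policy setting Site to Zone Assignment List (Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page) with the value name https://adfs.example.com and value data 1; that policy writes an equivalent entry under a ZoneMapKey subkey that the per-user edit above does not touch. The same scoping advice applies to the Firefox network.automatic-ntlm-auth.trusted-uris preference: list the ADFS FQDN only, not the whole domain.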