Set Up a Custom Enterprise Sign-In Configuration

One of the options for implementing Enterprise Sign-In (single sign-on) is to set up a custom configuration using the Identity Provider tab within the Organization Center. This is most commonly used by companies that use a third-party provider that doesn't offer a pre-configured single sign-on package, or that need a custom SAML Identity Provider.

LogMeIn offers Enterprise Sign-In, a SAML-based single sign-on (SSO) option that allows users to log in to their LogMeIn product(s) using their company-issued username and password. These are the same credentials they use when accessing other systems and tools within the organization (e.g., corporate email, work-issued computers, etc.). This provides a simplified login experience for users while allowing them to securely authenticate with credentials they know.

The Identity Provider tab within the Organization Center supports various configurations. IT Administrators can configure automatically using a metadata URL or by uploading a SAML metadata file, or configure manually with sign-in and sign-out URLs, an identity provider ID and an uploaded verification certificate.

General Identity Provider Setup Overview

A trust relationship between two relying parties has been established when each party has acquired the necessary metadata about the partner for execution of a SAML Single Sign-On. At each relying party, the configuration information can be input dynamically or manually, depending on the interface offered by the IdP.

When introducing the LogMeIn SAML Service's metadata at the IdP, you may be given an option to add a new Service Provider via metadata. In this case, you can simply populate the metadata URL field with:

If your IdP requires manual input of information, you'll need to enter the parts of the metadata by hand. Depending on your IdP, it may ask for different pieces of information or call these fields different things. To start, here are some of the configuration values that should be entered if your IdP asks for them. Then, depending on your IdP's support for a feature called RelayState, there will be additional values to input.

  • EntityID - The LogMeIn SAML Service's entityID is the metadata URL. The IdP may sometimes refer to it as the IssuerID or the AppID. (
  • Audience - This is the EntityID of the GoTo SAML Service. An IdP may refer to it as the Audience Restriction. This should be set to:
  • Single Logout URL - The destination of a logout request or logout response from the IdP:
  • NameID format - The type of the subject identifier to be returned in the Assertion. The LogMeIn SAML Service expects: EmailAddress

When accessing products through an IdP-initiated sign-in, some IdPs support a feature known as "RelayState", which allows you to drop users directly into the specific LogMeIn product on which you want them to land. To configure this, the following fields, if requested by your IdP configuration, should be set accordingly. Some IdPs refer to these fields by different names. Where possible, we have included alternative names that some IdPs use for these fields.

  • Assertion Consumer Service URL - The URL where authentication responses (containing assertions) are returned to. The IdP may also refer to this as the ACS URL, the Post Back URL, the Reply URL, or the Single Sign On URL.
  • Recipient
  • Destination

If your IdP supports the RelayState feature, all of the above fields (where requested by your IdP - not all IdPs will ask for all fields) should be populated with:

You can then set a per-product RelayState to allow routing to different products from your IdP application catalog. Below are the RelayState values to set for LogMeIn products:

If your IdP does not support the RelayState feature, there will be no RelayState value to set. Instead, set the ACS values above (ACS URL, Recipient, Destination) to the following values per product:

During manual configuration of the LogMeIn SAML Service at the IdP, you may be presented with some additional options. Here is a list of options you may be presented with and what you should set them to.

  • Sign assertion or response
    • Activate this option; the LogMeIn SAML service requires the IdP's signature on the response.
  • Encrypt assertion or response
    • Deactivate this option; the SAML service does not currently process encrypted assertions.
  • Include SAML Conditions
    • Activate this option; it's required by the SAML Web SSO profile. This is a SecureAuth option.
  • SubjectConfirmationData Not Before
    • Deactivate this option, as required by the SAML Web SSO profile. This is a SecureAuth option.
  • SAML Response InResponseTo
    • Activate this option. This is a SecureAuth option.
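
One way to confirm that a test response captured from your IdP matches the settings above (signed response, no encryption, Conditions present, no NotBefore on SubjectConfirmationData, InResponseTo set, EmailAddress NameID, matching Audience, Recipient and Destination). This is an added example, not LogMeIn's code; the URLs are placeholders, the sample response is constructed, and the check is structural only (it does not verify the signature).

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholders (assumptions): the real ACS URL and entityID come from your setup.
ACS = "https://sp.example.invalid/acs"
AUD = "https://sp.example.invalid/metadata"

# Constructed sample response, trimmed to the elements the checks read.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"
 InResponseTo="_req1" Destination="{ACS}">
 <ds:Signature/>
 <a:Assertion>
  <a:Subject>
   <a:NameID Format="{EMAIL}">user@example.invalid</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS}"/></a:SubjectConfirmation>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction>
   <a:Audience>{AUD}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
 </a:Assertion>
</p:Response>"""

def check_response(xml_text, audience, acs_url):
    """Return findings; an empty list means the structure matches the settings."""
    root, out = ET.fromstring(xml_text), []
    def need(ok, msg):
        if not ok:
            out.append(msg)
    # Presence only: this does not verify the signature cryptographically.
    need(root.find("ds:Signature", NS) is not None, "response is not signed")
    need(root.find("a:EncryptedAssertion", NS) is None, "assertion is encrypted")
    need(root.get("InResponseTo"), "Response has no InResponseTo")
    need(root.get("Destination") == acs_url, "Destination does not match ACS URL")
    asr = root.find("a:Assertion", NS)
    if asr is None:
        return out + ["no plaintext Assertion"]
    nid = asr.find("a:Subject/a:NameID", NS)
    need(nid is not None and nid.get("Format") == EMAIL, "NameID format is not emailAddress")
    scd = asr.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    need(scd is not None and scd.get("Recipient") == acs_url, "Recipient does not match ACS URL")
    need(scd is not None and scd.get("NotBefore") is None, "SubjectConfirmationData carries NotBefore")
    need(asr.find("a:Conditions", NS) is not None, "Conditions element is missing")
    auds = [e.text for e in asr.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    need(audience in auds, "Audience does not match the SP entityID")
    return out
```

Run it against a response from a test login and correct the IdP option named in each finding; an empty list means the response has the expected shape.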