
Page 1: RescueAssist · using the Active Directory Connector (Step #4) and/or Enterprise Sign-In (SSO). Set Up Domains in the Organization Center The first step you take in creating an organization

LogMeIn, Inc.

320 Summer St., Boston MA 02210

© 2018 LogMeIn, Inc. All rights reserved.

https://support.logmeininc.com

RescueAssist

Active Directory Connector & Enterprise Sign-In

Setup Guide


Contents

Using the Organization Center
Set Up Domains in the Organization Center
Adding a TXT Record to a DNS Server
Manage Organization Users
Set Up Enterprise Sign-In
  Before you get started...
  Step #1: Set up an organization
  Step #2: Configure your Identity Provider
  Step #3: Add your Identity Provider to the Organization Center
  Step #4: Test your Enterprise Sign-In environment
  Step #5: Inform your users they can sign in using "My Company ID"
Set Up an Identity Provider
Add Your Identity Provider to the Organization Center
Sign In with Your Company ID
Set Up a Custom Enterprise Sign-In Configuration
Set Up Enterprise Sign-In Using ADFS 2.0
Set Up Enterprise Sign-In Using ADFS 3.0
  Step #1: Configure ADFS to trust LogMeIn SAML
  Step #2: Configure LogMeIn to trust ADFS
Automated Provisioning Options
Set Up Automated User and Product Provisioning
Active Directory Connector v2
Active Directory Connector v2 Requirements
Install Active Directory Connector v2
Configure the Active Directory Connector v2
Why am I getting an "Insufficient Permissions" error message?
Run the Active Directory Connector v2
Manage Custom Attributes
Manage User Sync Rules
Update the Active Directory Connector


Using the Organization Center

The Organization Center provides you with the ability to set up automated provisioning using the Active Directory Connector and/or Enterprise Sign-In (single sign-on) for your users. An organization is created when you verify ownership of one or more valid and unexpired domains by registering them with LogMeIn. Once your domain ownership has been verified, your organization is automatically created. This allows you to manage sign-in options for user identities that match your verified email domains.

To set up automated provisioning or single sign-on (SSO), you must set up an organization using the steps below.

Before you get started...

You are required to have a LogMeIn product account in order to proceed.

Step #1: Set up your first domain

To get started, set up your initial domain, which will match the email domain of your users when

they sign in to their RescueAssist account.

Step #2: Add more organization users (optional)

If desired, you can add more organization admins who will be able to manage the Organization Center. Additional admins can assist in adding domains and users, and in configuring your Identity Provider if you plan on setting up Enterprise Sign-In.

Step #3: Set up automated provisioning and/or Enterprise Sign-In (SSO)

Now that you have created your organization, you can proceed to set up automated provisioning using the Active Directory Connector (Step #4) and/or Enterprise Sign-In (SSO).

Set Up Domains in the Organization Center

The first step you take in creating an organization is to create the initial domain. Domains within your organization are wholly-owned email domains that your admins can verify either through your web server or through your DNS server. For example, in an email address ending in @main.com, "main.com" is the email domain. Verifying the initial domain automatically creates your organization. The user who completes domain verification automatically becomes an organization admin, but this user is not required to have a LogMeIn product admin role.


Set up your first domain

Once you start the verification process for a domain, you have ten (10) days to complete the verification. If this period lapses, the domain is set to Expired, but you have the option to simply restart the process using new verification codes. Once you have verified a domain, you cannot delete it from your organization, though it can be deleted prior to being verified or after it has expired.

1. Log in to the Organization Center at https://organization.logmeininc.com.

2. Log in using an existing LogMeIn account set up under the same domain you wish to add to your organization.

3. The first screen will ask that you verify that you own the domain that you logged in with. You are provided 2 methods for setting up domain validation, each of which uses a unique verification code to complete the verification. Copy the verification value to your clipboard.

Note: The verification screen will display until the domain is verified. If it takes you longer than 10 days to verify the domain, the system will automatically generate new verification codes for your domain the next time you visit the Organization Center.

4. Paste the verification code into the DNS record or a text file for upload to one of the locations, depending on which of the verification methods you choose:

• Method 1: Add a DNS record to your domain zone file

To use the DNS method, you place a TXT record at the level of the email domain within your DNS zone. Typically, users are verifying a "root" or "second level" domain such as "main.com". In this case, the record would resemble:

@ IN TXT "logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e"

OR

main.com. IN TXT "logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e"

If you are verifying a third-level domain (or subdomain) such as "mail.main.com", the record must be placed at that subdomain, not at the apex of the parent zone:

mail.main.com. IN TXT "logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e"

Use straight ASCII double quotes in the zone file; typographic ("curly") quotes pasted from a document are not parsed as a quoted string and the record will not match. For more detailed documentation, see Add a TXT DNS record.

• Method 2: Upload a web server file to the specified website

Upload a plain-text file to your web server root containing the verification string. There must not be any whitespace, line breaks, byte-order mark, or other characters in the text file besides those given.

• Location: http://<yourdomain>/logmein-verification-code.txt

• Contents: logmein-verification-code=668e156b-f5d3-430e-9944-f1d4385d043e

5. Once you have added the DNS record or text file, return to the domain status screen and click Verify. You will see the domain verified the next time you log in.

Once your base domain is verified, you can continue configuring your set up as follows:

• Add more domains (if desired)

• Set up an Identity Provider to enable single sign-on

• Add or delete organization users and admins

Add additional domains

Most companies will only need the first domain they add. You only need to add additional domains if users within your company sign in using other email domains but the same Identity Provider.


1. Log in to the Organization Center at https://organization.logmeininc.com.

2. Go to the Email Domains tab, then click Add a domain.

3. Enter the email domain and click Next.

4. Repeat the steps detailed in Set up your first domain above.

Note: During the period of verification, the Email Domains tab displays the status of each domain.

Delete a domain

The option to delete a domain is only available while the domain is not yet verified or has expired. Once a domain is verified it cannot be deleted from your organization.

1. Log in to the Organization Center at https://organization.logmeininc.com.

2. Go to the Email Domains tab.

3. Select a domain using the checkbox by the domain name.

4. Click Delete domain.

5. In the confirmation dialog, click Yes, Delete.

Adding a TXT Record to a DNS Server

In order to define a domain organization with LogMeIn, you need to validate your company's ownership of specific email domains. One option is to add a text record to your domain's DNS settings. LogMeIn can then query the server and receive confirmation back of your ownership. Alternately, you can upload a plain-text file to your web server root containing a verification string. For more information, please see Set Up Domains in the Organization Center.

A TXT record contains information specifically intended for sources outside your domain. The text can be either human- or machine-readable and can be used for a variety of purposes including verifying domain ownership, authorizing senders with SPF, adding digital email signatures, and preventing outgoing spam.

Note: If you have multiple domains to verify, you will need to add a text record for each domain.

Identify your domain host

If you do not know who is hosting your domain, there is a simple method for finding out. The following example uses the online utility site Whois.

1. Open https://whois.com.

2. Click Whois and enter the domain name. Click Search.


3. In the results, locate the name server for the domain (e.g., CDCSERVICES.com). The organization operating that name server is your DNS host, which is where the TXT record has to be added; it is not necessarily the same company as your registrar.

Add a TXT record

The method to add a text record to your domain will vary with hosts. The generic steps to add a text record to your domain are:

1. Sign in to your domain's account at your domain host.

2. Locate the page for updating your domain's DNS records. The page might be called something like DNS Management, Name Server Management, or Advanced Settings.

3. Locate the TXT records for your domain on this page.

4. Add a TXT record for the domain and for each subdomain. See Use cases.

5. Save your changes and wait until they take effect. This is generally very fast - less than a minute - but may take as much as 72 hours.

6. Verify that the change has taken place. Open a command window on your system:

For Unix and Linux systems:

$ dig TXT main.com

For Windows systems:

c:\> nslookup -type=TXT main.com

7. The response will display on its own line (not appended to another), and will look something like:

main.com. 3600 IN TXT "logmein-verification-code=976afe6f-8039-40e4-95a5-261b462c9a36"

If the record does not appear, your local resolver may still be serving an answer it cached before the change (for up to the record's TTL). Query the domain's authoritative name server directly, for example dig TXT main.com @<name server from the Whois lookup>, to confirm the record is published before you click Verify.


Use cases

Domain verification for domain main.com (2 different methods shown):

Name        TTL*   Type     Value / Answer / Destination
@           3600   IN TXT   "logmein-verification-code=976afe6f-8039-40e4-95a5-261b462c9a36"
main.com    3600   IN TXT   "logmein-verification-code=976afe6f-8039-40e4-95a5-261b462c9a36"

Subdomain verification for mail.main.com:

Name           TTL*   Type     Value / Answer / Destination
mail.main.com  3600   IN TXT   "logmein-verification-code=976afe6f-8039-40e4-95a5-261b462c9a36"

* TTL - Time To Live - is the number of seconds a resolver may cache the record. After you change the record, a resolver that already holds the old answer can keep serving it for up to this long.
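The checks behind step 4 of the domain procedure and step 7 above, as an added example that is not part of the LogMeIn guide: a small Python script that parses the answer section printed by dig TXT <domain> and tests whether a record with exactly the expected value sits at exactly the name being verified, and that checks a fetched logmein-verification-code.txt body for the same exact match. The dig output embedded in the script is constructed for the example (it reuses the sample code quoted in the guide); the script does not query DNS or HTTP itself, so feed it real dig output or the body your HTTP client returned.

```python
"""Offline checks for the two LogMeIn domain-verification methods. Added example, not LogMeIn code:
it parses the ANSWER SECTION printed by `dig TXT <domain>` and checks a fetched
logmein-verification-code.txt body; it does not query DNS or HTTP itself."""
import re

# Verification codes in the guide are UUIDs; refuse to build a string from anything else.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
DIG_ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$")  # owner  TTL  IN  TXT  rdata
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                   # one quoted <character-string>


def verification_string(code):
    """The exact value that must appear in the TXT record or in the web file."""
    if not UUID_RE.match(code):
        raise ValueError(f"not a verification code: {code!r}")
    return f"logmein-verification-code={code}"


def txt_rdata_to_string(rdata):
    """TXT RDATA is one or more quoted character-strings; resolvers print long values
    as several quoted pieces, and the pieces concatenate with no separator."""
    parts = QUOTED_RE.findall(rdata)
    if not parts:
        return rdata.strip()
    return "".join(p.replace('\\"', '"') for p in parts)


def parse_dig_answers(dig_output):
    """Return (owner, txt) pairs from dig's answer lines; comment lines and other record types are skipped."""
    answers = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIG_ANSWER_RE.match(line)
        if m:
            answers.append((m.group(1).rstrip(".").lower(), txt_rdata_to_string(m.group(2))))
    return answers


def dns_record_ok(dig_output, domain, code):
    """True only if a record with the exact value sits at exactly `domain` (not a parent or child name)."""
    expected = verification_string(code)
    owner = domain.rstrip(".").lower()
    return any(name == owner and txt == expected for name, txt in parse_dig_answers(dig_output))


def web_file_ok(body, code):
    """The file must hold only the verification string: no BOM, no trailing newline, no spaces."""
    if isinstance(body, bytes):
        try:
            body = body.decode("ascii")
        except UnicodeDecodeError:  # a UTF-8 BOM or any other non-ASCII byte fails here
            return False
    return body == verification_string(code)


# Constructed sample in dig's output format, using the code quoted in the guide.
SAMPLE_CODE = "976afe6f-8039-40e4-95a5-261b462c9a36"
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> TXT main.com
;; ANSWER SECTION:
main.com.        3600    IN      TXT     "v=spf1 include:_spf.example.net -all"
main.com.        3600    IN      TXT     "logmein-verification-code=976afe6f-8039-40e4-95a5-261b462c9a36"
mail.main.com.   3600    IN      TXT     "logmein-verification-" "code=976afe6f-8039-40e4-95a5-261b462c9a36"
"""

if __name__ == "__main__":
    print("main.com record:", dns_record_ok(SAMPLE_DIG_OUTPUT, "main.com", SAMPLE_CODE))
    print("mail.main.com record:", dns_record_ok(SAMPLE_DIG_OUTPUT, "mail.main.com", SAMPLE_CODE))
    print("www.main.com record:", dns_record_ok(SAMPLE_DIG_OUTPUT, "www.main.com", SAMPLE_CODE))
    print("file with trailing newline:",
          web_file_ok(b"logmein-verification-code=" + SAMPLE_CODE.encode() + b"\n", SAMPLE_CODE))
```

The two failure modes the script makes visible are the ones that cost the most time in practice: a record published at the parent name when a subdomain is being verified (the owner comparison is exact, as LogMeIn's lookup is), and a text file saved with a trailing newline or a byte-order mark by an editor, which is why the guide insists on no characters besides those given. The split-string case on the mail.main.com line is how some DNS hosts present long TXT values; the pieces must be joined before comparison.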


Manage Organization Users

Organization users are individuals who have an email address within a verified domain and have been added with specific access permissions (roles) to the Organization Center. Organization users who have been granted an admin role are referred to as organization admins.

The Users tab in the Organization Center provides access to your organization users. Each user has one of the following roles:

• Admin (Read & Write) – Individuals who can log in to the Organization Center and manage all settings. They may or may not be LogMeIn account holders themselves.

• Admin (Read Only) – Individuals who can log in to the Organization Center and view settings, but not modify them. They may or may not be LogMeIn account holders themselves.

• User – Individuals with LogMeIn accounts who use Enterprise Sign-In, but do not need Organization Center access.

You can add, delete, and update organization users. If the user already has an account ID (an account for GoToMeeting, for instance), you must still add them to the organization. They can then authenticate through the organization's IdP, and because their ID is now a company ID, they can no longer change their own email address. If they do not have a product account login, they are provisioned with one, but it is not associated with a specific product unless you have set up your system to do this through a user provisioning service like the Active Directory Connector, manually in the Admin Center, or programmatically using automated provisioning.


Add users

Users are defined by name, email, locale, and role.

1. Log in to the Organization Center at https://organization.logmeininc.com.

2. Select the Users tab and click Add.

3. Enter the new user data:

• The user email domain must be one of your verified organization domains.

• Available locales display in a drop-down.

• Role relates to the Organization Center. No role is appropriate for most users: they have no access to the Organization Center. A read-only role allows a user into the Center with full access to view the data, but with no ability to create or edit data. Read-write access enables full admin access to the Center.

4. Click Save when finished.

Note: Organization Admins can edit their own first name, last name, and email, but not their role, and they cannot delete themselves.

Delete users

Delete removes the user from the organization. Delete also removes the user's account ID, and therefore any product access as well as all product data such as their meeting history, future scheduled meetings, etc. You could alternately remove product access from the user in the Admin Center to revoke access while retaining the data.

1. Log in to the Organization Center at https://organization.logmeininc.com.

2. Select the Users tab.

3. Select the check box next to the desired user and click Delete.

4. When prompted, click Delete to confirm.

Filter by name or email

The filter option above the Role column allows you to search for any text string in the emails or names of users.


Set Up Enterprise Sign-In

LogMeIn offers Enterprise Sign-In, which is a SAML-based single sign-on (SSO) option that allows your users to log in to their LogMeIn product(s) using their company-issued username and password, which are the same credentials they use when accessing other systems and tools within your organization (e.g., their corporate email, work-issued computers, etc.). This provides a simplified login experience for your users while allowing them to securely authenticate with credentials they know.

Before you get started...

You are required to have a LogMeIn product account in order to proceed, but this user is not required to have a LogMeIn product admin role.

Step #1: Set up an organization

Create your organization by verifying at least 1 domain used by your company.

Step #2: Configure your Identity Provider

Configure an Identity Provider (IdP) from 1 of our single sign-on options, if you have not already set one up. If you have already set one up, you can proceed to Step #3.

Step #3: Add your Identity Provider to the Organization Center

Add your configured Identity Provider to the Organization Center to indicate where you want your users to go to sign in to their assigned LogMeIn products.

Step #4: Test your Enterprise Sign-In environment

Sign in to your RescueAssist account to test your newly established Enterprise Sign-In setup.

Step #5: Inform your users they can sign in using "My Company ID"

You're all set! Once Enterprise Sign-In is set up, your users will receive a Welcome email that contains their Company ID (username) that they can now use to sign in to their RescueAssist account.

Set Up an Identity Provider

An Identity Provider (IdP) is a trusted online service or website that creates and maintains user identity information within a distributed network while also acting as a means of authentication for these users to access services. This allows users in your validated email domains to be authenticated for sign-on through your Identity Provider. Once you have set up an organization, the next step is to finalize the trust relationship between your company and LogMeIn to enable Enterprise Sign-In (SSO) for your users.

If you have not already established an Identity Provider, you can set up one of the following:

• Implement Microsoft Active Directory Federation Services (AD FS)

Active Directory Federation Services is a feature of the Windows Server operating system that extends users' Windows sign-on to applications outside the corporate network. You can configure AD FS to work as an Identity Provider for LogMeIn's products. Learn how to configure AD FS 2.0 or AD FS 3.0.


• Use a third-party Identity and Access Management Provider that provides single sign-on

Many third-party Identity and Access Management partners offer single sign-on as part of their feature set, including:

• Azure AD

• Okta

• OneLogin

• Active Directory Federation Services (ADFS) v2.0 | v3.0

• RSA

• SecureAuth v 6.0-7.5 | version 8.0 | version 8.1

• Set up a custom configuration using the Organization Center

You can use the Identity Provider tab in the Organization Center to set up a custom SAML configuration. Learn how to set up a custom Enterprise Sign-In configuration.

NEXT STEP: You will need to add your Identity Provider to the Organization Center to indicate where you want your users to go to sign in to their assigned LogMeIn products.

Add Your Identity Provider to the Organization Center

The Identity Provider tab within the Organization Center lets you configure your Identity Provider (IdP) relationship to establish Enterprise Sign-In (SSO) for your organization's users. Whichever single sign-on configuration method you choose, you must finalize the relationship with LogMeIn using the Identity Provider tab to complete the setup.

You can set up this configuration either automatically or manually, but not both. If you save one after the other, the last save is accepted.

Add your Identity Provider automatically

The easiest and most robust way to configure SSO is to use a link to your Identity Provider's metadata file if they provide one. The metadata carries the IdP's entity ID, endpoints, bindings, and signing certificate, so LogMeIn (the service provider) validates responses against the values the IdP itself published rather than values typed by hand. Because the metadata file is generated, this method is also less prone to typographical errors. Use an https:// metadata URL, so that the trust relationship is not bootstrapped over an unauthenticated connection.

1. Log in to the Organization Center at https://organization.logmeininc.com.

2. In the Identity Provider tab, choose Automatic.

3. Enter the Metadata URL for your Identity Provider.

4. Click Save. The metadata file is fetched and configures the relationship correctly.

NEXT STEP: Once your IdP has been added, you are all set! You can now sign in with your Company ID using single sign-on.


Add your Identity Provider manually

Not all IdPs support a metadata implementation. To set up a manually configured IdP relationship, you enter the key data that LogMeIn uses to send authentication requests to your IdP and to validate the SAML responses it sends back.

1. Log in to the Organization Center at https://organization.logmeininc.com.

2. In the Identity Provider tab, select Manual from the drop-down menu.

3. Enter the data provided by your Identity Provider:

• Sign-in page URL – The IdP's endpoint for authentication requests, which is the full Identity Provider URL path. It must begin with https://.

• Sign-in binding – Select Redirect or POST.

• Sign-out page URL (Optional) – The URL where the user is redirected upon log-out.

• Sign-out binding (Optional) – Select Redirect or POST.

• Identity Provider Entity ID – The globally unique name (a URI) that identifies your IdP as a SAML entity. It must match exactly the Issuer value your IdP places in its responses.

• Verification certificate – The IdP's public signing certificate, used to verify the signature on incoming responses from the IdP. You can add it in either of the following ways:

• Copy and paste the PEM text of the certificate. The field must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

• Click Upload certificate to import the certificate from a saved location.

Signing certificates expire and get rotated. When your IdP rolls its token-signing certificate, update this field before the old certificate is retired, or every sign-in will fail signature verification.

4. When finished, click Save. The configuration is stored in the LogMeIn account service.

NEXT STEP: Once your IdP has been added, you are all set! You can now sign in with your Company ID using single sign-on.


Sign In with Your Company ID

Once you have completed all of the steps for setting up Enterprise Sign-In, you can log in and get redirected to your Identity Provider page, as follows:

1. On the RescueAssist sign in screen or on the My Account page at https://myaccount.logmeininc.com, click My Company ID.

2. Enter your validated company email address, then click Continue.

3. You are now redirected to your Identity Provider's sign in page. Enter your company username and password and sign in.


Set Up a Custom Enterprise Sign-In Configuration

One of the options for implementing Enterprise Sign-In (SSO) is to set up a custom configuration using the Identity Provider tab within the Organization Center. This is most commonly used by companies that use a third-party provider that doesn't offer a pre-configured single sign-on package, or that need a custom SAML Identity Provider.


The Identity Provider tab within the Organization Center supports various configurations. IT administrators can configure automatically using a metadata URL or by uploading a SAML metadata file, or configure manually with sign-in and sign-out URLs, an identity provider ID, and an uploaded verification certificate.


General Identity Provider Setup Overview

A trust relationship between two SAML parties has been established when each party has acquired the necessary metadata about the partner for execution of a SAML Single Sign-On. At each party, the configuration information can be input dynamically or manually, depending on the interface offered by the IdP.

When introducing the LogMeIn SAML Service's metadata at the IdP, you may be given an option to add a new Service Provider via metadata. In this case, you can simply populate the metadata URL field with:

https://authentication.logmeininc.com/saml/sp

In the event your IdP requires manual input of information, you'll need to manually enter the parts of the metadata. Depending on your IdP, it may ask for different pieces of information or call these fields different things. To start, here are the configuration values that should be entered if your IdP asks for them. Then, depending on your IdP's support for a feature called RelayState, there will be additional values to input.

• EntityID - The LogMeIn SAML Service's entityID is the metadata URL. The IdP may sometimes refer to it as the IssuerID or the AppID.

https://authentication.logmeininc.com/saml/sp

• Audience - This is the EntityID of the LogMeIn SAML Service. An IdP may refer to it as the Audience Restriction. This should be set to:

https://authentication.logmeininc.com/saml/sp

• Single Logout URL - The destination of a logout request or logout response from the IdP:

https://authentication.logmeininc.com/saml/SingleLogout

• NameID format - The type of the subject identifier to be returned in the Assertion. The LogMeIn SAML Service expects:

EmailAddress

(the standard SAML identifier for this format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress; the value must be the user's email address in one of your verified domains)

When accessing products through an IdP-initiated sign-in, some IdPs support a feature known as "RelayState", which allows you to drop users directly into the specific LogMeIn product on which you want them to land. To configure this, the following fields, if requested by your IdP configuration, should be set accordingly. Some IdPs refer to these fields by different names. Where possible, we have included alternative names that some IdPs use for these fields.

• Assertion Consumer Service URL - The URL where authentication responses (containing assertions) are returned to. The IdP may also refer to this as the ACS URL, the Post Back URL, the Reply URL, or the Single Sign On URL.

• Recipient

• Destination

If your IdP supports the RelayState feature, all of the above fields (where requested by your IdP - not all IdPs will ask for all fields) should be populated with:

https://authentication.logmeininc.com/saml/acs

You can then set a per-product RelayState to allow routing to different products from your IdP application catalog. Below is the RelayState value to set:

• RescueAssist

https://console.gotoassist.com

If your IdP does not support the RelayState feature, there will be no RelayState value to set. Instead, set the ACS value above (ACS URL, Recipient, Destination) to the following value:

• RescueAssist https://authentication.logmeininc.com/saml/console.gotoassist.com/acs


During manual configuration of the LogMeIn SAML Service at the IdP, you may be presented with some additional options. Here is a list of potential options you may be presented and what you should set them to.

• Sign assertion or response – Activate this option. The LogMeIn SAML service requires the IdP's signature on the response; an unsigned response cannot be tied to your IdP and is rejected.

• Encrypt assertion or response – Deactivate this option. Currently the SAML service does not process encrypted assertions, so an encrypted assertion results in a failed sign-in. The response is still protected in transit by TLS.

• Include SAML Conditions – Activate this option. The Conditions element (NotBefore, NotOnOrAfter, and the AudienceRestriction) is required by the SAML Web Browser SSO profile. This is a SecureAuth option.

• SubjectConfirmationData Not Before – Deactivate this option. The SAML Web Browser SSO profile does not allow a NotBefore attribute on SubjectConfirmationData; the validity window belongs in Conditions. This is a SecureAuth option.

• SAML Response InResponseTo – Activate this option, so that the response carries the ID of the AuthnRequest it answers and the service can reject unsolicited or replayed responses. This is a SecureAuth option.
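The manual Identity Provider fields, the SP values in the setup overview, and the option settings just above all describe what the service provider checks when a SAML Response arrives. The following Python script, an added example rather than LogMeIn code, applies those checks to a constructed response: Destination and Recipient against the ACS URL, Audience against the SP EntityID, Issuer against the configured Identity Provider Entity ID, the signing certificate embedded in the response against the configured verification certificate, the Conditions validity window, InResponseTo on both the Response and the SubjectConfirmationData, the emailAddress NameID format, and the absence of NotBefore on SubjectConfirmationData. The IdP entity ID (https://adfs.main.com/adfs/services/trust) and the certificate bytes are invented stand-ins, and the XML signature itself is not verified: that step needs an XML-DSig library such as xmlsec, and a real SP must run it before trusting any of the fields below.

```python
"""Field checks on a SAML Response against the settings above. Added example, not LogMeIn code;
the XML signature itself is NOT verified (use an XML-DSig library such as xmlsec for that)."""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed stand-in for the IdP's signing certificate: arbitrary bytes, not a real X.509 certificate.
FAKE_DER = b"constructed-not-a-real-certificate"
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER).decode() + "-----END CERTIFICATE-----"
# SP values from the guide; the IdP Entity ID is an assumed value for a fictional main.com ADFS.
SP_CONFIG = {"idp_entity_id": "https://adfs.main.com/adfs/services/trust",
             "audience": "https://authentication.logmeininc.com/saml/sp",
             "acs_url": "https://authentication.logmeininc.com/saml/acs",
             "verification_cert_pem": FAKE_CERT_PEM}

def parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))  # SAML timestamps are UTC with a Z suffix

def cert_fingerprint(pem):
    # PEM_cert_to_DER_cert enforces the BEGIN/END CERTIFICATE framing the guide requires for the field
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def check_saml_response(xml_text, cfg, now, request_id):
    """Return a list of findings; an empty list means every checked field matched the configuration."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["document is not a samlp:Response"]
    if root.get("Destination") != cfg["acs_url"]:
        findings.append("Destination != ACS URL")
    if root.get("InResponseTo") != request_id:
        findings.append("Response InResponseTo does not match the AuthnRequest ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion lands here: the service does not process those
        return findings + ["no plaintext saml:Assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != cfg["idp_entity_id"]:
        findings.append("Issuer != configured Identity Provider Entity ID")
    # "Sign assertion or response": a signature on either element satisfies the requirement
    sig = next((s for s in (root.find("ds:Signature", NS), assertion.find("ds:Signature", NS)) if s is not None), None)
    if sig is None:
        findings.append("neither Response nor Assertion carries a signature")
    else:
        b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))
        # compare against the configured certificate; never trust the one the message embeds
        if hashlib.sha256(der).hexdigest() != cert_fingerprint(cfg["verification_cert_pem"]):
            findings.append("embedded signing certificate != configured verification certificate")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no saml:Conditions")
    else:
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
            findings.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["audience"] not in audiences:
            findings.append("Audience does not include the SP EntityID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != cfg["acs_url"]:
            findings.append("Recipient != ACS URL")
        if scd.get("InResponseTo") != request_id:
            findings.append("SubjectConfirmationData InResponseTo does not match the AuthnRequest ID")
        if scd.get("NotBefore") is not None:  # the Web Browser SSO profile forbids NotBefore here
            findings.append("SubjectConfirmationData carries NotBefore")
        if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData expired")
    return findings

def sample_response(audience=SP_CONFIG["audience"], in_response_to="_req42", scd_extra="", cert_der=FAKE_DER):
    """Constructed response, not captured from any IdP; the SignatureValue is a placeholder."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2018-06-01T12:00:00Z" InResponseTo="{in_response_to}"
    Destination="{SP_CONFIG['acs_url']}">
  <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c3R1Yg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-06-01T12:00:00Z">
    <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@main.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_CONFIG['acs_url']}" InResponseTo="{in_response_to}"
            NotOnOrAfter="2018-06-01T12:05:00Z"{scd_extra}/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2018-06-01T11:59:00Z" NotOnOrAfter="2018-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""

SAMPLE_NOW = datetime(2018, 6, 1, 12, 1, tzinfo=timezone.utc)  # inside the validity window above
```

The certificate comparison is the design choice worth copying: a response carries its signing certificate in KeyInfo, but the service provider must compare it with the certificate configured in the Organization Center (or delivered through metadata) rather than trust whatever the message embeds, since otherwise anyone could sign a forged assertion with a key of their own. Note also that xml.etree offers no protection against signature wrapping: the element whose signature is verified and the element whose fields are consumed must be the same node, which is what a proper XML-DSig library enforces and why the signature check belongs in one.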

Set Up Enterprise Sign-In Using ADFS 2.0

Your organization can easily manage thousands of users and their product access while also delivering Single Sign-On (SSO). SSO ensures your users can access their LogMeIn products using the same identity provider as for their other enterprise applications and environments. These capabilities are called

Enterprise Sign-In.

This document covers configuration of your Active Directory Federation Services (ADFS) to support Single Sign-On authentication to LogMeIn products. Prior to implementing, however, be sure to read

more about Enterprise Sign-In and complete the initial setup steps.

ADFS 2.0 is a downloadable component for Windows Server 2008 and 2008 R2. It is simple to deploy, but several configuration steps need specific strings, certificates, URLs, and so on. ADFS 3.0 (the ADFS role in Windows Server 2012 R2) is also supported for Enterprise Sign-In. ADFS 3.0 has several improvements, the largest of which is that it no longer depends on a separate Microsoft Internet Information Services (IIS) installation.

Note: You may skip to Step 4 if you already have ADFS 2.0 deployed.

Step #1: Federation service certificate

Each ADFS deployment is identified by a DNS name (e.g., "adfs.mydomain.com"). You will need a certificate issued to this subject name before you begin. This identifier is an externally visible name, so pick something suitable to represent your company to partners. Also, don't reuse this name as a server host name: doing so causes trouble with Service Principal Name (SPN) registration.

There are many methods to generate certificates. The easiest, if you have a Certificate Authority in your domain, is to use the IIS 7 management console:

1. Open the Web Server (IIS) management snap-in.

2. Select the server node in the navigation tree, then the Server Certificates option.

3. Select Create Domain Certificate.

4. Enter your Federation Service Name in Common Name (e.g., adfs.mydomain.com).

5. Select your Active Directory Certificate Authority.

6. Enter a "Friendly Name" for the certificate (any identifier will do).

Note: If you didn’t use the IIS console to generate the certificate, make sure the certificate is bound to the IIS service in the servers where you’ll be installing ADFS before proceeding.


Step #2: Create a domain user account

ADFS servers require a domain user account to run the service (no specific group membership is required). Use a dedicated service account for this rather than a personal or Domain Admin account.

Step #3: Install your first ADFS server

1. Download ADFS 2.0 and run the installer. Make sure you run the installer as a Domain Admin: it will create SPNs and other containers in AD.

2. In Server Role, select Federation Server.

3. Check Start the ADFS 2.0 Management snap-in when this wizard closes at the end of the wizard.

4. In the ADFS Management snap-in, click Create new Federation Service.

5. Select New Federation Server farm.

6. Select the certificate you created in the previous step.

7. Select the domain user you created in the previous step.

Step #4: Configure your relying party

In this step, you will tell ADFS the kind of SAML tokens that the system accepts.

Set up the trust relationship, as follows:

1. In the ADFS 2.0 MMC, select Trust Relationships | Relying Party Trusts in the navigation tree.

2. Choose Add Relying Party Trust and click Start.

3. In Select Data Source, select Import data about the relying party published online or on a local area network and in the textbox below the selected option paste the metadata URL: https://authentication.logmeininc.com/saml/sp. Click Next.

4. Click OK to acknowledge that some metadata that ADFS 2.0 does not understand will be skipped.

5. On the Specify Display Name page, type LogMeInTrust, and click Next.

6. On the Choose Issuance Authorization Rules screen, choose Permit all users to access this relying party unless another option is desired.

7. Step through the rest of the prompts to complete this side of the trust relationship.

Next, add 2 claim rules, as follows:

1. Click on the new endpoint entry, and click Edit Claim Rules on the right.

2. Select the Issuance Transform Rules tab and click Add Rule.

3. Select Send LDAP Attributes as Claims from the drop-down menu and click Next. Use the following settings for the rule:

• Claim rule name - AD Email

• Attribute store - Active Directory

• LDAP Attribute - E-mail-Addresses

• Outgoing Claim Type - E-mail Address

4. Click Finish.

5. Click Add Rule again.

6. Select Transform an Incoming Claim from the drop-down menu and click Next. Use the following settings for the rule:

• Claim rule name - Name ID

• Incoming claim type - E-Mail Address

• Outgoing claim type - Name ID

• Outgoing name ID Format - Email

7. Select Pass through all claim values.

8. Click Finish.

Page 18: RescueAssist · using the Active Directory Connector (Step #4) and/or Enterprise Sign-In (SSO). Set Up Domains in the Organization Center The first step you take in creating an organization

© 2018 LogMeIn Inc.

17

Complete the configuration, as follows:

• Right-click on the new relying party trust in the Relying Party Trusts folder and select Properties.

• In Advanced, select SHA-1 and click OK. (SHA-1 is the secure hash algorithm the LogMeIn service provider expected when this guide was written; ADFS defaults to SHA-256, so confirm the current requirement before changing the signature algorithm.)

• To prevent ADFS from sending encrypted assertions by default, open a Windows PowerShell prompt and run the following command. The LogMeIn SAML service does not process encrypted assertions; the response is still signed, and protected in transit by TLS.

Set-ADFSRelyingPartyTrust -TargetName "<relyingPartyTrustDisplayName>" -EncryptClaims $false

Step #5: Configure trust

The last configuration step is to accept the SAML tokens generated by your new AD FS service.

• Use the “Identity Provider” section in the Organization Center to add the needed details.

• For ADFS 2.0, select “Automatic” configuration and enter the following URL – replacing “server” with the externally accessible hostname of your ADFS server:

https://server/FederationMetadata/2007-06/FederationMetadata.xml

Step #6: Test single server configuration

At this point you should be able to test the configuration. You must create a DNS entry for the ADFS service identity, pointing to the ADFS server you have just configured, or to a network load balancer if you are using one.

• To test Identity Provider-Initiated Sign-On, go to https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx. You should see the relying party identifier in a combobox under "Sign in to one of the following sites".

• To test Relying Party-Initiated Sign-on, go to the product login page for the product you wish to sign into (such as www.gotomeeting.com) and on the sign in page, click the "Use my company ID" option. After entering your email address, you should be redirected to the ADFS server and be prompted to log in, or be logged in automatically if Windows Integrated Authentication is used.

Set Up Enterprise Sign-In using ADFS 3.0

This section covers configuration of ADFS 3.0 to support Single Sign-On authentication to LogMeIn products (Enterprise Sign-In), so that your users access their LogMeIn products through the same identity provider as their other enterprise applications. Prior to implementing, be sure to read more about Enterprise Sign-In and complete the initial setup steps.

ADFS 3.0 is an enhanced version of ADFS 2.0. It ships as a server role in Windows Server 2012 R2 and is installed through Server Manager rather than as a separate download. One large advantage of 3.0 is that it no longer depends on a separate Microsoft Internet Information Services (IIS) installation. The enhancements vary the installation and configuration somewhat compared to its predecessor.

This article covers how to install and configure ADFS, and how to set ADFS up in a SAML trust relationship with Enterprise Sign-In. In this trust relationship, ADFS is the Identity Provider and LogMeIn is the Service Provider. On completion, LogMeIn will be able to use ADFS to authenticate users into products like GoToMeeting using the SAML assertions served by ADFS. Users will be able to initiate authentications from the Service Provider side or the Identity Provider side.


Requirements

• A publicly trusted certificate to authenticate ADFS to its clients. The ADFS service name is taken from the subject name of the certificate, so it is important that the subject name of the certificate be assigned accordingly.

• The ADFS server must be a member of an Active Directory domain, and a domain administrator account is needed for the ADFS configuration.

• A DNS entry is needed so that clients can resolve the ADFS host name.

A complete and detailed list of the requirements can be reviewed in the Microsoft ADFS 3.0 overview.

Installation

1. Start the installation of ADFS 3.0 by selecting Administrative Tools | Server Manager | Add roles and features.

2. On the Select installation type page, select Role-based or feature-based installation and click Next.

3. On the Select destination server page, select the server on which to install the ADFS service and click Next.

4. On the Select server roles page, select Active Directory Federation Services and click Next.

5. On Select features, unless there are some additional features that you want to install, leave the defaults and click Next.

6. Review the information on the Active Directory Federation Services page and click Next.

7. Initiate the installation on the Confirm installation selections page.

Configuration

1. In your Notifications, you will have a notification alerting you that you have a Post-deployment Configuration... task remaining. Open it and click on the link to initiate the wizard.

2. On the Welcome page, select Create the first federation server in a new federation server farm (unless there is an existing farm that you are adding this ADFS server to).

3. On the Connect to ADFS page, select the domain admin account to perform this configuration.

4. In Specify Service Properties, specify the SSL certificate created from the prerequisites. Set the Federation Service Name and Federation Service Display Name.

5. In Specify Service Account, select the account that ADFS will use.

6. In Specify Configuration Database, select the database to use.

7. Review the information in Pre-requisite Checks and click Configure.

Establish Trust Relationship

Each party (ADFS and LogMeIn) will need to be configured to trust the other party. Therefore, the trust relationship configuration is a two-step process.

Step #1: Configure ADFS to trust LogMeIn SAML

1. Open Administrative Tools | ADFS Management.

2. In ADFS Management, drop down the Action menu and select Add Relying Party Trust. This will initiate the Add Relying Party Trust Wizard.

3. On the Select Data Source page of the wizard, select Import data about the relying party published online or on a local area network and in the textbox below the selected option paste the metadata URL: https://authentication.logmeininc.com/saml/sp.

4. Click Next.

5. Skip the Configure Multifactor Authentication Now? page.

6. On the Choose Issuance Authorization Rules screen, choose Permit all users to access this relying party unless another option is desired.

7. Step through the rest of the prompts to complete this side of the trust relationship.

8. You now add two claim rules.

9. Click on the new endpoint entry, and click Edit Claim Rules on the right.

10. Select the Issuance Transform Rules tab and click Add Rule.

11. Select Send LDAP Attributes as Claims from the drop-down menu and click Next.

12. Use the following settings for the rule:

• Claim rule name: AD Email.

• Attribute store: Active Directory.

• LDAP Attribute: E-mail-Addresses.

• Outgoing Claim Type: E-mail Address.

13. Click Finish, then click Add Rule again.

14. Select Transform an Incoming Claim from the drop-down menu and click Next.

15. Use the following settings:

• Claim rule name: Name ID.

• Incoming claim type: E-Mail Address.

• Outgoing claim type: Name ID.

• Outgoing name ID Format: Email.

• Select Pass through all claim values.

16. Click Finish.

17. Right-click on the new relying party trust in the Relying Party Trusts folder and select Properties.

18. In Advanced, select SHA-1 and click OK. (SHA-1 is the secure hash algorithm the LogMeIn service provider expected when this guide was written; ADFS defaults to SHA-256, so confirm the current requirement before changing the signature algorithm.)

19. To prevent ADFS from sending encrypted assertions by default, open a Windows PowerShell prompt and run the following command. The LogMeIn SAML service does not process encrypted assertions; the response is still signed, and protected in transit by TLS.

Set-AdfsRelyingPartyTrust -TargetName "<relyingPartyTrustDisplayName>" -EncryptClaims $false

Step #2. Configure LogMeIn to trust ADFS

1. Navigate to the Organization Center and use the Identity Provider webform.

2. ADFS publishes its metadata to a standard URL by default: https://<hostname>/federationmetadata/2007-06/federationmetadata.xml.

a. If this URL is publicly available on the internet, then on the Identity Provider tab in the Organization Center, select the Automatic configuration option and paste the URL in the textbox. Click Save.

b. If the metadata URL is not publicly available, then collect the single-sign-on URL and a certificate (for signature validation) from ADFS and submit them using the Manual configuration option in the Identity Provider tab in the Organization Center.

3. To collect the necessary items, do the following:

• To collect the single-sign-on service URL, open the ADFS Management window and select the Endpoints folder to display a list of the ADFS endpoints. Look for the SAML 2.0/WS-Federation type endpoint and collect the URL from its properties. Alternatively, if you have access to the standard metadata URL, display the contents of the URL in a browser and look for the single-sign-on URL in the XML content.

• To collect the certificate for signature validation, open the ADFS Management Console and select the Certificates folder to display the certificates. Look for the Token-signing certificate, right-click on it and select View Certificate. Select the Details tab, and then the Copy to File option. In the Certificate Export Wizard, select Base-64 Encoded X.509 (.CER). Assign a name to the file to complete the export of the certificate into a file.

4. Input these fields into the Organization Center and click Save.

Note: With the Manual configuration option, the uploaded certificate must be replaced whenever the ADFS token-signing certificate changes. By default ADFS uses a self-signed token-signing certificate and rolls it over automatically, so plan for the re-upload or sign-in will fail once the old certificate is retired.
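For the Manual configuration path, the two items can be pulled straight out of the federation metadata instead of clicking through the consoles. The following PowerShell function is an added example, not part of the guide: it reads FederationMetadata.xml from the URL or from a saved copy, returns the HTTP-POST single-sign-on URL, and writes every published token-signing certificate as a Base-64 X.509 .cer file (the same format the Copy to File wizard produces). The host name in the usage line is a placeholder.

```powershell
# Added example, not part of the guide: extract the Manual configuration inputs
# (SAML 2.0 single-sign-on URL and token-signing certificate) from ADFS metadata.

function Get-AdfsIdpDetails {
    param(
        [Parameter(Mandatory)][string]$MetadataSource,   # URL or local path to FederationMetadata.xml
        [string]$OutDir = $PWD.Path
    )
    $doc = if ($MetadataSource -match '^https?://') {
        [xml](Invoke-WebRequest -Uri $MetadataSource -UseBasicParsing).Content
    } else {
        [xml](Get-Content -Path $MetadataSource -Raw)
    }
    $ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }

    # Only the IDPSSODescriptor matters here; ADFS metadata also carries WS-Fed and SP roles
    $sso = Select-Xml -Xml $doc -Namespace $ns -XPath `
        "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']/@Location"
    $keys = Select-Xml -Xml $doc -Namespace $ns -XPath `
        "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    if (-not $sso -or -not $keys) {
        throw 'No IDPSSODescriptor with an HTTP-POST SSO endpoint and a signing key found'
    }

    # ADFS lists every token-signing certificate (primary and, during rollover, secondary);
    # export each as Base-64 X.509 (.cer) named by thumbprint
    $certs = foreach ($k in $keys) {
        $raw  = [Convert]::FromBase64String(($k.Node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
        $file = Join-Path $OutDir "adfs-token-signing-$($cert.Thumbprint).cer"
        $pem  = "-----BEGIN CERTIFICATE-----`r`n" +
                [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
                "`r`n-----END CERTIFICATE-----`r`n"
        Set-Content -Path $file -Value $pem -Encoding Ascii
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; File = $file }
    }

    [pscustomobject]@{
        EntityId        = (Select-Xml -Xml $doc -Namespace $ns -XPath '/md:EntityDescriptor/@entityID').Node.Value
        SingleSignOnUrl = @($sso)[0].Node.Value
        SigningCerts    = $certs
    }
}

# Usage (placeholder host name):
# Get-AdfsIdpDetails -MetadataSource 'https://adfs.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml'
# On the ADFS server, confirm which certificate is currently in use:
# Get-AdfsCertificate -CertificateType Token-Signing   (IsPrimary = True)
```

When two signing certificates come back, upload the one that Get-AdfsCertificate reports as primary; the second one is the next certificate that automatic rollover will switch to.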

Test the configuration

To test Identity Provider-Initiated Sign-On, go to https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx. You should see the relying party identifier in a combobox under Sign in to one of the following sites.

To test Relying Party-Initiated Sign-on, go to the web login page for the LogMeIn product you wish to sign into (such as www.gotomeeting.com) and on the sign in page, click the Use my company ID option. Enter your email address. You should be redirected to the ADFS server and be prompted to log in (or, if Windows Integrated Authentication is used, logged in automatically), after which you will be sent directly into your desired product.

Automated Provisioning Options

Provisioning is the process of creating user accounts and assigning and/or revoking access to products for those user accounts. Smaller companies use the Admin Center to manually provision users, but as the number of users increases, or if there are large shifts in product usage and/or users (due to acquisitions, turnover rates, changes in roles, etc.), it makes sense to use an automated provisioning method to facilitate these changes.

• Use the Active Directory Connector v2, our custom provisioning tool

LogMeIn offers a custom tool designed for you to connect your Active Directory account with your LogMeIn account and then use it to automatically provision users and their product access. See Active Directory Connector v2 below.

• Use a third-party Identity Provider that offers automated provisioning

Many third-party Identity and Access Management partners offer automated provisioning as part of their feature set. You can learn more about setting up automated provisioning for each of the following Identity Providers:

• Okta Cloud Connect

• Microsoft Azure

• Build a custom solution using APIs

You can have your development team build a custom solution for your organization using the SCIM APIs and Administration REST APIs.

* SCIM (System for Cross-domain Identity Management) is a specification that lets you manage users within your domain organization entity.

If you have decided to use automated provisioning, see Set Up Automated User and Product Provisioning below.


Set Up Automated User and Product Provisioning

Provisioning is the process of creating user accounts and assigning and/or revoking access to products for those user accounts. Smaller companies use the Admin Center to manually provision users, but as the number of users increases, or if there are large shifts in product usage and/or users (due to acquisitions, turnover rates, changes in roles, etc.), it makes sense to use an automated provisioning method to facilitate these changes.

Before you begin...

If you do not plan on setting up the Active Directory Connector v2 as your automated provisioning method, you can skip to Step #3.

Step #1: Set up an organization (for ADC v2 only)

Create your organization by verifying at least 1 domain used by your company.

Step #2: Provision an organization admin with a RescueAssist admin role (for ADC v2 only)

Assign a RescueAssist admin role via the Admin Center to your current organization admin, or add a new organization admin and provision them with a product admin role. In order to proceed, you must have at least 1 organization admin who is also a product admin, and the domain of their email address must match at least 1 of the verified domain(s) that you set up in Step #1.

Step #3: Configure an automated provisioning option

Set up 1 of our automated provisioning options for creating and managing your users and their product access.

Step #4: View your users in the Admin Center

You're all set! Once automated provisioning is set up, your users will begin populating in the Admin Center. Each newly added user will receive a Welcome email that contains their email address and a link that will allow them to create an account password to sign in to their RescueAssist account.

Active Directory Connector v2

Most large companies use Microsoft Active Directory (AD) to automate changes for user identities and application privileges. The Active Directory Connector (ADC) receives Active Directory user updates and automatically makes the same changes in your LogMeIn account. The ADC accesses all users in selected AD groups containing LogMeIn users and all users in any subgroups. All new users are added to one of your validated company email domains in the Admin Center's SCIM* service.

* SCIM is the System for Cross-domain Identity Management that defines how user identities are managed across multiple systems, generally over the Internet.


Steps for setting up the Active Directory Connector v2 and managing users via User Sync:

1. Review the Active Directory Connector v2

2. Review the Active Directory Connector v2 requirements

3. Set up an organization

4. Install the ADC v2

5. Configure the ADC v2

6. Run the ADC v2

7. Manage custom attributes (optional)

8. Manage User Sync rules

9. Update the ADC v2 to the latest version (if applicable)

Active Directory Connector v2 Requirements

The Active Directory Connector (ADC) receives Active Directory user updates and automatically makes the same changes in your LogMeIn account. There are 4 areas of requirements to use the Active Directory Connector (ADC) effectively: accounts, your Active Directory implementation, the Windows requirements for the ADC host machine, and your firewall settings. See all steps for setting up the Active Directory Connector v2 and managing users via User Sync.

Account requirements

• A LogMeIn product account with at least 1 Organization admin who also has a LogMeIn product admin role

Active Directory requirements

• A Windows account with the "Log on as a service" right on the machine where the ADC is installed. Use a dedicated service account rather than a personal or Domain Admin account. To grant this right to the account, do the following:

1. Click the Windows Start menu.

2. Enter Local Security Policy.

3. Go to Local Policies > User Rights Assignment.

4. Right-click Log on as a service > Properties > Add User or Group.

5. Add the ADC Service User (e.g., DOMAIN\username).

6. Go to Check Names > OK > OK > Apply to save your changes.

• An Active Directory forest with Windows Server 2003 (or later) functionality.

System requirements

Operating System

• Windows Server 2008 SP2 or later (not necessarily a domain controller)

• Windows Vista SP2 or later

Software

• Microsoft® .NET Framework 4.5 on the machine where the ADC will run (included in the ADC installer if needed)

Memory

• 2 GB RAM or more recommended

Available Disk Space

• 200 MB or more (depending on log level and storage period)

Display

• Minimum 1680 x 1050

Internet Connection

• Broadband internet connection with 1+ Mbps and the ability for the ADC to connect to https://goto-developer.logmeininc.com


Firewall settings

Firewall settings should be configured as follows (all connections are outbound from the ADC host):

Use case                                   Source server       Target server:port
Interface for provisioning                 <ADC Server Name>   api.getgo.com:443
Interface for logging                      <ADC Server Name>   logging.getgo.com:443
Interface for authentication               <ADC Server Name>   *.logmeininc.com:443
Interface for checking new version of ADC  <ADC Server Name>   s3.amazonaws.com:443
Insecure connections                       <ADC Server Name>   Active Directory Domain Controller:389 (LDAP)
Secure connections                         <ADC Server Name>   Active Directory Domain Controller:636 (LDAPS)
Global Catalog, insecure connections       <ADC Server Name>   Active Directory Domain Controller:3268 (LDAP)
Global Catalog, secure connections         <ADC Server Name>   Active Directory Domain Controller:3269 (LDAPS)

Note: The 389 and 3268 rows carry directory traffic in cleartext. Prefer the LDAPS ports (636 and 3269), and open the cleartext ports only if your directory does not offer LDAPS.
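The following PowerShell script is an added example, not part of the guide. Run on the ADC host, it checks that each target in the table is reachable on its port and completes a TLS handshake against the two LDAPS ports, so a domain controller certificate that the host does not trust shows up before the first sync rather than as a failed run. The domain controller name is a placeholder, and authentication.logmeininc.com stands in for the *.logmeininc.com wildcard.

```powershell
# Added example, not part of the guide: verify the firewall table from the ADC host.
# .NET sockets are used so the script also runs on the Windows Server 2008 SP2
# minimum, which has no Test-NetConnection. $dc is a placeholder.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-LdapsCertificate {
    # Completes a TLS handshake with default validation: the chain must be trusted
    # on this host and the certificate must match $ComputerName
    param([string]$ComputerName, [int]$Port = 636)
    try {
        $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{
            Target = "${ComputerName}:$Port"; Valid = $true; Protocol = $ssl.SslProtocol
            Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null
        }
    } catch {
        [pscustomobject]@{
            Target = "${ComputerName}:$Port"; Valid = $false; Protocol = $null
            Subject = $null; NotAfter = $null; Error = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
}

$dc = 'dc01.mydomain.com'   # placeholder: your domain controller's FQDN
$targets = @(
    @{ Use = 'Provisioning';               Target = 'api.getgo.com';                 Port = 443 }
    @{ Use = 'Logging';                    Target = 'logging.getgo.com';             Port = 443 }
    @{ Use = 'Authentication';             Target = 'authentication.logmeininc.com'; Port = 443 }  # one host under *.logmeininc.com
    @{ Use = 'ADC version check';          Target = 's3.amazonaws.com';              Port = 443 }
    @{ Use = 'LDAP (cleartext)';           Target = $dc;                             Port = 389 }
    @{ Use = 'LDAPS';                      Target = $dc;                             Port = 636 }
    @{ Use = 'Global Catalog (cleartext)'; Target = $dc;                             Port = 3268 }
    @{ Use = 'Global Catalog LDAPS';       Target = $dc;                             Port = 3269 }
)

$targets | ForEach-Object {
    [pscustomobject]@{
        Use = $_.Use; Target = "$($_.Target):$($_.Port)"
        Reachable = Test-TcpPort -ComputerName $_.Target -Port $_.Port
    }
} | Format-Table -AutoSize

# TLS check on the two LDAPS ports; a failure here is a DC certificate problem
# to fix, not a reason to fall back to the cleartext ports
636, 3269 | ForEach-Object { Test-LdapsCertificate -ComputerName $dc -Port $_ } | Format-List
```

A Reachable = False on a 443 row means a proxy or egress rule is in the way; a Valid = False on 636 or 3269 with a chain error means the DC's certificate issuer is not in the ADC host's trusted root store.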

Install Active Directory Connector v2

The Active Directory Connector is a desktop application and uses a simple installation wizard. Because it is a Windows service with a user interface, you will need to enter an admin user's credentials to allow the UI to launch. The Active Directory Connector (ADC) receives Active Directory user updates and automatically makes the same changes in your LogMeIn account.

If you already have the Active Directory Connector v2 installed and want to get the latest version, please see Update the ADC.


Before you begin...

Be sure that you have reviewed the Active Directory Connector v2 Requirements before proceeding.

Install the ADC

1. Download the Active Directory Connector Setup folder and extract the files to a convenient location on the local drive.

2. From the extracted folder, launch the Active Directory Connector Setup.exe file and click Run to launch the Setup Wizard.

3. Click Next to start the installation.

4. Update or accept the location on disk for the installation, then click Next.

5. Click Next to install the application and click Yes to confirm.

6. When the Installation Complete dialog displays, click Close. The ADC folder is populated with files.

7. Double-click ActiveDirectoryConnectorAdmin.exe to start the ADC. Click Yes to confirm, and the Active Directory Connector Admin software will launch.

You can configure the optional steps below, or proceed to Configure the Active Directory Connector v2 for next steps.

Configure a delayed start of the service (optional)

Note: These instructions only apply to users who have installed ADC (v2.1.0.372 or earlier).

To ensure the Active Directory Connector does not lose connection with your Active Directory environment, configure a delayed start of the ADC service in Windows as follows:

1. Go to Services by clicking the Windows Start menu, then type Services and hit Enter.

2. Right-click on the Active Directory Connector and select Properties.

• On the General tab, locate the "Startup type" section and use the drop-down menu to select Automatic (Delayed Start), then click Apply.

• On the Recovery tab, use the drop-down menu to select Restart the Service for the First failure, Second failure, and Subsequent failures options, then set the "Restart service after" time to 15 minutes (or more) and click Apply.

3. Click OK when the service settings for both tabs have been updated.


Configure the Active Directory Connector v2

The Active Directory Connector (ADC) receives Active Directory user updates and automatically makes the same changes in your LogMeIn account. Setting up the ADC consists of adding permissions and Active Directory groups, as well as configuring additional optional settings.

Set connections to ADC

To complete the steps below, you will need an admin account for Windows and a LogMeIn product admin account that is also an Organization Admin.

1. Locate the Active Directory Connector Admin application (default location is C:\Program Files\Logmein\Active Directory Connector) and double-click ActiveDirectoryConnectorAdmin.exe to start the ADC. If prompted by User Account Control, click Yes to confirm, and the Active Directory Connector software will launch.

2. In the "Active Directory permissions" section, click Link your Windows user account to the ADC service to establish permissions for the service on Windows.

3. Enter your Windows credentials in DOMAIN\username format (e.g., LOGMEIN\admin) and click OK. If you want to use a different Windows domain account for the Active Directory Connector service, click Change user, then fill in your desired DOMAIN\username credentials and click OK to confirm.

4. In the "LogMeIn permissions" section, log in with your LogMeIn admin account, which is required to also have an Organization Admin role. When prompted, click Allow to grant access to your LogMeIn account for the Active Directory Connector. If this fails, see "Why am I getting an 'Insufficient Permissions' error message?" below.

5. Once logged in, the user for each account is displayed. Click Save at the bottom of the window. Optionally, you can click Revert Changes to delete any modifications made since the last Save.

Next, you will need to add your Active Directory groups using the steps below.

Next, you will need to add your Active Directory groups using the steps below.


Add (or remove) Active Directory groups

You can add as many Active Directory groups as you need. Nested groups are added when you add the parent group.

1. Under Active Directory Groups, click Add. The Windows groups manager displays.

2. Type in a group name in the Enter the object names... box and click Check Names. This verifies the group exists and is accessible. You can also use the Advanced option to locate groups by query.

3. Click OK to add the group. Continue until you have added all required groups.

4. Select any group and click Remove to delete the group.

Note: When you remove a group, any users in that group remain in the system, but lose their product entitlements.

5. After each update, click Save at the bottom of the window. Optionally, click Revert Changes to delete any modifications made since the last Save.

Next, set your desired polling interval.

Set polling interval

Note: The default polling interval is 15 minutes.

1. In the "Options" section, enter the number of minutes you want the ADC to wait between polls.

2. After each update, click Save at the bottom of the window. Optionally, click Revert Changes to delete any modifications made since the last Save.

3. Click Check connections to verify your permissions after all of your changes have been saved.

Next, you can choose to edit attribute mapping and manage your custom attributes, if desired. Otherwise, you can proceed to run the ADC.

Edit attribute mapping (optional)

User attributes are data fields in string format. The standard set available by default in the ADC is employeeNumber, costCenter, division, and department. These values can appear in LogMeIn Admin reports if they are configured properly.

Note: The value(s) entered in these fields do not have to match the default designation of the attribute if you want to create custom fields.

1. On the ADC, click Edit Mapping in the "Options" section.

2. Modify the attributes with your desired value(s), then click OK.

3. After each update, click Save at the bottom of the ADC window. Alternatively, click Revert Changes to delete any modifications made since the last save.

Next, you can proceed to run the ADC v2.


Why am I getting an "Insufficient Permissions" error message?

When you configure your Active Directory Connector v2 settings, you will encounter an "Insufficient Permissions" error message if the LogMeIn admin account you are using does not have an Organization Admin role.

Your LogMeIn account must have an admin role in the following 2 places:

1. In the Admin Center: a product admin role (for example, the RescueAssist admin role).

2. In the Organization Center: the Organization Admin role.


To fix this, do 1 of the following:

• Sign in using an existing LogMeIn admin account that already has an Organization Admin role.

• Contact your LogMeIn account admin to request that your account be additionally provisioned with an Organization Admin role.

Once you have logged in with a LogMeIn account that has an Organization Admin role, you can proceed to Step #5 in the "Set Connections" section of Configuring the Active Directory Connector v2.

Run the Active Directory Connector v2

The Active Directory Connector (ADC) receives Active Directory user updates and automatically makes the same changes in your LogMeIn account. Once the ADC is configured with permissions and Active Directory groups, you can start the service. Starting the service launches the requests to the AD for any changes. For the first run this includes all groups and users within those groups. The ADC compares the AD data with the identity data in the SCIM* repository. Any new data in the AD is written into the SCIM data. If you have User Sync set up, any product entitlement rules will be executed automatically.

* SCIM is the System for Cross-domain Identity Management that defines how user identities are managed across multiple systems, generally over the Internet.

Start the Active Directory Connector service

1. Once you have installed and configured the ADC, click Start to run the ADC service. If you see a "Check Connections" option, be sure to verify the settings that you configured for the ADC.


2. The Service Status now displays a "Running" state, as well as the date and time when the service last ran. Once started, the ADC will continue to run until complete, then the service will stop and begin again based on the polling interval that you configured for the ADC.

Note: If you need to modify the configuration for any reason, click Stop to stop running the service before making changes. Once your settings are saved, you can click Start again.

3. While the ADC service is running, it will populate any new users and their assigned directory groups in the Admin Center's User Sync tab. In the User Sync tab, you will be required to manually assign your desired products/tiers, roles, and priorities (i.e., Sync Rules) to each of your newly populated directory groups.

Next, if you had set up custom user attributes in the ADC, proceed to manage custom attributes.

Otherwise, proceed to manage your user sync rules.

Locate ADC log files in the Windows Event Viewer (optional)

1. Open the Windows Event Viewer (Start > All Programs > Administrative Tools > Event Viewer).

2. In the left navigation, select Applications and Services Logs > ADCLog. Only Active Directory Connector logs will be displayed.
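The same log can be read from PowerShell, which is more practical than the Event Viewer GUI when you want to check the last sync run for problems or hand a copy of the log to support. The following is an added example, not part of the LogMeIn guide: the log name ADCLog is the one given above, but the event IDs and message formats the ADC writes are not documented here, so the filter works on level and time only. The export path is an assumption. Run it in an elevated PowerShell session on the ADC server.

```powershell
# Added example; not LogMeIn code. Reads and exports the ADC's Windows event log.
# Assumes only what the guide states: the log is named "ADCLog" under
# Applications and Services Logs. Event IDs are not documented, so no ID filter.

function Get-AdcLogEvents {
    param(
        [datetime] $Since = (Get-Date).AddHours(-24),   # default: the last day of runs
        [switch]   $ProblemsOnly,                        # Critical, Error and Warning only
        [int]      $MaxEvents = 200
    )
    $filter = @{ LogName = 'ADCLog'; StartTime = $Since }
    if ($ProblemsOnly) { $filter['Level'] = @(1, 2, 3) }  # 1=Critical 2=Error 3=Warning

    # Get-WinEvent reports "no events found" as an error; an empty result is not a failure here.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

function Export-AdcLog {
    # Snapshot the whole log to .evtx for a support ticket or SIEM ingestion.
    # The destination path is an assumption; wevtutil is the built-in Windows tool for this.
    param([string] $Path = "$env:ProgramData\ADCLog-$(Get-Date -Format yyyyMMdd-HHmm).evtx")
    wevtutil.exe epl ADCLog $Path
    Get-Item $Path
}

# Show anything that went wrong in the last 24 hours, newest first.
Get-AdcLogEvents -ProblemsOnly | Format-Table TimeCreated, LevelDisplayName, Id, Message -AutoSize -Wrap
```

Because the ADC runs under an account that holds the Organization Admin role, its log is worth forwarding to your central log collection rather than reviewing only on the server; Export-AdcLog produces a file you can ship, or you can point Windows Event Forwarding at the ADCLog channel.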

Manage Custom Attributes

User attributes are data fields in string format. A standard set of SCIM-based attributes for users – employeeNumber, costCenter, division, and department – are available from the Active Directory by default. These values are configured in the Active Directory Connector (ADC), and can be further customized in the Admin Center where they can then be mapped within User Sync for user info and admin reporting.

Once you have run the ADC v2, you can manage your custom user attributes in the steps below.


Add custom fields in the Admin Center

You must create custom fields in the Admin Center in order to map the values you configured in the ADC to be displayed as an attribute within your user info and admin reporting. You can choose to add the 4 default user attribute field names (i.e., employeeNumber, costCenter, division, department) or create your own custom field names to match the values you entered in the ADC. For example, if all users within your Active Directory share the same manager, then you could add the manager's name to any 1 of the fields as a user attribute in the ADC, then create a custom field for "Manager" in the Admin Center so the name can then be mapped to your custom field for all users.

Map custom attributes in User Sync

Once you have configured user attributes (and if desired, created your custom fields), you must map your attributes in User Sync as follows:

1. Log in to the Admin Center at https://admin.logmeininc.com.

2. Go to User Sync > Add custom attributes tab.

3. Use the drop-down menu for each user directory attribute and map it to your desired value.

4. Click Save when finished.

5. If User Sync is not already running, toggle on the switch to enable the "User Sync is on" option.

Next, proceed to manage your user sync rules.

Manage User Sync Rules

Note: For users who are migrating from Active Directory Connector v1 to v2, you will need to have your User Status Report and/or the screenshot you took of all of your user group assignments from the ADC v1 Provisioning tab in order to recreate your User Sync rules.

User Sync rules allow you to select an Active Directory group and add a rule defining which products the users in that group are entitled to and what administrative privileges they will have. You may have multiple rules for a given directory group (also known as organization group), and a user may belong to more than 1 group in the Active Directory. If you have multiple rules, you can manage the priority of the rules.


Create your first rule

Fill in the applicable fields for each section, as follows:

1. Log in to the Admin Center at https://admin.logmeininc.com.

2. Click Create your first rule.

3. In the "Select a group from your company directory" section, use the drop-down menu to select the directory group to which this rule will apply. If desired, you can add notes about this directory group in the "Description" field.

Note: Directory groups are user groups in your Active Directory that are populated by running the ADC service.

4. In the "Products" section, check the box(es) to enable the product(s) to assign to these users within your selected directory group.

5. If this directory group will not have admin or manager privileges, move on to Step #6. If this directory group will receive admin or manager privileges, check the box to enable the "Administrator for this Account" option. Next, you can choose from the following options:

• Full access to all account privileges

• Managers for specified group(s) with limited privileges – This allows you to customize the limitations for this directory group. Choose from the following (if applicable):

• Privileges – Click the list of privileges hyperlink to open it, then check the box(es) to apply the following permissions: Add and Delete Users, Manage Seats, Manage Organizer Settings, Add and Delete Device Groups, Add and Delete User Groups, Create Reports.

• Groups – Click None Selected, then select 1 or more user groups to apply.

6. In the "User Details" section, use the drop-down menu to select from the following:

• Click to select one of your customized Welcome Email templates. Once selected, you can optionally choose from Preview, Edit, or Delete.

• Click Create New Template to make a new one – if selected, you will remain on the same page and keep your changes thus far.

• Leave as-is to select the Default Welcome Email template, which you can click Preview to display its contents.


7. Next, select a default language for your directory group. The following will be displayed in the language you select:

• Welcome Email

• All product Web App pages

• If applicable, the application that you download and/or install to host sessions

Note: An active user can change their own default language settings at any time.

8. Next, select a user group that you have created, or leave as-is to select No Group.

9. If your directory group is enabled to use the RescueAssist product and you want to assign device group(s), click None Selected to open a list, then check the box(es) of device group(s) that you want to apply to this directory group of users.

10. Lastly, use the drop-down menu to select a default settings template you have already created, or leave as-is to select Default. A settings template is a specific profile that you can create that allows you to apply a set of default feature settings (per product within your account) to a directory group (e.g., disabling the ability to record GoToMeeting sessions for all organizers within a directory group).

11. Click Save if you are finished, or click Save & add another to save and move on to create settings for your next directory group.

12. If you have more than 1 rule, you will need to prioritize them.


Manage Rule Priority

If you have multiple rules, you can click and drag each rule in the "Re-order" column to adjust the order in which the rules apply. The rule with the highest ranking (i.e., the lowest rule number) takes precedence over subsequent rules, meaning Rule #1 takes priority over Rule #2.

If a user exists in more than 1 directory group, all assignments contained within the rule with the highest priority ranking will be used in favor of the same assignments contained in lower priority rule(s). Here are some examples:

• A user is in 2 directory groups with 2 rules assigned: Rule #1 is assigned User Group A and Rule #2 is assigned User Group B. Since only 1 user group can be assigned to a user, they will be assigned to User Group A from Rule #1 as it is ranked highest in priority.

• A user is in 2 directory groups with 2 rules assigned: Rule #1 is assigned Device Group A and Rule #2 is assigned Device Group B. Since you can have multiple device groups assigned to a user, the user will be assigned both Device Group A and Device Group B.

Note: Device group assignment is only applicable to accounts provisioned with RescueAssist.

• A user is in 3 directory groups with 3 rules assigned: Rule #1 is assigned GoToMeeting Pro, Rule #2 is assigned GoToMeeting Plus, and Rule #3 is assigned RescueAssist. The user will be assigned GoToMeeting Pro (due to higher ranked priority of the rule) and RescueAssist.

Note: For rules that contain more than 1 product tier (e.g., GoToMeeting Pro and GoToMeeting Plus), the rule with the highest priority ranking will be assigned, even if it is a lower-tiered product.
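Before turning User Sync on, it is worth predicting what a user who sits in several directory groups will actually receive, since the three resolution behaviours above differ (user group: highest-priority rule wins; device groups: union; product tier: highest-priority rule wins per product, even when its tier is lower). The following added example, which is not LogMeIn code and does not call any LogMeIn API, models those rules in PowerShell over constructed sample data. The group names, products and tiers are invented for illustration; the merge logic is the one described in the examples above.

```powershell
# Added example; not LogMeIn code. Models how User Sync resolves one user's
# entitlements from prioritized rules, so the outcome for a user in several
# directory groups can be checked before User Sync is enabled.
# Group names, products and tiers below are constructed for illustration.

# Each rule: Priority (1 = highest), the directory Group it applies to,
# Products as "Family:Tier", at most one UserGroup, zero or more DeviceGroups.
$Rules = @(
    @{ Priority = 1; Group = 'Support';  Products = @('GoToMeeting:Pro');      UserGroup = 'User Group A'; DeviceGroups = @('Device Group A') }
    @{ Priority = 2; Group = 'Sales';    Products = @('GoToMeeting:Plus');     UserGroup = 'User Group B'; DeviceGroups = @('Device Group B') }
    @{ Priority = 3; Group = 'Helpdesk'; Products = @('RescueAssist:Default'); UserGroup = $null;          DeviceGroups = @() }
)

function Resolve-UserSyncEntitlements {
    param(
        [Parameter(Mandatory)] [string[]] $MemberOf,   # directory groups the user is in
        [Parameter(Mandatory)] [object[]] $AllRules
    )
    # Only rules whose directory group contains the user apply, highest priority first.
    $applicable = @($AllRules | Where-Object { $MemberOf -contains $_.Group } | Sort-Object Priority)

    $products     = [ordered]@{}   # one tier per product family: the highest-priority rule
                                   # naming that family wins, even if its tier is the lower one
    $userGroup    = $null          # single-valued: highest-priority rule wins
    $deviceGroups = @()            # multi-valued: union across all applicable rules

    foreach ($rule in $applicable) {
        foreach ($p in $rule.Products) {
            $family, $tier = $p -split ':', 2
            if (-not $products.Contains($family)) { $products[$family] = $tier }
        }
        if (-not $userGroup -and $rule.UserGroup) { $userGroup = $rule.UserGroup }
        foreach ($dg in $rule.DeviceGroups) {
            if ($deviceGroups -notcontains $dg) { $deviceGroups += $dg }
        }
    }

    [pscustomobject]@{
        Products     = $products
        UserGroup    = $userGroup
        DeviceGroups = $deviceGroups
        # No matching rule means the user is suspended, not deleted (see "Delete an existing rule").
        Suspended    = ($applicable.Count -eq 0)
    }
}

# A user in all three groups ends up with GoToMeeting Pro (Rule #1 outranks Rule #2's Plus),
# RescueAssist, User Group A, and both device groups.
Resolve-UserSyncEntitlements -MemberOf @('Support', 'Sales', 'Helpdesk') -AllRules $Rules | Format-List
```

Feed it the real directory group names you selected in each rule and a user's AD group memberships (for example from Get-ADPrincipalGroupMembership) to see which rule grants a given administrator privilege; the "Administrator for this Account" option follows the same first-match behaviour as the user group in this model, so a high-priority rule with full admin privileges overrides any narrower manager rule below it.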

Enable and run User Sync

Once you have set up your rules and their prioritization, then you are ready to run User Sync as follows:

1. Toggle the switch on to enable the "User Sync is on" option.

2. If desired, you can click Activity History in the left menu to monitor admin activities.

Modify an existing rule

1. Click Edit on the rule you want to modify, then make changes to any of the value(s).

2. Click Save when finished, or to keep creating more rules, click Save & add another.

Delete an existing rule

Users within directory groups are never deleted. If all applicable rules for a user are deleted, the user is placed in a "suspended" state, which retains their account and product-related data (e.g., upcoming meetings, stored recordings, etc.). Only the settings within the rule are removed from use, while the users remain on your account.

• Click the Delete icon to remove a rule, then click Yes, delete to confirm.

Congratulations! You have completed all of the steps for setting up the Active Directory Connector v2. You can also learn more about updating the ADC v2 to the latest version when new versions become available.

Update the Active Directory Connector

The Active Directory Connector (ADC) receives Active Directory user updates and automatically makes the same changes in your LogMeIn account. Depending on whether you are updating the ADC from v1 or you have ADC v2 installed and are updating to the latest version, the instructions below will vary.


ANNOUNCEMENT: As of January 31, 2019, Active Directory Connector v1 will no longer work. It is required that all users of ADC v1 update to the latest version of ADC v2 before this date. For detailed migration instructions, please see How Do I Update My Active Directory Connector?

Update from ADC v1 to ADC v2

WARNING! If you are migrating from ADC v1 to ADC v2, it is absolutely necessary that you capture your existing user configuration rules for all of your user groups before uninstalling ADC v1. To obtain the most detailed information about each user group's configuration settings, we highly recommend that you run a User Status report in the Admin Center. For detailed migration steps, please see How Do I Update My Active Directory Connector?

To update from Active Directory Connector v1 to the Active Directory Connector v2, do the following:

1. Run a User Status report in the Admin Center and save it.

2. Uninstall your current version of ADC v1. This is required.

3. Once uninstalled, open your Windows Registry Editor (regedit.exe) and check whether you can navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ADCv2. If this registry location exists, delete all registry keys within this location, then close the Registry Editor.

4. Download and unzip the ActiveDirectoryConnector.zip file, which contains the ADCSSetup.msi and setup.exe files.

5. Run the Active Directory Connector Setup.exe file.

6. If prompted by User Account Control, click Yes to continue.

7. When the installer launches, click Next > Finish to complete the upgrade.

8. You can now configure the ADC.
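Steps 3 to 5 run on the ADC server itself and are the ones where a mistake is hardest to undo (a registry key deleted with nothing to restore, or an installer run that was not the one you downloaded). The following added example, which is not LogMeIn's installer and is not taken from the guide, does those steps from an elevated PowerShell prompt: it exports the leftover ADCv2 registry key before deleting it, and checks the Authenticode signature and SHA-256 hash of the unzipped installer files before launching setup.exe. The registry path and file names are the ones given above; the download folder and backup location are assumptions, and the guide does not state the expected signer, so the signer subject is printed for you to compare rather than hard-coded.

```powershell
# Added example; not LogMeIn's installer script. Automates the server-side part of
# the v1 -> v2 migration after ADC v1 has been uninstalled:
#   1) back up and remove the leftover HKLM\SOFTWARE\Citrix\ADCv2 key (step 3 above)
#   2) verify the installer's signature and hash before running it (steps 4-5 above)
# $Downloads and the backup path are assumptions; run from an elevated prompt.

$RegKey    = 'HKLM:\SOFTWARE\Citrix\ADCv2'
$Downloads = "$env:USERPROFILE\Downloads\ActiveDirectoryConnector"   # unzipped ActiveDirectoryConnector.zip

function Clear-AdcV2RegistryKey {
    param([string] $Key = $RegKey)
    if (-not (Test-Path $Key)) {
        Write-Host "No leftover key at $Key; nothing to delete."
        return
    }
    # reg.exe needs the hive in its own notation; keep a .reg backup before removing anything.
    $native = $Key -replace '^HKLM:\\', 'HKLM\'
    $backup = "$env:ProgramData\ADCv2-registry-$(Get-Date -Format yyyyMMdd-HHmm).reg"
    reg.exe export $native $backup /y | Out-Null
    Remove-Item -Path $Key -Recurse -Force
    Write-Host "Removed $Key (backup: $backup)"
}

function Test-AdcInstallerSignature {
    # Returns $true only if every installer file exists and carries a valid Authenticode
    # signature. The signer subject and SHA-256 are printed so they can be compared with
    # what the vendor publishes; the guide itself does not list them.
    param([string[]] $Files = @("$Downloads\setup.exe", "$Downloads\ADCSSetup.msi"))
    $ok = $true
    foreach ($f in $Files) {
        if (-not (Test-Path $f)) { Write-Warning "Missing: $f"; $ok = $false; continue }
        $sig  = Get-AuthenticodeSignature -FilePath $f
        $hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        Write-Host ("{0}`n  status: {1}`n  signer: {2}`n  sha256: {3}" -f
            $f, $sig.Status, $sig.SignerCertificate.Subject, $hash)
        if ($sig.Status -ne 'Valid') { $ok = $false }
    }
    return $ok
}

Clear-AdcV2RegistryKey
if (Test-AdcInstallerSignature) {
    # Launches the installer; the User Account Control prompt from step 6 follows.
    Start-Process -FilePath "$Downloads\setup.exe" -Wait
} else {
    Write-Error 'Installer signature check failed; do not run setup.exe until this is resolved.'
}
```

Keep the .reg backup and the printed hash with the change record for the migration: the backup lets you restore the pre-upgrade state if the new version will not start, and the hash lets you prove later which installer binary was actually executed on the server.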


Update your existing ADC v2 to the latest version

You can choose to enable automatic updates to allow the ADC service to install the newest versions as they become available. Additionally, you can initiate an automatic update, or choose to manually install ADC updates at your convenience.

To enable automatic updates, do the following:

Check the box to enable the "Automatically install new versions of the Active Directory Connector" option, then click Save. Once this option is enabled, the ADC initiates new updates as they become available by stopping the service, upgrading to the latest version, then restarting the service automatically without requiring user action.

To initiate an automatic update, do the following:

Click Update to <version> in the lower left corner to begin installing the latest version, which will stop the service, exit the application, install the update, then relaunch the application and restart the service automatically.

Not seeing this option?

If you don't see the Update to <version> hyperlink in the lower left corner, it means 1 of the following:

• You already have the latest version of ADC v2 installed.

• You are running an older build of the ADC v2 software (ADC v2.1.0.356 or earlier) that did not include this feature, and you can update manually to the latest version using the steps below.

To update manually, do the following:

1. Click Stop to stop the service.

2. Exit the application.

3. Install the latest version (for detailed steps, see Install Active Directory Connector v2).

4. Once the installation is complete, click Change user in the "LogMeIn permissions" section, then sign in once again with your LogMeIn admin account (with Organization Admin role enabled), and click Allow to grant access to the service. This is required.

If you choose to uninstall your current version first, you will be required to log in with the Windows user and LogMeIn account admin (with Organization Admin role enabled) account credentials after installation.

Uninstall the Active Directory Connector

To upgrade from an earlier version of Active Directory Connector or to reinstall the current version, you must first uninstall your current version. If you choose to keep the original ADC files on your server prior to uninstalling, rename the directory to Active Directory Connector v1, where v1 is the product version number. Please note that uninstalling the ADC will not remove your existing users and accounts (as they will continue to exist in the Admin Center), however, you will need to re-create your rules and priorities again for each directory group.

WARNING! If you are migrating from ADC v1 to ADC v2, it is absolutely necessary that you capture your existing user configuration rules for all of your user groups before uninstalling ADC v1. To obtain the most detailed information about each user group's configuration settings, we highly recommend that you run a User Status report in the Admin Center. For detailed migration steps, please see How Do I Update My Active Directory Connector?

Before you proceed, please note that the process for uninstalling an application from your computer varies by operating system. See your operating system's manual for more information.


You can uninstall your current version of the Active Directory Connector as follows:

1. If the Active Directory Connector is running, click Stop to shut down the service, then close the application.

2. On the Windows server where the ADC is installed, go to Control Panel > Programs and Features.

3. Locate "Active Directory Connector" in the list of programs, right-click the program and select Uninstall.

4. Click Yes to confirm, then click Yes again in the User Account Control dialog, if prompted.

5. You have now uninstalled the ADC. If desired, you can install the latest version.