How do I migrate users from one federated login Identity Provider to another?

LastPass admins who have set up federated login for LastPass using AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin can migrate their federated login users from their existing Identity Provider to another supported provider.

Step #1: Manually defederate your existing users

To defederate your existing users, LastPass admins that are enabled with the "Permit super admins to reset master passwords" policy must manually reset each federated login user's master password. This converts the federated user to a non-federated user. Learn about the policy and how to manually change master passwords for users.

Step #2: Disable the provisioning service in LastPass

To turn off the provisioning service between your existing Identity Provider and LastPass, admins can do the following:

Log in with your email address and master password to access the Admin Console at https://admin.lastpass.com/.
Go to Users > Federated login.
Select the tab of your existing Identity Provider, which will be one of the following:
- Active Directory Federated Services (AD FS)
- Azure AD
- Okta
- Google Workspace
- OneLogin
- PingOne
- PingFederate
Uncheck the box for the Enabled setting.
Click Save Settings.

Step #3: Set up your new Identity Provider service

Follow the instructions available to set up your new Identity Provider service. Here are some resources to help you get started:

Before enabling the new provisioning service, you must make sure that all existing LastPass users are assigned to the LastPass application in your new Identity Provider service, otherwise any unassigned users will be changed to a "disabled" status.

Important: Make sure that your user's existing primary email address configuration matches both the old and new Identity Provider service configuration to avoid creating duplicate accounts.

For more information about checking your users' configuration in the new domain, view If I change my company's domain, how do I make sure my LastPass users are updated?

Step #4: Set up federated login for LastPass using your new Identity Provider

Follow the instructions to set up federated login for LastPass with your new Identity Provider service from the list below.

Restriction: LastPass directory integrations have limitations, including the use of different directory instances and/or multi-domain & multi-forest configurations. Learn more about federated login limitations.

Set Up Simplified Federated Login for LastPass using AD FS – Uses a company key (recommended)
Set Up Federated Login for LastPass using AD FS – Requires changing your Active Directory Schema
Set Up Federated Login for LastPass Using Azure Active Directory
Set Up Federated Login for LastPass Using Okta With an Authorization Server (Option #1) – Using SCIM as the Identity Provider and directory provider
Set Up Federated Login for LastPass Using Okta With an Authorization Server(Option #2 - Hybrid) – Using Okta SSO as the Identity Provider and Active Directory as the directory provider
Set Up Federated Login for LastPass using Google Workspace
Set Up Federated Login for LastPass Using OneLogin
Set Up Federated Login for LastPass using PingOne
Set Up Federated Login for LastPass using PingFederate

Step #5: Convert users to federated login users

Once you have set up federated login for LastPass with your new Identity Provider service, you can convert your LastPass users to federated login users that utilize your new Identity Provider.

Important: Before a user can be re-federated, they must log in using their new master password.

You're all set!

Your LastPass users are now converted and can log in to LastPass via federated login using your new Identity Provider service.