HELP FILE

How do I migrate users from one federated login Identity Provider to another?

    LastPass admins who have set up federated login for LastPass using AD FS, Azure AD, Okta, Google Workspace, PingOne, or PingFederate can migrate their federated login users from their existing Identity Provider to another supported provider.

    Step #1: Manually defederate your existing users

    To defederate your existing users, a LastPass admin who has the "Permit super admins to reset master passwords" policy enabled must manually reset each federated login user's master password. This converts the federated user to a non-federated user. Learn about the policy and how to manually change master passwords for users.

    Step #2: Disable the provisioning service in LastPass

    To turn off the provisioning service between your existing Identity Provider and LastPass, admins can do the following:

    1. Log in with your email address and master password to access the Admin Console at https://lastpass.com/company/#!/dashboard.
    2. In the left navigation, go to Settings > Federated login.
    3. Log in with your email address and master password to access the Admin Console at https://admin.lastpass.com/.
    4. Go to Users > Federated login.
    5. Select the tab of your existing Identity Provider, which will be one of the following:
      • Active Directory Federated Services (AD FS)
      • Azure AD
      • Okta
      • Google Workspace
      • PingOne
      • PingFederate
    6. Uncheck the box for the Enabled setting.
    7. Click Save Settings.

    Step #3: Set up your new Identity Provider service

    Follow the instructions available to set up your new Identity Provider service. Here are some resources to help you get started:

    Before enabling the new provisioning service, make sure that all existing LastPass users are assigned to the LastPass application in your new Identity Provider service. Otherwise, any unassigned users will be changed to a "disabled" status.
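
    One way to run that assignment check before enabling provisioning, as an added example that is not LastPass's own tooling: it compares a LastPass user export against the new Identity Provider's list of users assigned to the LastPass application and reports who would be disabled. The CSV layout, the column names "email" and "user", the sample rows, and case-insensitive address matching are all assumptions.

```python
import csv
import io

# Constructed sample exports; the column names "email" and "user" are assumptions.
LASTPASS_EXPORT = """email,status
Alice@example.com,active
bob@example.com,active
carol@example.com,active
 dave@example.com ,active
"""

IDP_ASSIGNMENTS = """user,app
alice@example.com,LastPass
BOB@EXAMPLE.COM,LastPass
erin@example.com,LastPass
"""


def normalize(address):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return address.strip().lower()


def load_addresses(csv_text, column):
    """Return the set of normalized, non-empty addresses in one CSV column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in export")
    return {normalize(row[column]) for row in reader
            if row[column] and row[column].strip()}


def preflight(lastpass_csv, idp_csv, lastpass_col="email", idp_col="user"):
    """Split users into those ready to migrate and those who would be disabled."""
    lastpass_users = load_addresses(lastpass_csv, lastpass_col)
    assigned = load_addresses(idp_csv, idp_col)
    return {
        "would_be_disabled": sorted(lastpass_users - assigned),
        "assigned_without_lastpass_account": sorted(assigned - lastpass_users),
        "ready": sorted(lastpass_users & assigned),
    }


if __name__ == "__main__":
    report = preflight(LASTPASS_EXPORT, IDP_ASSIGNMENTS)
    for email in report["would_be_disabled"]:
        print(f"NOT ASSIGNED in new IdP (would be disabled): {email}")
    # Non-zero exit lets a change-management script block the cutover.
    raise SystemExit(1 if report["would_be_disabled"] else 0)
```

    Run it against fresh exports immediately before enabling the new provisioning service, and proceed only when the "would_be_disabled" list is empty.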

    Step #4: Set up federated login for LastPass using your new Identity Provider

    Follow the instructions to set up federated login for LastPass with your new Identity Provider service:

    Step #5: Convert users to federated login users

    Once you have set up federated login for LastPass with your new Identity Provider service, you can convert your LastPass users to federated login users that utilize your new Identity Provider.

    You're all set!

    Your LastPass users are now converted and can log in to LastPass via federated login using your new Identity Provider service.