Known issues and additional troubleshooting for Federated Login for Active Directory Federation Services (AD FS)

Blank screen after logging in as a federated user

Review possible cause(s) and resolutions below.

Table 1.
Possible Cause(s)	How to Fix
The AD FS service user does not have CONTROL ACCESS permissions	Follow these instructions from Step #3
In an AD FS farm environment, the AD FS plugin DLLs were not copied to the secondary and subsequent AD FS nodes	Follow these instructions from Step #6
Email address is not set as an AD attribute	Set an email address as an AD attribute
Custom attribute is not configured or present	Learn how to configure from Step #5 Learn how to populate from Step #6

Custom attribute is empty

Review possible cause(s) and resolutions below.

Table 2.
Possible Cause(s)	How to Fix
The LastPass AD Connector was not restarted after federated login became enabled in the LastPass Admin Console	Restart the LastPass AD Connector service to provision federated users
There is a custom attribute name mismatch between the LastPass Admin Console and the AD FS plugin	Follow these instructions
Federated login was not enabled in the LastPass Admin Console at the time when provisioning occurred via the LastPass AD Connector	Stop the LastPass AD Connector service. Log in and access the Admin Console at https://admin.lastpass.com/ Go to Users > Users and delete all the users that were provisioned as federated users. Go to Users > Federated login Check the box for the Enable setting. Restart the LastPass AD Connector service to provision federated users.

"Contact the LastPass administrator at your organization for help" after logging in as a federated user

About this task:

How to fix this: Disable multifactor authentication options and policies at the LastPass level.

Windows Event Log Errors

About this task:

Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0017: Attribute store 'LastPassAttributeStore' is not configured.

How to fix this:

Restart the AD FS Windows service on the AD FS server to load the LastPass AD FS plugin properly.
For an AD FS server farm environment, check the AD FS server farm configuration from Step #7.

Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust ' https://accounts.lastpass.com/ ' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.

How to fix this:

Check that the AD FS plugin has been installed from Step #4 and configured correctly from Step #5.
For an AD FS server farm environment, check the AD FS server farm configuration from Step #7.

Microsoft.IdentityServer.Web.InvalidScopeException: Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOMAIN\USERNAME for relying party trust ' https://accounts.lastpass.com/ '

How to fix this:

Check the user's Relying Party Trust and Issuance Authorization Rules (Windows Server 2012) or Access Control Policy (Windows Server 2016) on the AD FS server.
1. Log in to your primary Active Directory Federation Services (AD FS) server
2. Navigate to your AD FS Management Settings.
3. Go to Trust Relationships > Relying Party Trust in the left navigation, then follow the next steps based on your AD FS server version:
  - AD FS Server 3.0 – Windows Server 2012 R2
    1. In the "LastPass Trust" section in the right navigation, click Edit Claim Rules....
    2. Select the Issuance Authorization Rules tab and set your desired rule.
  - AD FS Server – 4.0 Windows Server 2016
    1. In the "LastPass Trust" section in the right navigation, click Edit Access Control Policy....
    2. Set your desired policy.

SAML processing error codes

About this task: The table below contains the SAML Processing error codes and the possible causes. The possible solutions are listed in Table 4.

Table 3. SAML Processing error codes
Status	Name	Description	Possible cause(s)
5	SecurityTokenNotYetValid	The SAML response is not yet valid according to ALP server time.	The ADFS server time settings are incorrect.
6	SecurityTokenExpired	The SAML response is expired.	The ADFS server time settings are wrong. The client browser cached a SAML response and tries to use it later.
9	SignatureVerificationKeyMismatch	The SAML response is signed with a different certificate than the certificate on the Federated Login page in the LastPass Admin Console.	The SAML response is signed with a different Token-signing certificate than the certificate on the Federated Login. You have an ADFS farm environment, and the nodes does not have the same Token-signing certificate configured.
13	MissingEmailClaim	The email assertion is not present in the SAML response or the email address is not valid (for example, missing @).	The Relying Party Trust configuration is invalid. The AD user has an invalid email address.
19	InvalidRequest	Invalid SAML request	SAML response is only partial or is completely missing.
21	ReplayedToken	The incoming SAML response was already sent to LastPass.
22	MissingLastPassSecret	LastPassKeyPart or LastPassKeyPartSignature assertion is not present in the SAML response.	AD Custom Attribute was not created. Users Custom Attribute is empty. ADFS service account does not have permission to read the Custom Attribute. The Relying Party Trust is invalid or misconfigured The ADFS plugin was removed, not installed or a wrong version was installed.
23	MissingDirectoryUserName	The DirectoryUserName (AD username) assertion is not present in the SAML response.	The Relying Party Trust configuration is invalid.
26	MissingAlpSecret	The K2 secret is not present for this user in the ALP database.	The LP workers have not yet processed the background job for this user provision.

Table 4. SAML Processing error codes possible solutions
Status	Name	Possible solutions
5	SecurityTokenNotYetValid	Set the server time to the actual time, using the built-in NTP functionality if desired.
6	SecurityTokenExpired	Set the server time to the actual time, using the built-in NTP functionality if desired. Clear browser cache and cookies for the ADFS server host.
9	SignatureVerificationKeyMismatch	Get the public key of the actual Token-signing certificate of the ADFS server and update the public key on the Federated Login page in the Admin Console. Update the ADFS nodes to have the same Token-signing certificate, and update the public key on the Federated Login page in the Admin Console.
13	MissingEmailClaim	Check if Relying Party configuration is valid and fix it if necessary. Re-install the ADFS plugin. Check the email address with the Active Directory Users and Computers.
19	InvalidRequest	Check the request sent to https://accounts.lastpass.com/auth/saml2/<IdP-GUID> URL with the browser's developer tools/network traffic. Attach the request body to the ADFS server event log and send it to support.
21	ReplayedToken	Login again using the extension, and check again. If the issue still persist, report it ot the support team.
22	MissingLastPassSecret	Check if the attribute is present. Check if the user's Custom Attribute is empty. Refer to AD Connector log if the account was provisioned correctly. Check if the ADFS service account has the required permission to read the Custom Attribute. Set the permissions correctly. Check the configuration and reinstall ADFS plugin if necessary. Re-install the correct version.
23	MissingDirectoryUserName	Check if the RP configuration is valid and fix it if necessary. Re-install the ADFS plugin.
26	MissingAlpSecret	Wait a few minutes until the background job is processed. The background job might be stucked. Contact the LastPass support team. Since a missing part from the secret renders the account unusable, delete the account from the LastPass website, so the AD Connector can try to provision that account again.