SCIM Provisioning FAQs for LastPass Business Using Okta
Please review frequently asked questions and troubleshooting topics below.
Please be aware of the following:
- The “Push Groups” feature is supported in the LastPass Sync application.
- Username updates are not supported by LastPass. Updating the user’s username in Okta will initiate a creation of a new user with the new, updated username in the LastPass new Admin Console.
- It is strongly recommended that you have at least one LastPass admin that is enabled with the “Permit super admins to reset Master Passwords” policy.
Do groups in Okta sync to the LastPass Admin Console?
Yes. You can assign LastPass provisioning to specific groups in the Okta dashboard, and groups themselves are synced from Okta to LastPass.
Can I assign more than one group to LastPass?
Yes, you can assign as many custom groups to LastPass in the Okta dashboard as needed.
If I update a group in Okta, are the changes reflected in LastPass?
If you add or remove users to a group in Okta, the change will be reflected in LastPass and an account will be provisioned or deprovisioned as needed.
Can users log in to LastPass with their Okta password with these instructions?
Not with these instructions – following the instructions in the Okta SCIM Integration Guide still requires users to create a separate LastPass master password when they receive their account invitation.
However, federated login using Okta is supported, which allows users to log in to LastPass using their Okta account – no separate master password required! For those setup instructions, see Set Up Federated Login for LastPass Using Okta With an Authorization Server.
Can I choose to have users added to the Pending Approval tab in the Admin Console?
No, users are automatically provisioned and will appear as live users.
How can I test that the integration is syncing correctly?
When first deploying LastPass Business with Okta, you can set up a small test group in Okta. Once you’ve confirmed that provisioning is working as expected, you can test adding and removing people in the test group. Once all testing is successful, you can then assign LastPass to all groups, or the specific groups that will be using LastPass.
About the Don't send welcome email policy
Users who are created via automated provisioning using directory integrations (i.e., SCIM provisioning or federated login) are automatically sent an activation code via email, which is required for finishing the account setup process. For this reason, the Don't send welcome email policy does not affect users created via automated provisioning.