product icon

SCIM Provisioning FAQs for LastPass Business Using OneLogin

    Please review frequently asked questions and troubleshooting topics below.

    Which provisioning features are supported by LastPass?

    LastPass supports the following provisioning features:
    • Create Users
    • Update User Attributes
    • Deactivate Users

    Do groups in OneLogin sync to the LastPass Admin Console?

    Yes. You can assign LastPass provisioning to specific groups in the OneLogin dashboard, and groups themselves are synced from OneLogin to LastPass.

    Can I assign more than one group to LastPass in OneLogin?

    Yes, you can assign as many custom groups to LastPass in the OneLogin dashboard as needed.

    If I update a group in OneLogin, are the changes reflected in LastPass?

    If you add or remove users to a group in OneLogin, the change will be reflected in LastPass and an account will be provisioned or deprovisioned as needed.

    Can users log in to LastPass with their OneLogin password?

    No. Users must create a separate LastPass master password when they receive their account invitation. The master password is used to form the encryption key to their LastPass vault, and is never shared with LastPass (or OneLogin).

    Can I choose to have users added to the Pending Approval tab in the Admin Console?

    No, users are automatically provisioned and will appear as live users.

    How can I test that the integration is syncing correctly?

    When first deploying LastPass Business with OneLogin, you can set up a small test group in OneLogin. Once you’ve confirmed that provisioning is working as expected, you can test adding and removing people in the test group. Once all testing is successful, you can then assign LastPass to all groups, or the specific groups that will be using LastPass.

    About the Don't send welcome email policy

    Users who are created via automated provisioning using directory integrations (i.e., SCIM provisioning or federated login) are automatically sent an activation code via email, which is required for finishing the account setup process. For this reason, the Don't send welcome email policy does not affect users created via automated provisioning.