product icon

Set Up Federated Login for LastPass Using Okta SSO and Active Directory

    Option #2 (hybrid configuration)

    LastPass Business account admins can set up and configure federated login using Okta in a few different ways so that users can log in to LastPass without ever having to create a second Master Password. Once Okta federated login is set up, LastPass Business users can log in to LastPass using their Okta account (instead of a username and separate master password) to access their LastPass vault.

    Federated login using Okta can be set up in the following ways:

    Option Identity Provider Directory Provider Authorization Server Account requirements

    Option #1 (standard configuration, without an authorization server)

    For more information, see Set Up Federated Login for LastPass Using Okta Without an Authorization Server.

    Okta SCIM

    Okta SCIM

    		All of the following:
    • Okta Single Sign-On
    • Okta Lifecycle Management
    • An active trial or paid LastPass Business account
    • An active LastPass Business admin (required when activating your trial or paid subscription)

    Option #2 (hybrid configuration)

    For more information, see instructions below.

    Okta SSO

    Active Directory

    		All of the following:
    • Okta Single Sign-On
    • Active Directory
    • An active trial or paid LastPass Business account
    • An active LastPass Business admin (required when activating your trial or paid account)

    Option #3 (standard configuration, with an authorization server)

    For more information, see Set Up Federated Login for LastPass Using Okta With an Authorization Server.

    Okta SCIM

    Okta SCIM

    		All of the following:
    • Okta Single Sign-On
    • Okta Lifecycle Management
    • API Access Management
    • An active trial or paid LastPass Business account
    • An active LastPass Business admin (required when activating your trial or paid subscription)
    Note: If you have not started a LastPass Business trial, contact our Sales team at lastpass.com/contact-sales for more information.

    This guide provides setup instructions for using LastPass with Okta SSO (single sign-on) as your Identity Provider (IdP) and Active Directory as your directory provider. This type of setup may be referred to as a “hybrid” configuration (Option #2).

    Before you begin

    Before you begin the setup process between the LastPass Admin Console and the Okta Admin portal, review the following important information that applies to federated users:

    Note: Firefox version 103 or newer does not support Okta PKCE Federated Login.
    Restriction: LastPass does not support the use of multiple domains for directory integrations and federated login, including the use of different directory instances and/or multi-domain & multi-forest configurations. Learn more about federated login limitations.

    You are now ready to follow the step-by-step instructions indicated at the bottom of the page to set up federated login using Okta SSO as your Identity Provider and Active Directory as your directory provider.

      In this section:

    1. Step #1: Create a Single-Page Application for LastPass to Enable Login with Okta
    2. Step #2: Enable the Authorization Code Grant Type
    3. Step #3: Add a Company-Wide Key as a Group Claim
    4. Step #4: Enable CORS for LastPass
    5. Step #5: Set Up Okta Federated Login in LastPass with PKCE Flow
    6. Step #6: Provision Users to LastPass Using the LastPass AD Connector
    7. Step #7: Assign the User to the Single-Page Application