HELP FILE

Set Up Federated Login for LastPass using PingFederate

    LastPass Business account administrators can set up and configure PingFederate so that users can utilize their organization's Active Directory account to log in to LastPass without ever having to create a second master password.

    Federated Login with PingFederate selected in the new Admin Console

    System Requirements

    To use PingFederate with LastPass, the following is required:

    • PingFederate 10.3 or PingFederate 11.0
    • An active PingFederate account
    • An active trial or paid LastPass Business account
      • At least one (1) admin account enabled
      • A user license count that matches (or exceeds) the user count that will be synced with your Active Directory (both non-production and live environments)
        Tip:  If you are testing in your non-production environment, it is recommended to set up a separate LastPass Business test account, which you can register for here.
    • An active LastPass Business admin (required when activating your trial or paid account)
      Note: If you have not started a LastPass Business trial, contact our Sales team at lastpass.com/contact-sales for more information.
    • Active Directory server environments (both non-production and live) that meet the following requirements:
      • Active Directory should be the System of Record for users and groups that are synced to LastPass using LastPass Active Directory Connector
      • Both environments are set up and configured to use PingFederate 10.3 or PingFederate 11.0.
      • Your firewall settings are configured to reach https://www.lastpass.com and its subdomains and you confirmed they are not blocked by any firewall rule on all of your PingFederate servers.
    • It is required that you enable the “Permit super admins to reset master passwords” policy for at least one LastPass admin who is also a non-federated admin, in the LastPass new Admin Console. This ensures that all LastPass user accounts can still be recovered via master password reset, if a critical setting is misconfigured or changed for federated login after setup is complete.
    • It is helpful to open a text editor application so that you can copy and paste values that will be used between your LastPass new Admin Console and PingFederate.

    Before you begin

    • Review the limitations that apply to federated user accounts.
      Restriction: LastPass does not support the use of multiple domains for directory integrations and federated login.
    • It is highly recommended that you create a non-production Active Directory environment so that you can familiarize yourself with PingFederate for LastPass Business.
      • Your test environment should also include a non-production version of the components in Step #1 (including creating a separate LastPass Business trial account for testing). Please follow all of the setup steps below using your non-production LastPass Business account with your test environment first to avoid any unintentional user account data loss.
    • It is also highly recommended that in a live environment you implement Multifactor Authentication for your users, however, please be aware of the following:
      • You must set up Multifactor Authentication at the Identity Provider level (PingFederate), and not at the LastPass level (via the Admin Console and/or end user Account Settings). Using Multifactor Authentication within LastPass is not supported for federated users, and will result in those users being unable to access their vault.
      • You cannot enforce Multifactor Authentication policies in the LastPass Admin Console because this authentication will occur outside of LastPass, between your Identity Provider (PingFederate) and your authentication service. For this reason, we recommend enforcing Multifactor Authentication policies in PingFederate.
    Note: Federated login users are granted an automatic increase of 10% on their security score since multifactor authentication must be set up at the Identity Provider level (within AD FS, Azure AD, Okta, PingOne, PingFederate, Google Workspace, or OneLogin settings) and not at the LastPass level (within the Multifactor Options tab in the Account Settings of their vault).

    Part #1: Follow the related instructions

    Follow the instructions to set up federated login for LastPass using PingFederate starting with Step #1: Capture your Identity Provider URL and Identity Provider Public Key and ending with Step #5: Create a new Service Provider (SP) Connection.

    Part #2: Set up multifactor authentication for PingFederate (optional)

    If desired, you can set up multifactor authentication at the PingFederate (Identity Provider) level described in the official PingFederate documentation.

    Setup is complete!

    You have successfully set up your LastPass Business account to use Active Directory with PingFederate.