Set up federated login for LastPass using AD FS
LastPass Business account administrators can set up and configure Active Directory Federation Services (AD FS) so that users can utilize their organization's Active Directory account to log in to LastPass without ever having to create a second Master Password.
Note: By default, we recommend using a company-wide key for all users, which is outlined in our Set up simplified federated login for LastPass using AD FS setup instructions. The steps summarized in this article demand advanced expertise in configuring Active Directory, and will also require a change to your Active Directory Schema. To avoid unexpected configuration outcomes, we strongly advise that you follow the steps outlined in our Simplified AD FS setup instructions. If you still want to proceed and set up a unique key for each of your users, please follow the instructions below.
Before you begin implementation...
- Review the limitations that apply to federated user accounts.
Restriction: LastPass directory integrations have limitations, including the use of different directory instances and/or multi-domain & multi-forest configurations. Learn more about federated login limitations.
- It is highly recommended that you create a non-production Active Directory environment with Federation Services so that you can familiarize yourself with AD FS for LastPass Business.
- Your test environment should also include a non-production version of the components in Step #1 (including creating a separate LastPass Business trial account for testing). Please follow all of the setup steps below using your non-production LastPass Business account with your test environment first to avoid any unintentional user account data loss.
- It is also highly recommended that in a live environment you implement Multifactor Authentication for your users; however, please be aware of the following:
Note: Federated login users are granted an automatic increase of 10% on their security score since multifactor authentication must be set up at the Identity Provider level (within AD FS, Azure AD, Okta, PingOne, PingFederate, Google Workspace, or OneLogin settings) and not at the LastPass level (within the Multifactor Options tab in the Account Settings of their vault).
- You must set up Multifactor Authentication at the Identity Provider level (AD FS), and not at the LastPass level (via the Admin Console and/or end user Account Settings). Using Multifactor Authentication within LastPass is not supported for federated users, and will result in those users being unable to access their vault.
- You cannot enforce Multifactor Authentication policies in the LastPass Admin Console because this authentication will occur outside of LastPass, between your Identity Provider (AD FS) and your authentication service. For this reason, we recommend enforcing Multifactor Authentication policies in AD FS.
- By default, we recommend using a company-wide key for all users, which is outlined in our Set up simplified federated login for LastPass using AD FS setup instructions. The instructions outlined in this article will require a change to your Active Directory Schema. If you still want to set up a unique key for each of your users, please follow the instructions outlined within this article.
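Because Multifactor Authentication must be enforced in AD FS rather than in LastPass, the following added example (not part of the LastPass article, and not LastPass's own tooling) shows how an administrator would bind an MFA-requiring access control policy to the LastPass relying party trust on the AD FS server. It assumes AD FS on Windows Server 2016 or later and a relying party trust whose display name is the placeholder "LastPass"; the older additional-authentication-rule form for AD FS 2012 R2 is shown as an alternative.

```powershell
# Added example: enforce MFA for the LastPass relying party at the AD FS (IdP) level.
# Assumptions: run in an elevated PowerShell session on the AD FS server; the
# relying party trust display name below is a placeholder, change it to yours.
$rpName = "LastPass"   # placeholder: display name of your LastPass relying party trust

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# AD FS 2016 and later ship a built-in access control policy that permits all
# users but requires a second factor; assigning it to the trust is the
# "access control policy change" an admin would apply for this relying party.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AccessControlPolicyName "Permit everyone and require MFA"

# Confirm the policy is now attached to the trust.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, AccessControlPolicyName

# Alternative for AD FS 2012 R2 (no access control policies): an additional
# authentication rule that always demands the "multipleauthn" method.
# $mfaRule = @'
# => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
#          Value = "http://schemas.microsoft.com/claims/multipleauthn");
# '@
# Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule
```

After applying the policy, test with a non-production user: a federated login attempt against the LastPass trust should prompt for the second factor at AD FS before any LastPass page is reached.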
- Step #1: Ensure the required components checklist is complete in LastPass
- Step #2: Capture your Identity Provider URL and Identity Provider Public Key in LastPass
- Step #3: Configure your LastPass Business federated login settings in LastPass
- Step #4: Install the LastPass Active Directory Connector in LastPass
- Step #5: Register your custom attribute with LastPass
- Step #6: Apply access control policy changes in LastPass
In this section: