product icon

Step #1: Ensure the required components checklist is complete in LastPass

    Before you can begin using Active Directory Federation Services (AD FS) with LastPass Business, you must already have the items listed below set up (for both non-production and live environments).

    Account requirements

    • An active LastPass Business account that includes:
      • At least one admin account enabled
      • A user license count that matches (or exceeds) the user count that will be synced with your Active Directory (both non-production and live environments)
        Note:  If you are testing in your non-production environment, it is recommended to set up a separate LastPass Business test account, which you can register for here.
    • Active Directory server environments (both non-production and live) that meet the following requirements:
      • Both environments are set up and configured to use Federation Services (AD FS 3.0 for Windows Server 2012 R2 or AD FS 4.0 for either Windows Server 2016 or Windows Server 2019 or Windows Server 2022) with the latest updates installed, including .Net Framework.
      • You have created a custom attribute field (or re-purposed an existing attribute that was available to customize) and it has been set as CONFIDENTIAL (which allows you to set the read permissions only for privileged admins) and confirmed that it is listed in both your non-production and live Active Directory environments. The custom attribute's attributeSyntax must be 2.5.5.4 = ( NOCASE_STRING ) for a successful configuration.

        Note: The name of the custom attribute must be alphanumeric characters only (no special characters or spaces). It is also case-sensitive, and should be recorded exactly as it appears in the Active Directory Attribute Editor.

      • Your firewall settings are configured to reach https://www.lastpass.com and its subdomains and you confirmed they are not blocked by any firewall rule on all of your AD FS servers.
      • The AD user that runs the AD FS service (AD FS calls into the Custom Attribute Store, which reads the K1 at the time of the login) – must have "CONTROL ACCESS" permissions
    • The "Permit super admins to reset master passwords" policy enabled
      • It is required that you enabled the "Permit super admins to reset master passwords" policy for at least one LastPass admin (who is also non-federated admin) in the LastPass Admin Console. This ensures that all LastPass user accounts can be still be recovered (via Master Password reset) if a critical setting is misconfigured or changed for federated login after setup is complete.

    Once you have completed all of these requirements, you will need to capture several key pieces of information during the setup process.  Open a text editor application and prepare the following fields:

    • Active Directory Custom Attribute:
    • Identity Provider URL:
    • Identity Provider Public Key:
    • Service Provider URL:
    Parent article: Set up federated login for LastPass using AD FS
    Next article: Step #2: Capture your Identity Provider URL and Identity Provider Public Key in LastPass