HELP FILE

Step #2: Capture your Identity Provider URL and Identity Provider Public Key in LastPass

    Log in to your Active Directory Federation Services (AD FS) server and obtain your full Identity Provider URL (Federation Service name + Endpoint Token Issuance URL Path), and your Identity Provider Public Key.

    Identity Provider URL

    1. Log in to your Active Directory Federation Services (AD FS) server and start the AD FS Management tool.
    2. Right-click on Service > Edit Federation Service Properties.
    3. On the General tab, copy the URL within the Federation Service name field (e.g., fs.fabrikam.com) and paste it into a text editor. Be sure that the Federation Service name you enter into your text editor begins with "https://", because a secure protocol is required (e.g., https://fs.fabrikam.com).

      Copy Federation Service Name

    Endpoint Token Issuance URL Path

    1. In the AD FS Management tool, go to Service > Endpoints.
    2. In the Token Issuance section, locate the entry with SAML 2.0/WS-Federation listed in the "Type" column (e.g., adfs/ls is the default path, but can vary depending on your environment).
    3. Copy the value within the URL Path field and paste it into a text editor at the end of the Identity Provider URL path so that it looks like this: https://<Federation Service name> + <Endpoint Token Issuance URL Path>. For example, all 3 components combined would be https://fs.fabrikam.com/adfs/ls as your full Identity Provider URL.

      Copy AD FS Endpoint Token Issuance URL Path

    Identity Provider Public Key

    1. In the AD FS Management tool, go to Service > Certificates.
    2. Right-click on the Token-signing Certificate entry and select View Certificate.
    3. Click on the Details tab, then click to select Public key.
    4. In the section below, highlight and copy the entire Public Key, then paste it into a text editor.

      Once your full Identity Provider URL and Identity Provider Public Key have been recorded in a text editor, proceed to the next step.

      Public Key from Details of Token-signing Certificate Properties

    Additional step for AD FS farm environments

    Confirm that each AD FS node has the same Token-signing certificate.
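
The same values can be read with the AD FS PowerShell module and the farm check done in one pass. This is an added example, not part of the original help file. It assumes an elevated session on an AD FS server and PowerShell remoting to each node. The node names are placeholders.

```powershell
# Added example: read the values this step asks for, then compare farm nodes.
Import-Module ADFS

# Federation Service name (General tab of Federation Service Properties).
$fsName = (Get-AdfsProperties).HostName

# Token Issuance endpoint whose Type column reads "SAML 2.0/WS-Federation".
$endpoint = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
    Select-Object -First 1
if (-not $endpoint) { throw 'No enabled SAML 2.0/WS-Federation endpoint found.' }

# Full Identity Provider URL, trimmed to the form of the page's example.
$idpUrl = ('https://{0}{1}' -f $fsName, $endpoint.AddressPath).TrimEnd('/')

# More than one token-signing certificate is listed during a rollover;
# the primary one is the certificate currently used to sign tokens.
$primary = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary | Select-Object -First 1
if (-not $primary) { throw 'No primary token-signing certificate found.' }
if ($primary.Certificate.NotAfter -lt (Get-Date)) {
    Write-Warning "Token-signing certificate expired $($primary.Certificate.NotAfter)."
}

[pscustomobject]@{
    IdentityProviderUrl = $idpUrl
    Thumbprint          = $primary.Thumbprint
    NotAfter            = $primary.Certificate.NotAfter
    # Hex of the encoded public key, without the spaces the dialog shows.
    PublicKeyHex        = $primary.Certificate.GetPublicKeyString()
} | Format-List

# Farm check: every node should report the same primary thumbprint.
$nodes = 'adfs01.example.internal', 'adfs02.example.internal'  # placeholders
$perNode = Invoke-Command -ComputerName $nodes -ScriptBlock {
    $c = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object IsPrimary | Select-Object -First 1
    [pscustomobject]@{ Node = $env:COMPUTERNAME; Thumbprint = $c.Thumbprint }
}
$groups = @($perNode | Group-Object Thumbprint)
if ($groups.Count -gt 1) {
    Write-Warning 'Token-signing certificate differs between nodes:'
    $perNode | Sort-Object Node | Format-Table Node, Thumbprint
} else {
    "All $($perNode.Count) nodes report thumbprint $($groups[0].Name)."
}
```

Compare the printed thumbprint with the one shown in View Certificate before pasting the key, so the value recorded for LastPass belongs to the certificate that is actually signing tokens.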