Once you have configured the LastPass Data Store, create a new Service Provider connection.
-
- Open PingFederate.
- Select .
- On the Connection Template tab, enable Do not use a template for this connection.
- Select Next.
- On the Connection Type tab, enable Browser SSO Profiles.
- Set the Protocol to SAML2.0.
- Select Next.
- On the Connection Options tab, enable Browser SSO if not enabled by default, then click Next.
- On the Import Metadata tab, select None.
- On the General info tab, enter https://accounts.lastpass.com in the Partner's Entity ID field.
- Enter LastPass in the Connection Name field.
- Select Next.
- On the Browser SSO tab, select Configure Browser SSO.
- Configure Browser SSO.
- Select .
- Select SP-initiated SSO.
- Configure Assertion Creation.
- On the Assertion Lifetime tab, keep the default values, then click Next.
- On the Assertion Creation tab, select Configure Assertion Creation.
- Select Standard in Identity Mapping, then click Next.
- On the Attribute Contract tab, select SAML_SUBJECT.
- Set the Subject Name Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Add the following attributes to Extend the Contract with the Attribute Name Format urn:oasis:names:tc:SAML:2.0:attrname-format-unspecified:
- DirectoryUserName
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- LastPassKeyPart
- LastPassKeyPartSignature
- Select Next.
- Map new adapter instance.
- On the Authentication Source Mapping tab, select Map New Adapter instance.
- Select your desired Adapter Instance, then click Next.
- On the Mapping Method tab, enable Retrieve Additional attributes from multiple data stores using one mapping, then click Next.
- Add the Active Directory attribute source.
- On the Attribute Sources & User Lookup tab, select Add Attribute Source.
- On the Data Store tab, configure the following settings:
| Configuration settings |
Instructions |
| Attribute Source ID |
0 |
| Attribute Source Description |
Enter your description |
| Active Data Store |
Active Directory |
- Select Next.
- On the LDAP Directory search tab, configure the settings as follows:
| Configuration settings |
Instructions |
| Base DN |
Enter your domain (for example, DC=testcorp,DC=com). |
| Search Scope |
Set to SUBTREE_SCOPE. |
| Attributes to return from search |
- Set Root Object Class to Show All Attributes.
- Add the following attributes:
- Subject DN
- givenName
- mail
- sAMAccountName
- sn
|
- Select Next.
- On the LDAP Filter tab, enter (sAMAccountName=${username}) in the "Filter" field.
- On the Summary tab, select Done.
- Add the LastPass Data Store Directory attribute source.
- On the Attribute Sources & User Lookup tab, select Add Attribute Source.
- On the Data Store tab, configure the settings as follows:
| Configuration settings |
Instructions |
| Attribute Source ID |
1 |
| Attribute Source Description |
Enter your description |
| Active Data Store |
LastPass Federated Login |
- Select Next.
- On the Configure Data Source Filters tab, enter ${mail} into the "LASTPASSDATASTORE USERNAME" field.
- Select Next.
- On the Configure Data Source Fields tab, enable the LASTPASSKEYPART and LASTPASSKEYPARTSIGNATURE settings.
- On the Summary tab, select Done.
- Configure the Attribute Contract Fulfillment mapping.
- On the Attribute Contract Fulfillment tab, configure the settings as follows:
| Attribute Contract |
Source |
Value |
| Directory Username |
LDAP (AD) |
sAMAccountName |
| LastPassKeyPart |
Other (LastPass) |
LastPassKeyPart |
| LastPassKeyPartSignature |
Other (LastPass) |
LastPassKeyPartSignature |
| SAML_SUBJECT |
Text |
LastPassFederatedLogin |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
LDAP (AD) |
mail |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
LDAP (AD) |
givenName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
LDAP (AD) |
sn |
- Select Next.
- Optional: Specify any authorization condition(s) on the Issuance Criteria tab, then click Next.
- On the Summary tab, click Done.
- On the Assertion Creation tab, select Next.
- Configure the Protocol settings.
- On the Protocol Settings tab, select Configure Protocol Settings.
- On the Assertion Consumer Service URL tab, enable the Default setting.
- Set the SAML Binding to POST.
- Enter the Endpoint URL, which is the LastPass Assertion Consumer Service URL copied in Step #2.
- Select Next.
- On the Allowable SAML Bindings tab, enable the POST setting.
- Leave the default values for other settings as is.
- On the Summary tab, select Done.
Result: Your Browser SSO settings are configured.
- Set the credentials.
- On the Credentials tab, select Configure Credentials
- On the Digital Signature Settings tab, select your Signing Certificate.
- Enable the INCLUDE THE CERTIFICATE IN THE SIGNATURE <KEYINFO> ELEMENT setting, and then click Next.
- On the Summary tab, select Done.
- On the Credentials tab, click Next.
- Review your settings on the Activation & Summary tab.
- Select Save.
The setup is complete! You have successfully set up your
LastPass Business account to use federated login with PingFederate.
All of your newly populated federated users will receive a Welcome email informing them that they can now log in to use LastPass. Please note that your LastPass users must log in using the LastPass browser extension in order to use federated login for their PingFederate account with LastPass.