HELP FILE

Step #5: Create a new Service Provider (SP) Connection

    Once you have configured the LastPass Data Store, create a new Service Provider connection.

      1. Open PingFederate.
      2. Select Applications > SP Connections > Create Connection.
      3. On the Connection Template tab, enable Do not use a template for this connection.
      4. Select Next.
      5. On the Connection Type tab, enable Browser SSO Profiles.
      6. Set the Protocol to SAML2.0.
      7. Select Next.
      8. On the Connection Options tab, enable Browser SSO if not enabled by default, then click Next.
      9. On the Import Metadata tab, select None.
      10. On the General info tab, enter https://accounts.lastpass.com in the Partner's Entity ID field.
      11. Enter LastPass in the Connection Name field.
      12. Select Next.

        Service Provider Connection Settings

      13. On the Browser SSO tab, select Configure Browser SSO.
    • Configure Browser SSO.
      1. Select Browser SSO > Configure Browser SSO.
      2. Select SP-initiated SSO.
    • Configure Assertion Creation.
      1. On the Assertion Lifetime tab, keep the default values, then click Next.
      2. On the Assertion Creation tab, select Configure Assertion Creation.
      3. Select Standard in Identity Mapping, then click Next.
      4. On the Attribute Contract tab, select SAML_SUBJECT.
      5. Set the Subject Name Format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
      6. Add the following attributes to Extend the Contract, each with the Attribute Name Format urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified:

        • DirectoryUserName
        • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
        • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
        • LastPassKeyPart
        • LastPassKeyPartSignature

        Attribute Contract settings in PingFederate

      7. Select Next.
    • Map new adapter instance.
      1. On the Authentication Source Mapping tab, select Map New Adapter instance.
      2. Select your desired Adapter Instance, then click Next.
      3. On the Mapping Method tab, enable Retrieve Additional attributes from multiple data stores using one mapping, then click Next.
    • Add the Active Directory attribute source.
      1. On the Attribute Sources & User Lookup tab, select Add Attribute Source.
      2. On the Data Store tab, configure the following settings:

        Configuration setting          Instructions
        Attribute Source ID            0
        Attribute Source Description   Enter your description
        Active Data Store              Active Directory

      3. Select Next.
      4. On the LDAP Directory search tab, configure the settings as follows:

        Configuration setting              Instructions
        Base DN                            Enter your domain (for example, DC=testcorp,DC=com).
        Search Scope                       Set to SUBTREE_SCOPE.
        Attributes to return from search   1. Set Root Object Class to Show All Attributes.
                                           2. Add the following attributes:
                                              • Subject DN
                                              • givenName
                                              • mail
                                              • sAMAccountName
                                              • sn

      5. Select Next.
      6. On the LDAP Filter tab, enter (sAMAccountName=${username}) in the "Filter" field.
      7. On the Summary tab, select Done.

        Data Store and LDAP settings in PingFederate

    • Add the LastPass Data Store Directory attribute source.
      1. On the Attribute Sources & User Lookup tab, select Add Attribute Source.
      2. On the Data Store tab, configure the settings as follows:

        Configuration setting          Instructions
        Attribute Source ID            1
        Attribute Source Description   Enter your description
        Active Data Store              LastPass Federated Login

      3. Select Next.
      4. On the Configure Data Source Filters tab, enter ${mail} into the "LASTPASSDATASTORE USERNAME" field.
      5. Select Next.
      6. On the Configure Data Source Fields tab, enable the LASTPASSKEYPART and LASTPASSKEYPARTSIGNATURE settings.
      7. On the Summary tab, select Done.

        Data Store and Data Source settings in PingFederate

    • Configure the Attribute Contract Fulfillment mapping.
      1. On the Attribute Contract Fulfillment tab, configure the settings as follows:

        Attribute Contract                                                  Source             Value
        DirectoryUserName                                                   LDAP (AD)          sAMAccountName
        LastPassKeyPart                                                     Other (LastPass)   LastPassKeyPart
        LastPassKeyPartSignature                                            Other (LastPass)   LastPassKeyPartSignature
        SAML_SUBJECT                                                        Text               LastPassFederatedLogin
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  LDAP (AD)          mail
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname     LDAP (AD)          givenName
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname       LDAP (AD)          sn

      2. Select Next.

        Attribute Contract Sources and Values in PingFederate

      3. Optional: Specify any authorization condition(s) on the Issuance Criteria tab, then click Next.
      4. On the Summary tab, click Done.
      5. On the Assertion Creation tab, select Next.
    • Configure the Protocol settings.
      1. On the Protocol Settings tab, select Configure Protocol Settings.
      2. On the Assertion Consumer Service URL tab, enable the Default setting.
      3. Set the SAML Binding to POST.
      4. Enter the Endpoint URL, which is the LastPass Assertion Consumer Service URL copied in Step #2.
      5. Select Next.
      6. On the Allowable SAML Bindings tab, enable the POST setting.
      7. Leave the default values for other settings as is.
      8. On the Summary tab, select Done.

        Service Provider Connections Summary with Protocol Settings in PingFederate

        Result: Your Browser SSO settings are configured.

    • Set the credentials.
      1. On the Credentials tab, select Configure Credentials.
      2. On the Digital Signature Settings tab, select your Signing Certificate.
      3. Enable the INCLUDE THE CERTIFICATE IN THE SIGNATURE <KEYINFO> ELEMENT setting, and then click Next.
      4. On the Summary tab, select Done.

        Service Provider Connections Credentials settings in PingFederate

      5. On the Credentials tab, click Next.
      6. Review your settings on the Activation & Summary tab.
      7. Select Save.
    The setup is complete! You have successfully set up your LastPass Business account to use federated login with PingFederate.

    All of your newly populated federated users will receive a Welcome email informing them that they can now log in to use LastPass. Please note that your LastPass users must log in using the LastPass browser extension in order to use federated login for their PingFederate account with LastPass.
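As an added verification step that is not part of this help file: after saving the connection, capture a test assertion that PingFederate issues for the LastPass connection (for example with a SAML tracer on a test account) and run it through the script below, which checks that the NameID, the Audience and the attribute statement match the contract configured in the steps above. The sample_assertion helper builds a constructed, unsigned assertion so the script runs offline; signature verification is assumed to be done separately before any value is trusted.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ATTR_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
LASTPASS_ENTITY_ID = "https://accounts.lastpass.com"  # Partner's Entity ID from step 10
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRIBUTES = {"DirectoryUserName", "LastPassKeyPart", "LastPassKeyPartSignature",
                       CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname"}

def check_assertion(xml_text):
    """Return a list of findings (empty when the assertion matches the contract).
    Signature verification is a separate step and must pass before any value is trusted."""
    findings = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("missing Subject/NameID")
    else:
        if name_id.get("Format") != NAMEID_FORMAT:
            findings.append("NameID Format is %r" % name_id.get("Format"))
        if name_id.text != "LastPassFederatedLogin":  # SAML_SUBJECT is the fixed text value
            findings.append("NameID is %r, expected LastPassFederatedLogin" % name_id.text)
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != LASTPASS_ENTITY_ID:
        findings.append("Audience is %r, expected %s" % (audience, LASTPASS_ENTITY_ID))
    seen = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat") != ATTR_NAME_FORMAT:
            findings.append("wrong NameFormat on attribute %s" % attr.get("Name"))
        seen[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in sorted(REQUIRED_ATTRIBUTES - set(seen)):
        findings.append("missing attribute " + name)
    for name, values in seen.items():
        if name in REQUIRED_ATTRIBUTES and not any(v.strip() for v in values):
            findings.append("empty value for " + name)
    return findings

def sample_assertion(attributes, name_id="LastPassFederatedLogin"):
    """Constructed, unsigned sample assertion for offline testing (not real PingFederate output)."""
    attrs = "".join('<saml:Attribute Name="%s" NameFormat="%s"><saml:AttributeValue>%s'
                    "</saml:AttributeValue></saml:Attribute>" % (n, ATTR_NAME_FORMAT, escape(v))
                    for n, v in attributes.items())
    return ('<saml:Assertion xmlns:saml="%s" Version="2.0"><saml:Subject><saml:NameID Format="%s">%s'
            "</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>%s"
            "</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>%s"
            "</saml:AttributeStatement></saml:Assertion>"
            % (NS["saml"], NAMEID_FORMAT, escape(name_id), LASTPASS_ENTITY_ID, attrs))
```

A real capture will differ in element order and carry a Signature element; the checks here only look at the named elements, so that does not affect the result.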