HELP FILE

Step #5: Create and Configure an Authorization Server for LastPass

    Step #5.1: Create an Authorization Server for LastPass

    1. In the Okta admin portal, under the Security tab in the left navigation, select API.
    2. Click Add Authorization Server and enter your desired values into the following fields. If you have no preference, enter the following values:

      Name
      LastPass
      Audience
      all
      Description
      lp –all

    3. Click Save to finish adding your Authorization Server.

    Step #5.2: Add a generated LastPassK1 to Authorization Server Claims

    1. In the Okta admin portal, under the Security tab in the left navigation, select API.
    2. Select the Authorization Server you added in Step #5.1.
    3. Once on the page of your LastPass Authorization Server, click the Claims tab.
    4. Click Add Claim in the upper-left navigation.
    5. For the Name field, enter LastPassK1.
    6. Set Include in token type to Access Token and its value to Always.
    7. Return to the LastPass new Admin Console and click Users > Federated login in the top navigation.
    8. Click the Okta tab.
    9. Copy the random company-wide key or click Regenerate key to generate a new one.
    10. Once you have generated the random company-wide key you would like to use, copy it and paste it into your text editor application.
    11. Return to Okta and paste the random company-wide key into the Value field between single quotes that you must add on each side of the key (for example, ‘r4nd0mk3y’).
    12. Set Value type to Expression.
    13. Click Create when finished.

      Warning: It is of critical importance that you do not change the random company-wide key once it has been saved in Okta.
      If you modify the LastPassK1 Key that you use to set up federated login for your organization:

    Step #5.3: Add a new Access Policy for the Authorization Server

    1. In the Okta admin portal, under the Security tab in the left navigation, select API.
    2. Select the Authorization Server you added in Step #5.1.
    3. Once on the page of your LastPass Authorization Server, click the Access Policies tab.
    4. Click Add New Access Policy.
    5. Enter your desired values for the following fields. If you have no preference, enter the following values:

      Name
      LastPass
      Description
      lpall

    6. In the Assign to field, choose one of the following options:
    7. Click Create Policy.
    8. Back on the Access Policies tab, you should see your new access policy displayed. Click Add Rule.
    9. Enter your desired value for the Rule Name field. If you have no preference, enter lpall.
    10. In the Grant type > Client acting on behalf of itself section, make sure that the Client Credentials checkbox is disabled.
    11. In the Grant type > Client acting on behalf of a user section, make sure that only the Authorization Code checkbox is enabled.
    12. You can leave all other values as-is.

      Optionally, in case you wish to assign specific scopes, select The following scopes:, then OIDC default scopes. This adds the following scopes:

      • openid
      • profile
      • email
      • address
      • phone
      • offline_access

      Only openid, profile, and email are necessary.

    13. Click Create Rule.