Step #5: Create and Configure an Authorization Server for LastPass

Step #5.1: Create an Authorization Server for LastPass

In the Okta admin portal, under the Security tab in the left navigation, select API.
Click Add Authorization Server and enter your desired values into the following fields. If you have no preference, enter the following values:

Name

LastPass

Audience

all

Description

lp –all
Click Save to finish adding your Authorization Server.

Step #5.2: Add a generated LastPassK1 to Authorization Server Claims

In the Okta admin portal, under the Security tab in the left navigation, select API.
Select the Authorization Server you added in Step #5.1.
Once on the page of your LastPass Authorization Server, click the Claims tab.
Click Add Claim in the upper-left navigation.
For the Name field, enter LastPassK1.
Set Include in token type to Access Token and its value to Always.
Return to the LastPass new Admin Console and click Users > Federated login in the top navigation.
Click the Okta tab.
Copy the random company-wide key or click Regenerate key to generate a new one.
Once you have generated the random company-wide key you would like to use, copy it and paste it into your text editor application.
Return to Okta and paste the random company-wide key into the Value field between single quotes that you must add on each side of the key (for example, ‘r4nd0mk3y’).
Set Value type to Expression.
Click Create when finished.
Warning: It is of critical importance that you do not change the random company-wide key once it has been saved in Okta.
If you modify the LastPassK1 Key that you use to set up federated login for your organization:

All of your LastPass users will instantly lose access to their vaults.

The only way to restore their access is to reset the master password for each individual LastPass user by utilizing the the “Permit super admins to reset master passwords” policy (strongly recommended before beginning setup).

Step #5.3: Add a new Access Policy for the Authorization Server

In the Okta admin portal, under the Security tab in the left navigation, select API.
Select the Authorization Server you added in Step #5.1.
Once on the page of your LastPass Authorization Server, click the Access Policies tab.
Click Add New Access Policy.
Enter your desired values for the following fields. If you have no preference, enter the following values:

Name

LastPass

Description

lpall
In the Assign to field, choose one of the following options:
- If you are planning to have only one login application (you will create this app in Step #7: Create a Single-Page Application for LastPass to Enable Login Using Okta) or you have multiple login applications and wish to apply the policy to all login applications, select All clients.
- If you have multiple login applications and wish to apply the policy selectively, choose The following clients. In the field that appears, start typing the name of any existing login application(s) that you want to apply the policy to. Select the relevant application(s) from the list provided. Once you have created the LastPass Okta login app in Step #7: Create a Single-Page Application for LastPass to Enable Login Using Okta, you will have to return here and select that app too.
Click Create Policy.
Back on the Access Policies tab, you should see your new access policy displayed. Click Add Rule.
Enter your desired value for the Rule Name field. If you have no preference, enter lpall.
In the Grant type > Client acting on behalf of itself section, make sure that the Client Credentials checkbox is disabled.
In the Grant type > Client acting on behalf of a user section, make sure that only the Authorization Code checkbox is enabled.
You can leave all other values as-is.
Optionally, in case you wish to assign specific scopes, select The following scopes:, then OIDC default scopes. This adds the following scopes:
- openid
- profile
- email
- address
- phone
- offline_access
Only openid, profile, and email are necessary.
Click Create Rule.

Parent article: Set Up Federated Login for LastPass Using Okta With an Authorization Server

Previous article: Step #4: Enable Provisioning to the LastPass Provisioning App in Okta

Next article: Step #6: Enable CORS for LastPass in Okta