Step #7: Add API for LastPass in OneLogin

    Add an API for LastPass in OneLogin. This is required to get your company's LastPassK1 (random company-wide key) into the access token that is used for logging users in to LastPass.

    About this task: The steps below are performed in OneLogin.
    Note: After performing the instructions below, all of your newly populated federated users will receive a Welcome email informing them that they can now log in to use LastPass.
    1. Return to the OneLogin Admin portal.
    2. Select Developers in the top navigation, then select API Access Management.
    3. Select Add API.

      Result: The Add API page displays.

    4. In the Name field, enter a name for the API. For example: LastPass API
    5. In the Resource Identifier field, enter: https://lastpass.com
    6. In the Audiences (comma delimited) field, enter: https://lastpass.com
    7. Click Save.
    8. Select Clients in the left navigation.
    9. Complete the following sub-steps for each app one by one (Desktop app, Android app, iOS app, Web app) to add them as clients:
      1. Select Add Client.

        Result: The Add Client window pops up.

      2. In the Select OpenID Connect App field, search for and select the app that you are adding as a client.
      3. Click Next.

        Result: The Add <app name> window pops up.

      4. Click Save (it is safe to ignore the message about scopes).

        Result: At the end of this step, you should have all four OpenID Connect apps added as clients.

    10. Select Claims in the left navigation.
    11. Select Add Claim.

      Result: The Add Claim window pops up.

    12. In the Name field, enter: LastPassK1
    13. In the Value field, select - Macro -.
    14. To enter a value in the Macro Value field, complete the following steps:
      1. Return to the LastPass Admin Console at https://admin.lastpass.com/.
      2. Select Users > Federated login.
      3. Select OneLogin.
      4. Locate the Random company-wide key and copy its value.
      5. Go back to the Macro Value field in OneLogin and paste the Random company-wide key value.
    15. Click Ok.
    Results: The setup is complete! You have successfully set up your LastPass Business account to use federated login with OneLogin.

    All of your newly populated federated users will receive a Welcome email informing them that they can now log in to use LastPass. Please note that your LastPass users must log in using the LastPass browser extension in order to use federated login for their OneLogin account with LastPass.
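
One way to confirm the result of the steps above is to inspect an access token issued for the new API and check that it carries the https://lastpass.com audience and a non-empty LastPassK1 claim. The following is an added example, not LastPass or OneLogin code; it assumes the access token is a JWT, the function names are hypothetical, and the sample tokens are constructed. It reports problems only and never prints the key value.

```python
import base64
import json

EXPECTED_AUDIENCE = "https://lastpass.com"  # value entered in steps 5 and 6
CLAIM_NAME = "LastPassK1"                   # claim name entered in step 12


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_token(token: str) -> list:
    """Return a list of configuration problems; an empty list means OK."""
    claims = decode_payload(token)
    problems = []
    aud = claims.get("aud") or []
    audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be str or list
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("aud does not include " + EXPECTED_AUDIENCE)
    k1 = claims.get(CLAIM_NAME)
    if not isinstance(k1, str) or not k1.strip():
        problems.append(CLAIM_NAME + " claim missing or empty")
    elif k1 != k1.strip():
        problems.append(CLAIM_NAME + " has leading or trailing whitespace")
    return problems  # the key value itself is never included in the output


def make_sample(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    good = make_sample({"aud": ["https://lastpass.com"], "LastPassK1": "CONSTRUCTED-K1"})
    bad = make_sample({"aud": "https://example.invalid"})
    print(check_token(good))
    print(check_token(bad))
```

Because the LastPassK1 value is a company-wide secret, run a check like this only on an admin workstation and avoid pasting real tokens into online JWT decoders.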

    What to do next: