Step #7: Add API for LastPass in OneLogin
Add an API for LastPass in OneLogin. This is required to get your company's LastPassK1 (random company-wide key) into the access token that is used for logging users in to LastPass.
- Return to the OneLogin Admin portal.
- Select Developers in the top navigation, then select API Access Management.
- Select Add API.
Result: The Add API page displays.
- In the Name field, enter a name for the API. For example: LastPass API
- In the Resource Identifier field, enter: https://lastpass.com
- In the Audiences (comma delimited) field, enter: https://lastpass.com
- Click Save.
- Select Clients in the left navigation.
- Complete the following sub-steps for each app one by one (Desktop app, Android app, iOS app, Web app) to add them as clients:
  - Select Add Client.
    Result: The Add Client window pops up.
  - In the Select OpenID Connect App field, search for and select the app that you are adding as a client.
  - Click Next.
    Result: The Add <app name> window pops up.
  - Click Save (it is safe to ignore the message about scopes).
  Result: At the end of this step, you should have all four OpenID Connect apps added as clients.
- Select Claims in the left navigation.
- Select Add Claim.
Result: The Add Claim window pops up.
- In the Name field, enter: LastPassK1
- In the Value field, select - Macro -.
- To enter a value in the Macro Value field, complete the following steps:
  - Return to the LastPass Admin Console at https://admin.lastpass.com/.
  - Select .
  - Select OneLogin.
  - Locate the Random company-wide key and copy its value.
  - Go back to the Macro Value field in OneLogin and paste the Random company-wide key value.
- Click Ok.
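
To confirm the API, audience, and claim configured above actually reach the access token, the following added example (not LastPass or OneLogin code) inspects a token's payload without ever printing the key value. It assumes the access token is a JWT; the function names are hypothetical and the sample tokens are constructed for illustration.

```python
import base64
import json

EXPECTED_AUDIENCE = "https://lastpass.com"  # value entered in the Audiences field
EXPECTED_CLAIM = "LastPassK1"               # claim name entered in Add Claim


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_access_token(token):
    """Return a list of configuration problems; an empty list means OK.

    Inspection only: the signature is NOT verified, so this must never be
    used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]

    problems = []
    aud = claims.get("aud")
    # "aud" may be a single string or a list of strings.
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("aud does not contain " + EXPECTED_AUDIENCE)
    value = claims.get(EXPECTED_CLAIM)
    if not isinstance(value, str) or not value.strip():
        problems.append(EXPECTED_CLAIM + " claim is missing or empty")
    # The key value itself is deliberately never printed or returned.
    return problems


def make_sample_token(claims):
    """Build a constructed sample token with a dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".c2ln"


if __name__ == "__main__":
    good = make_sample_token({"aud": [EXPECTED_AUDIENCE], EXPECTED_CLAIM: "CONSTRUCTED-PLACEHOLDER"})
    print(check_access_token(good))
    print(check_access_token(make_sample_token({"aud": "https://example.invalid"})))
```

Because the claim carries the company-wide key, treat any captured access token as a secret and keep it out of logs, tickets, and online JWT decoders.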
All of your newly populated federated users will receive a Welcome email informing them that they can now log in to use LastPass. Please note that your LastPass users must log in using the LastPass browser extension in order to use federated login for their OneLogin account with LastPass.
- If you have not done so yet, you can deploy the LastPass web browser extension across your organization.
- If desired, you can set up Multifactor Authentication at the Okta (Identity Provider) level.
- To see your end users' experience, please see Federated login experience for LastPass Business users.
- If your end users have linked personal accounts associated with their federated login account, see How do I verify my linked personal account for federated login in LastPass?.
- If you need to convert non-federated users to federated users, please see How do I convert an existing LastPass user to a federated (Azure AD, Okta, Google Workspace, PingOne, or OneLogin) user?