product icon

Step #9: Set Up Federated Login for Okta in LastPass with PKCE Enabled

    Configure federated login settings for Okta in LastPass.

    1. In the Okta admin portal, under Applications in the left navigation, select Applications. Find your LastPass Okta Login single-page application. Click the entry of the application, then click the General tab.
    2. In the Client Credentials section, copy the Client ID and paste it into your text editor application.
    3. Return to the LastPass new Admin Console, then select Users > Federated login.
    4. Click the Okta tab.
    5. Paste the Client ID (that you copied in Step 2 in this section) into the Client ID field.
    6. Return to the Okta portal and the LastPass Okta Login single-page application. Under Security in the left navigation, click API.
    7. Click the name of the Authorization Server you created in section Step #5.1: Create an Authorization Server for LastPass.
    8. Open the Metadata URI in a new tab.
      Note: Contact Okta support to help adding the default base endpoint URL for the LastPass application. LastPass does not support custom domains.
    9. At the end of the Metadata URL (in the address bar of your web browser tab), replace oauth-authorization-server with openid-configuration.
    10. Hit enter or open a new web browser tab to navigate to the modified URL, which will confirm that the requested page is valid and exists.
    11. Copy the modified URL and paste it into your text editor application.
    12. Return to the LastPass new Admin Console Users > Federated login page with the Okta tab still selected, then paste the modified Metadata URI (that you copied in Step 11 in this section) into the OpenID URL field.
    13. Do one of the following steps:
      • Check the box for Use LastPass AD Connector to sync users if you want to enable a Federated Hybrid setup.
      • Check the box for the Use Okta Authorization Server to store company-wide key setting if you want to enable Federated only setup and get the Authorization Server info from Step #5: Create and Configure an Authorization Server for LastPass.
    14. Check the box for the Enabled setting.
    15. If desired, check the box for Don't send username/email hint to IdP to prevent the username field from populating automatically when the user is redirected to Okta.
    16. Check the box for Enable PKCE flow.
      This is required for security hardening. The Authorization Code flow with a Proof Key for Code Exchange (PKCE) is the recommended method for controlling the access between your application and a resource server.
    17. Click Save changes when finished.
      Open URL and Client ID settings for Okta in LastPass
    Parent article: Set Up Federated Login for LastPass Using Okta With an Authorization Server
    Previous article: Step #8: Enable the Authorization Code Grant Type for Your Single-Page App
    Next article: Step #10: Assign the User to the LastPass Provisioning Application