User mapping in LastPass Universal Proxy
When the user types their Windows logon name into the VPN client, that name can be looked up in Active Directory. Starting from version 4.0, the Windows logon name (the sAMAccountName) is used to authenticate the user with the LastPass Authentication service. No other user mapping procedure is needed, as the AD Connector considers only the Windows logon name.
For version 3.x of LastPass Universal Proxy, the username in the LastPass Authentication service can differ from the Active Directory username. To authenticate the user successfully with the LastPass Authentication service, the proxy must map the Active Directory username to the LastPass Authentication service username and send the login request to the LastPass Authentication service with this mapped username.
To provide the login process described above, the following applications and services must be present and cooperate with each other:
- VPN server
- LastPass Universal Proxy
- Active Directory service
- LastPass Authentication service
For more information on how the listed applications and services work together when the user attempts to log in, see What is LastPass Universal Proxy?.
The mapping converts the username in the login request from the VPN server into the username in the LastPass Authentication service.
The following table shows when the Default/Multiple options mapping strategies are used in LastPass Universal Proxy 3.x:

| Server mode | Mapping strategy (LastPass MFA Authentication) |
|---|---|
| MFA authentication only | Multiple options |
| System password authentication only | No mapping, LastPass Authentication service is not called |
| Either LastPass MFA or system password | |
| Both LastPass MFA and system password | |
The following table shows the mapping input and output of the Default/Multiple options mapping strategies, with examples:

| | Default | Multiple options | LDAP lookup |
|---|---|---|---|
| Input | username in login request from VPN server | username in login request from VPN server | username in login request from VPN server |
| Output | username + @ + value of domain property field in server.properties file | | |
Important: The Default mapping strategy works only if the login username and the part of the LastPass Authentication username before the @ are the same.
For example, the login user name john and the LastPass Authentication user name email@example.com differ only after the @ character.

Example where the Default mapping works:
Login name: john
LastPass Authentication name: firstname.lastname@example.org
Mapping works because john = john; the next step is to append @ and the value of the domain field to this username. The result is email@example.com.

Set the Identity user lookup using LDAP server if:
Login name: john
LastPass Authentication name: firstname.lastname@example.org
The portion of the LastPass Authentication name before the @ differs from the login name, therefore the LDAP lookup should be used.
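The Default strategy and the check for when it applies, written out as an added Python illustration (not code from LastPass Universal Proxy); the property key name `domain` and the sample server.properties content are assumptions:

```python
import re
from typing import Optional

# Constructed sample of a server.properties file; the key name "domain" is an
# assumption based on the page calling it the "domain property field".
SAMPLE_SERVER_PROPERTIES = """\
# constructed sample, not a real configuration file
domain = example.com
"""


def read_domain_property(properties_text: str) -> Optional[str]:
    """Return the value of the 'domain' key from Java-style properties text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # skip blanks and comments
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == "domain":
            return m.group(2).strip()
    return None


def default_mapping(login_name: str, domain: str) -> str:
    """Default strategy: login username + '@' + domain property value."""
    return f"{login_name}@{domain}"


def choose_strategy(login_name: str, lastpass_name: str) -> str:
    """Default mapping can only produce the LastPass username when the part
    before '@' equals the login name; otherwise an LDAP lookup is needed."""
    local_part = lastpass_name.split("@", 1)[0]
    return "default" if local_part == login_name else "ldap-lookup"


def map_username(login_name: str, lastpass_name: str, domain: str) -> Optional[str]:
    """Return the mapped username, or None when Default mapping cannot apply."""
    if choose_strategy(login_name, lastpass_name) != "default":
        return None
    return default_mapping(login_name, domain)
```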