HELP FILE
User mapping in LastPass Universal Proxy
When the user types their Windows logon name in the VPN client, it can be found in the Active Directory. Starting from 4.0, the Windows logon name, that is, the sAMAccountName is used to authenticate the user with the LastPass Authentication service. No other user mapping procedure is needed as the AD Connector considers only the Windows logon name.
Important: The maximum length of the sAMAccountName is 20 characters. If the User Logon Name in AD is longer than 20 characters, it will be truncated in the sAMAccountName.
For version 3.x of LastPass Universal Proxy, the username in the LastPass Authentication service for the user can be different. In order to successfully authenticate the user with the LastPass Authentication service, we need to map the Active Directory username to the LastPass Authentication service username and send the login request to the LastPass Authentication service with this mapped username.
Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?
In order to provide the login process described previously, the following applications and services should be present and co-operate with each other:
- VPN server
- LastPass Universal Proxy
- Active Directory service
- LastPass Authentication service
Important: In order to use LastPass Universal Proxy 4.x, an Active Directory Connector must be installed and an Active Directory must be present.
For more information on how the listed applications and services work together when the user attempts to log in, see What is LastPass Universal Proxy?.
Mapping strategies
We are mapping the username from the VPN server login request to the username in the LastPass Authentication service.
The following table shows when the Default/Multiple options mapping strategies are used in LastPass Universal Proxy 3.x:
Note: Multiple options strategy works only, if the Universal Proxy uses the LDAP or LDAPS protocol, therefore an Active Directory is present.
| Server mode | Mapping strategy | ||
|---|---|---|---|
| LDAP/LDAPS | RADIUS | ||
| LastPass MFA Authentication (LP) |
Default | Default | |
| Either LastPass MFA or system password (PLP) |
MFA authentication only | Multiple options | Default OR LDAP lookup |
| System password authentication only | No mapping, LastPass Authentication service is not called | No mapping, LastPass Authentication service is not called | |
| Both LastPass MFA and system password (SFA) |
Multiple options | Default OR LDAP lookup |
|
The following table shows the mapping input and output of the Default/Multiple options mapping strategies and examples:
| Default | Multiple options | LDAP lookup | |
|---|---|---|---|
| Input | username in login request from VPN server | username in login request from VPN server | username in login request from VPN server |
| Description | username + @ + value of domain property field in server.properties file
Important: Default mapping strategy works only, if login username and LastPass Authentication username before the @ are the same. For example, login user name john and the LastPass Authentication's user name john@company.com differs only after the @ character. |
|
Set the Identity user lookup using LDAP server if:
|
| Example | Login name: john LastPass Authentication name: john@company.com Mapping will work as john = john, next step is to add @ and the value of the domain field to this username. The result is john@company.com. |
Login name: john LastPass Authentication name: john_test@company.com The login name portion before @ is different therefore the LDAP lookup should be used. |