HELP FILE

User mapping in LastPass Universal Proxy

    When a user types their Windows logon name into the VPN client, Universal Proxy looks the account up in Active Directory. Starting with version 4.0, the Windows logon name, that is, the sAMAccountName, is used as-is to authenticate the user with the LastPass Authentication service. No other user mapping procedure is needed, because the AD Connector considers only the Windows logon name.

    Important: The sAMAccountName attribute is limited to 20 characters. If the User Logon Name in AD is longer than 20 characters, it is truncated in the sAMAccountName, and that truncated form is the name Universal Proxy 4.x sends to the LastPass Authentication service.

    In version 3.x of LastPass Universal Proxy, the username known to the LastPass Authentication service can differ from the Active Directory username. To authenticate the user successfully, Universal Proxy must map the Active Directory username to the LastPass Authentication service username and send the login request to the LastPass Authentication service with the mapped username.

    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?

    For the login process described above, the following applications and services must be present and cooperate with each other:

    • VPN server
    • LastPass Universal Proxy
    • Active Directory service
    • LastPass Authentication service

    Important: To use LastPass Universal Proxy 4.x, an Active Directory Connector must be installed and an Active Directory must be present.

    For more information on how the listed applications and services work together when the user attempts to log in, see What is LastPass Universal Proxy?.

    Mapping strategies

    The mapping takes the username from the VPN server login request and produces the username that the LastPass Authentication service knows the user by.

    The following table shows when the Default and Multiple options mapping strategies are used in LastPass Universal Proxy 3.x:

    Note: The Multiple options strategy works only if Universal Proxy uses the LDAP or LDAPS protocol, that is, when an Active Directory is present.
    Table 1. User mapping strategies in LastPass Universal Proxy 3.x

    Server mode                                     | Mapping strategy (LDAP/LDAPS)                 | Mapping strategy (RADIUS)
    ------------------------------------------------+-----------------------------------------------+-----------------------------------------------
    LastPass MFA Authentication (LP)                | Default                                       | Default
    Either LastPass MFA or system password (PLP)    |                                               |
      - MFA authentication only                     | Multiple options (Default or LDAP lookup)     | Default
      - System password authentication only         | No mapping; the LastPass Authentication       | No mapping; the LastPass Authentication
                                                    | service is not called                         | service is not called
    Both LastPass MFA and system password (SFA)     | Multiple options (Default or LDAP lookup)     | Default

    The following table shows the input and output of the Default, Multiple options and LDAP lookup mapping strategies, with examples. Each strategy is given as its own block:

    Table 2. Mapping input and output of the Default/Multiple options/LDAP lookup strategies

    Default

      Input: username in the login request from the VPN server

      Description: username + @ + value of the domain property in the server.properties file

      Important: The Default mapping strategy works only if the login username and the part of the LastPass Authentication username before the @ are the same. For example, the login name john and the LastPass Authentication username john@company.com differ only after the @ character.

      Example:

        Login name: john

        LastPass Authentication name: john@company.com

        The mapping works because john = john; the next step appends @ and the value of the domain property to the username. The result is john@company.com.

    Multiple options

      Input: username in the login request from the VPN server

      Description:

      • If the ldap.field.name value is not present in the server.properties file:
        1. the output is the value of the userPrincipalName field in Active Directory;
        2. if that is not present (the userPrincipalName field is optional), the value of the mail field from Active Directory is used;
        3. if that is not present, the value of the "email" field from Active Directory is used;
        4. if that is not present either, the Default mapping strategy is used.
      • If the ldap.field.name value is present in the server.properties file, the value of that Active Directory attribute is the output username.

    LDAP lookup

      Input: username in the login request from the VPN server

      Description: Set the Identity user lookup using LDAP server if:

      • there is an Active Directory server up and running in your network that can authenticate users, and
      • the portion of the Windows logon name before the @ differs from the portion of the LastPass Authentication service username before the @.

      Example:

        Login name: john

        LastPass Authentication name: john_test@company.com

        The portion of the login name before the @ is different, therefore LDAP lookup should be used.
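    The following Python script is an added example, not code from LastPass or Universal Proxy: it models the Default and Multiple options mapping strategies from Tables 1 and 2 against a constructed in-memory stand-in for Active Directory, and applies the 20-character sAMAccountName check from the 4.x section. The attribute names (sAMAccountName, userPrincipalName, mail, email) and property keys (domain, ldap.field.name) are the ones this page names; the sample AD entries, the server.properties contents, and the decision to treat a configured but missing ldap.field.name attribute as an error are assumptions made for the example.

```python
"""Simulation of the LastPass Universal Proxy 3.x user mapping strategies.

Added example, not LastPass code. It models the Default and Multiple options
strategies against an in-memory stand-in for Active Directory and adds the
4.x sAMAccountName length check. The AD entries, the server.properties
contents and the error handling for a missing attribute are assumptions.
"""

SAMACCOUNTNAME_MAX = 20  # AD limit quoted on the page

# Constructed server.properties contents (only the keys this page mentions).
SERVER_PROPERTIES_DEFAULT = """
# domain is appended by the Default strategy
domain=company.com
"""

SERVER_PROPERTIES_LDAP_FIELD = """
domain=company.com
ldap.field.name=mail
"""

# Constructed stand-in for Active Directory, keyed by sAMAccountName.
FAKE_AD = {
    # Full entry: the fallback chain stops at userPrincipalName.
    "john": {
        "sAMAccountName": "john",
        "userPrincipalName": "john@company.com",
        "mail": "john@company.com",
    },
    # No userPrincipalName: the chain falls through to mail, whose local
    # part differs from the logon name (the page's LDAP lookup case).
    "jane": {
        "sAMAccountName": "jane",
        "mail": "jane_test@company.com",
    },
    # No userPrincipalName, mail or email: the chain ends at Default.
    "svc_vpn": {
        "sAMAccountName": "svc_vpn",
    },
}


def load_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments.

    Escape sequences and line continuations are not handled (assumption: the
    keys used here never need them).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def default_mapping(login_name, props):
    """Default strategy: login name + '@' + value of the domain property."""
    return f"{login_name}@{props['domain']}"


def default_strategy_applies(login_name, lastpass_username):
    """Default works only if the LastPass username before the @ equals the login name."""
    return lastpass_username.partition("@")[0] == login_name


def multiple_options_mapping(login_name, props, directory=FAKE_AD):
    """Multiple options strategy: AD attribute lookup, Default as the last resort."""
    entry = directory.get(login_name)
    if entry is None:
        raise LookupError(f"{login_name!r} not found in Active Directory")
    field = props.get("ldap.field.name")
    if field:
        # Explicit attribute configured: its value is the output username.
        if not entry.get(field):
            # Assumption: a missing attribute is an error, not a silent fallback.
            raise LookupError(f"{login_name!r} has no {field!r} attribute")
        return entry[field]
    # No ldap.field.name: userPrincipalName, then mail, then email, then Default.
    for attr in ("userPrincipalName", "mail", "email"):
        if entry.get(attr):
            return entry[attr]
    return default_mapping(login_name, props)


def samaccountname_for(logon_name):
    """4.x sends the sAMAccountName as-is; report whether the 20-char limit truncates it.

    Returns (name_as_stored, was_truncated).
    """
    if len(logon_name) > SAMACCOUNTNAME_MAX:
        return logon_name[:SAMACCOUNTNAME_MAX], True
    return logon_name, False


if __name__ == "__main__":
    props = load_properties(SERVER_PROPERTIES_DEFAULT)
    for user in FAKE_AD:
        print(user, "->", multiple_options_mapping(user, props))
    print(samaccountname_for("christopher.andersonsmith"))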