What are the limitations for LastPass users with federated login?
There are feature limitations that apply to LastPass Business users whose accounts are configured for federated login using AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin.
Federated login is supported in the following LastPass components:
- The LastPass browser extension: Chrome/Firefox/Edge/Safari/IE/Opera
- The online web vault (LastPass website) on desktop web browsers, as long as the LastPass browser extension is installed
- The LastPass desktop applications: LastPass for Windows Desktop, LastPass for macOS
- The LastPass Password Manager mobile apps: Android, iOS (iPhone/iPad)
Important: To support federated login via the mobile apps (specifically for Azure AD environments that have conditional access policies enforced), additional configuration steps are required:
  - For new setups, follow the "optional" instructions Steps #24 – 31 in the Step #3: Configure the Login App for LastPass in Azure AD article and Step #5 in the Step #4: Configure Federated Login Settings for Azure AD in LastPass article
  - For updating existing setups, follow the instructions in the article: How do I update my Azure AD federated login integration to allow logins from managed mobile devices?
Federated login is not supported in the following cases:
- Android Wearables/Apple Watch
- The LastPass desktop applications or the LastPass Password Manager mobile apps are managed via third-party (non-Intune) MDM solutions
- Using the online web vault on mobile web browsers
- Using the online web vault (LastPass website) without the LastPass extension installed
- LastPass directory integrations have the following limitations:
  - Different directory instances: Syncing from multiple directory instances is not supported. You can sync from only one of Active Directory, AD FS, Azure AD, Okta, Google Workspace, PingOne, or OneLogin.
  - Multi-domain and multi-forest: This is a limitation of the LastPass AD Connector; at this time, you cannot sync from multiple domains and/or a multi-forest configuration in the case of Active Directory.
- No Offline access – The client side (web browser extension) must remain online in order to obtain the user's encryption key and unlock the user's LastPass vault. For this reason, offline login is not available.
- No One-Time Password – This feature is not available as the master password comes from the user's Active Directory (AD FS, Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin) environment.
- Limited account recovery options – For federated users, the organization's chosen Identity Provider (IdP) provides authentication. Therefore, password recovery can be done in one of the following ways:
  - Password reset via the Active Directory user management (if applicable)
  - Password reset via Azure AD, Okta, Google Workspace, PingOne, PingFederate, or OneLogin (if applicable)
  - Password reset using the "Permit super admins to reset master passwords" policy within LastPass. Note that this changes the user's status from federated to non-federated; please see Reset a User's Master Password (Super Admin) for more information.
- No multifactor authentication enabled within LastPass – Multifactor authentication must be set up at the Identity Service Provider level, not at the LastPass level. It must be disabled within the LastPass Admin Console (learn how here) and end user Account Settings (learn how here). If enabled within LastPass, it will result in federated users being unable to access their vault.
Important: Since it is required that you create at least one non-federated LastPass admin (who is also enabled with the "Permit super admins to reset Master Passwords" policy) during the setup process, that specific admin can enable multifactor authentication for their account at the LastPass level.
Restriction: Workstation MFA cannot be used simultaneously with federated login (as federated login only supports multifactor authentication at the identity provider level, and Workstation MFA requires multifactor authentication at the LastPass level).
- No multifactor authentication policies enforced within LastPass – You must disable all multifactor authentication policies in the LastPass Admin Console (learn how here) because this authentication occurs at the Identity Provider level. If even one multifactor authentication policy is enabled in LastPass, it will result in federated users being unable to access their vault.
Note: Federated login users are granted an automatic increase of 10% on their security score since multifactor authentication must be set up at the Identity Provider level (within AD FS, Azure AD, Okta, PingOne, PingFederate, Google Workspace, or OneLogin settings) and not at the LastPass level (within the Multifactor Options tab in the Account Settings of their vault).
- No country restriction policy enforced within LastPass – You must disable all country restriction policies in the new LastPass Admin Console (learn how here) because this authentication occurs at the Identity Provider level. If a country restriction policy is enabled in LastPass, it will result in federated users being unable to access their vault.
- No country restriction enabled within LastPass for federated users – Federated users must disable the Country Restriction option in their Account Settings. If this option is enabled in LastPass, federated users might be unable to access their vault.
- Only Service Provider single sign-on (SSO) is supported – This means that you must always begin the login process from a LastPass component (e.g., web browser extension, mobile app, or desktop app) in order to be redirected to your organization's Identity Provider sign in page. Logging in via the LastPass website at https://lastpass.com/?ac=1 is not supported for federated users.
- About Linked Personal Accounts – Linked personal accounts must be verified on every new device (desktop or mobile) that a federated login user will use to log in to LastPass. This verification process must be done from every browser, desktop app, and/or mobile app that will be used for federated login on the new device(s).
- About the "Don't send welcome email" policy – This policy has no effect on federated users as these users must receive a Welcome email in order to activate their federated LastPass account.
- For AD FS and PingFederate – Automatic email changes and the customization of Welcome emails are not supported for users provisioned by Federated Login using AD FS (both the traditional and simplified versions) or PingFederate.
- Other policy limitations – All policies related to master password strength and/or master password rules will not affect federated users if enforced, and should be disabled at all times for those users. Learn how to manage your policies.
Please note that if a user's status changes from federated to non-federated (for example, due to a master password reset), the limitations listed above will be lifted but the user will still be required to adhere to company policies that have been applied to their LastPass Business account. However, you can convert these users back to a federated status again without the risk of data loss. Please see the instructions that apply to your federated login setup: