Add LastPass SSO Apps
LastPass SSO apps are common online tools used within a company for which a LastPass Enterprise or Identity admin has set up a single sign-on integration. This allows users to sign in to those apps using the same credentials that are used for LastPass.
For those managing a LastPass MFA account, admins will need to add SSO apps, then enable Step Up Authentication to allow users to authenticate using the LastPass MFA app.
You must have a LastPass admin account in order to add SSO apps. Instructions will vary depending on your LastPass business account type.
Access the Admin Console
- Log in and access the LastPass Password Manager Admin Console by doing either of the following:
- While logged in to LastPass, click the active LastPass icon in your web browser toolbar, then select Admin Console in the menu.
- Log in at https://lastpass.com/company/#!/dashboard with your admin username and Master Password.
- In the left navigation of the Admin Console, select SSO, MFA, or SSO & MFA.
- Click Applications in the left menu, then select Web App.
- Click + Add Application in the upper-right navigation.
Step #1: Select your app
Under the "Select your app" section, use the Search field to locate your app.
- If your app is in the catalog, click the app name to select it.
- If your app is not in the catalog yet, click on the Custom tab and enter a name in the App Name field.
If you add a custom app, you must click on the Service Provider section and provide the ACS URL before you can save the app. You can find the ACS data in the app's Service Provider metadata or on its website.
- If you want to copy the configuration of an app you have already set up, click the Copy tab then select the app from the drop-down menu.
Step #2: Set up your Identity Provider
- Under the "Identity Provider" section, the following items are listed, which you can copy and paste to a text editor application if needed:
- If desired, you can click the Download icon to download and save the LastPass Certificate (TXT) and/or Metadata (XML) files.
Step #3: Set up your Service Provider
Under the "Service Provider" section, enter the following, which can be retrieved by logging in to your SSO app and reviewing its configuration settings:
- ACS (also known as the Post Back URL, Reply URL, or Single Sign-On URL) – This is the URL to which authentication responses (containing assertions) are returned. If you added a Custom app, the ACS information is required in order to save the app.
- Entity ID (also known as the Issuer ID or App ID for your app) – This is the Metadata URL of the Service Provider.
- Nickname – The name of the app as it appears in the Admin Console (and Cloud Apps, if your users have a LastPass password management Vault).
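The following Python example is added here and is not part of LastPass's documentation or tooling. It reads a Service Provider's SAML 2.0 metadata XML and returns the Entity ID and ACS URL to enter in the fields above; the sample metadata, the sp.example.com host, and the choice of the HTTP-POST endpoint are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (hypothetical app at sp.example.com).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/redirect"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings(metadata_xml):
    """Return (entity_id, acs_url) for the Service Provider section."""
    # Metadata comes from a third party: refuse DTDs so no entities are expanded.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor document")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    path = f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService"
    endpoints = [e for e in root.findall(path) if e.get("Binding") == POST]
    if not endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    endpoints.sort(key=lambda e: (e.get("isDefault") not in ("true", "1"),
                                  int(e.get("index", "0"))))
    acs = endpoints[0].get("Location", "")
    # Assertions are delivered to this URL, so accept only https with a host.
    parsed = urlparse(acs)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"ACS URL must be an https URL: {acs!r}")
    return entity_id, acs
```

Calling `sp_settings(SAMPLE_METADATA)` returns the Entity ID and ACS values for the constructed sample; a metadata file with a plain-http ACS endpoint or a DTD is rejected with `ValueError`.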
Step #4: Advanced setup (optional)
Under the "Advanced Setup" section, you can add any of the following additional customizations:
- Role – Learn how to create roles.
- IDP – Custom
- Relay State – Custom
- Identifier – Choose from Email, Secondary Email, User ID, Groups, Roles, or CustomID. By default, Email is selected.
- Step Up Authentication (optional) – Check the box to enable the use of the LastPass MFA app when signing in to your app.
- SAML Signature Method (optional) – Check the box(es) for using SHA1 and/or SHA256.
Step #5: Manage custom attributes (optional)
Under the "Custom Attributes" section, you can add various SAML attributes. Use the drop-down menu and choose from the following options:
- Secondary Email
- User ID
- First Name
- Last Name
- Constant value
To add more attributes, click + Add SAML Attribute, then use the drop-down menu to make your selections.
Step #6: Assign users to your app
During the app setup, you can click Save and assign to begin selecting users to assign. Otherwise, if you have already saved the app, click the Assign Users icon for your app.
- Click the User, Group, or Role tab, then locate and click to select. You can deselect by clicking on the user, group, or role again, or click Remove All to remove all selected users.
- Click Save when finished.
- Click the Selected tab to view all users, groups, and roles that have already been selected.
- To remove users, groups, or roles already selected, click the Delete icon.
- Click Save when finished.