Add LastPass SSO Apps

App integrations (i.e., SSO apps, Cloud apps) are common online tools used within your company for which a LastPass admin has set up a single sign-on integration. This allows you to sign in to those apps using the same credentials that you use for LastPass.

Step #1: Add the SSO app

  1. Log in and access the LastPass Admin Console by doing either of the following:
    • While logged in to LastPass, click the active LastPass icon in your web browser toolbar, then select Admin Console in the menu.
    • Log in at!/dashboard with your admin username and Master Password.
  2. In the left navigation of the Admin Console, go to Applications > SSO apps.
  3. If you have not previously added SSO apps, click Add your first SSO app. Otherwise, click Add Application in the upper-right navigation.

  4. Under the "Select your app" section, choose one of the following options:
    • If your app is in the catalog, click the app name to select it.
    • If your app is not in the catalog yet, click on the Custom tab and enter a name in the App Name field.
      Note: If you add a custom app, you must click on the Service Provider section and provide the ACS URL before you can save the app. You can find the ACS data in the app's Service Provider metadata or on its website.
    • If you want to copy the configuration of an app you have already set up, click the Copy tab then select the app from the drop-down menu.

Step #2: Set up your Identity Provider

  1. Under the "Identity Provider" section, the following items are listed, which you can copy and paste to a text editor application if needed:
  2. If desired, you can click the Download icon to download and save the LastPass Certificate (TXT) and/or Metadata (XML) files.

Step #3: Set up your Service Provider

Under the "Service Provider" section, enter the following, which can be retrieved by logging in to your SSO app and reviewing its configuration settings:
  • ACS (also known as the Post Back URL, Reply URL, or Single Sign-On URL) – This is the URL to which authentication responses (containing assertions) are returned. If you added a Custom app, the ACS information is required in order to save the app.
  • Entity ID (also known as the Issuer ID or App ID for your app) – This is the Metadata URL of the Service Provider.
  • Nickname – The name of the app as it appears in the Admin Console (and Cloud Apps, if your users have a LastPass password management Vault).
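
When the app publishes Service Provider metadata (XML), the ACS and Entity ID values can be read from it instead of being copied by hand. The following is an added example, not LastPass code: the function name, the sample metadata, and the host app.example.com are constructed, and it assumes the app receives responses over the HTTP-POST binding. It also reports whether the app asks for signed assertions, which corresponds to the Sign Assertion option in Step #5.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; app.example.com is a placeholder host.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://app.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings_from_metadata(xml_text):
    """Return the ACS URL and Entity ID to enter, plus review warnings."""
    # SAML metadata never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or sp is None:
        raise ValueError("not SAML 2.0 Service Provider metadata")
    # Assumption: the response is delivered over HTTP-POST ("Post Back URL").
    posts = [e for e in sp.findall(f"{{{MD}}}AssertionConsumerService")
             if e.get("Binding") == POST]
    if not posts:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault, then the lowest index.
    posts.sort(key=lambda e: (e.get("isDefault") not in ("true", "1"),
                              int(e.get("index", "0"))))
    acs = posts[0].get("Location", "")
    warnings = []
    if urlparse(acs).scheme != "https":
        warnings.append(f"ACS URL is not HTTPS: {acs}")
    if not root.get("entityID"):
        warnings.append("entityID attribute is missing")
    return {"acs": acs, "entity_id": root.get("entityID"),
            "want_assertions_signed":
                sp.get("WantAssertionsSigned") in ("true", "1"),
            "warnings": warnings}
```

Review any warning before saving the app: the ACS is where signed authentication responses are posted, so a non-HTTPS or unexpected URL should be confirmed with the app owner.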

Step #4: Advanced setup (optional)

Under the "Advanced Setup" section, you can add any of the following additional customizations:
  • Role – Learn how to create roles.
  • IDP – Custom
  • Relay State – Custom
  • Identifier – Choose from Email, Secondary Email, User ID, Groups, Roles, or CustomID. By default, Email is selected
  • Step Up Authentication (optional) – Check the box to enable the use of the LastPass MFA app when signing in to your app
  • SAML Signature Method (optional) – Check the box(es) for using SHA1 and/or SHA256

Step #5: Manage custom attributes (optional)

  1. Under the "Custom Attributes" section, you can add various SAML attributes. Use the drop-down menu and choose from the following options:
    • Email
    • Secondary Email
    • User ID
    • First Name
    • Last Name
    • Groups
    • Roles
    • CustomID
    • Constant Value
  2. Optional: If desired, check the box(es) to enable any of the following:
    • Sign Assertion
    • Sign Request
    • Sign Response
    • Encrypt Assertion
  3. To add more attributes, click + Add SAML Attribute, then use the drop-down menu to make your selections.
  4. Optional: If desired, click Choose File to upload a Partner Certificate.

Step #6: Assign users to your app

During the app setup, you can click Save and assign to begin selecting users to assign. Otherwise, if you have already saved the app, click the Assign Users icon for your app.
  1. You can assign new users or groups, or manage those already selected by doing either of the following:
    • To assign new users or groups, select the User or Group tab, then locate and click each one to select it.
      Tip: You can deselect by clicking on the user or group again, or click Remove All to remove all selected users.

    • To manage selected users or groups, click the Selected tab to view all users and groups already assigned. If desired, click the Delete icon to remove users or groups.
  2. Click Save when finished.

Step #7: Configure and finalize the SSO app integration

You can now search our SSO App Catalog for your desired app, and follow the instructions in Part 2 and Part 3 to finish the SSO app integration setup.
Note: The SSO app integration for Office 365 has additional steps for manual configuration within Part 1.