HELP FILE

Advanced Enterprise Options

LastPass Enterprise provides the ability for admins to customize hundreds of settings to achieve the most secure and optimally performing solution for your organization. In the Advanced Enterprise Options of the Admin Console, admins can add and configure global domains and URLs, view a change log of Master Passwords, and much more.

Note: These features are only available to LastPass Enterprise admins.

Topics in this article:

Global Equivalent Domains

Global Never and Global Only URLs

Master Passwords change log

SAML Initialization

Enabled Multifactor Authentication Options

Duo Security integration

Splunk Integration

RSA SecurID via RADIUS authentication

Symantec VIP authentication

SecureAuth authentication

Global Equivalent Domains

LastPass Enterprise admins can add Global equivalent domains for their account to allow users to manage a single login for different domains that are related. Learn more.

Global Never and Global Only URLs

LastPass Enterprise admins can add Global Never and Global Only URLs in the Admin Console to control when you do or do not want LastPass to prompt your users for action. Learn more.

Master Passwords change log

As an admin, it's important for you to have access to a change log that allows you to view when your users last changed their Master Passwords, and take additional action if they need to be forced to log out and update it. Learn more.

SAML Initialization

You can view your SAML initialization status and start initialization as follows:

  1. Log in and access the Admin Console.
  2. Go to Advanced OptionsEnterprise OptionsSAML Initialization.
    • If SAML initialization was already started, you a confirmation message will be displayed that SAML has already been successfully initialized.
    • If you have not begun SAML initialization, click Initialize SAML.

Enabled Multifactor Authentication Options

LastPass Enterprise admins can restrict the Multifactor Authentication options available for use by users within their organization. Learn more.

Duo Security integration

To enable Duo Security integration for your LastPass Enterprise account, you can enter required information from your Duo Security console as follows:

  1. Log in and access the Admin Console.
  2. Go to Advanced OptionsEnterprise OptionsDuo Security.
    • If you need to create a Duo Security account, click the hyperlink then choose LastPass as your integration type during account creation.
    • If you already have a Duo Security account, fill in the following fields:
      • Duo Security integration key
      • Duo Security secret key
      • Duo Security API hostname
  3. Click Update when finished.

Splunk Integration

Splunk Integration allows a Splunk Administrator to collect LastPass Events and send them to their Splunk Cloud Instance via Rest API in near real-time. To set up data forwarding, you must configure an HTTP Event Collector for you Splunk Cloud Instance and copy the resulting Splunk Instance Token and Instance URL. The Integration becomes active within 24 hours, though potentially much sooner.

To enable Splunk integration for your LastPass Enterprise account, do the following:

  1. Log in and access the Admin Console.
  2. Go to Advanced OptionsEnterprise OptionsSplunk Integration.
  3. Enter your Splunk Instance Token and Splunk Instance URL (e.g., prd-my-instance.cloud.splunk.com:8080) Note: Do not add the "input-" prefix to the URL of the instance and use the port number.
  1. Click Update when finished.

RSA SecurID via RADIUS authentication

Note: To obtain a list of all LastPass server IP addresses and/or request a change for allowing your server's IP address to be explicitly allowed by our Operations team, please contact your assigned sales representative or send an email to support@lastpass.com.

LastPass supports RSA SecurID authentication via RADIUS. You must set up a RADIUS client for LastPass in your RSA Authentication Manager. Since RSA Authentication Manager does not let you specify multiple IP addresses for a RADIUS client, we recommend using the 'ANY Client' option, and using a separate firewall to restrict connections to the necessary IP addresses. If you use the "ANY Client" option, you also need to edit securid.ini and change CheckUserAllowedByClient from 1 to 0. This RADIUS client must be accessible from all LastPass server IP addresses.

Note: To obtain a list of all LastPass server IP addresses, please send an email to support@lastpass.com or contact your assigned sales representative.

LastPass uses an outbound firewall, so if you're using a port other than 1812 or 1645, your server's IP must be explicitly allowed by our Operations team.

Note: To make a request to our Operations team to explicitly allow your server's IP address , please send an email to support@lastpass.com or contact your sales representative.

To set up and enable LastPass Enterprise to support RSA SecurID authentication via RADIUS, do the following:

  1. Log in and access the Admin Console.
  2. Go to Advanced OptionsEnterprise OptionsRSA SecurID/RADIUS.
  3. Enter the following information:
    • RADIUS Server IP addresses Note: Separate multiple IP addresses with commas, append ':port' if not 1812 (e.g. 216.162.248.81,216.162.248.82:1645)
    • RADIUS Shared Secret
    • RADIUS Timeout (seconds)
    • Failure Message

    RADIUS can also be used to support other Multifactor Authentication options besides RSA Secure ID (e.g., SafeNet). If you would like to customize the name and logos that your users will see, do the following:

    • Enter a "Service Name"
    • Upload logo 1 (124x124 PNG)
    • Upload logo 2 (190x42 PNG)
  4. Click Update when finished.

Symantec VIP authentication

LastPass Enterprise supports Symantec VIP authentication. You must provide LastPass with a certificate. Within the Symantec VIP Manager console, go to Account > Manage VIP Certificates. Request a certificate for LastPass, then download it in PEM format.

You can integrate Symantec VIP with your LastPass Enterprise account as follows:

  1. Log in and access the Admin Console.
  2. Go to Advanced OptionsEnterprise OptionsSymantec VIP.
  3. Upload your certificate in PEM format.
  4. Enter your Certificate Password.
  5. Click Update when finished.

SecureAuth authentication

LastPass supports SecureAuth authentication. You must provide LastPass with your SecureAuth application ID, application key, and realm.

LastPass uses an outbound firewall so your server's IP must be explicitly allowed by our Operations team.

Note: To make a request to our Operations team to explicitly allow your server's IP address , please send an email to support@lastpass.com or contact your sales representative.

You can integrate SecureAuth with your LastPass Enterprise account as follows:

  1. Log in and access the Admin Console.
  2. Go to Advanced OptionsEnterprise OptionsSecureAuth.
  3. Enter the following information:
    • Application ID
    • Application Key
    • Realm
  4. Click Update when finished.