HELP FILE

Federated Login Experience for LastPass Enterprise Users

Once a LastPass Enterprise or LastPass Identity admin has set up federated login for an organization, new users are provisioned with a LastPass account that allows them to log in to LastPass with their existing Active Directory account (AD FS, Azure AD, or Okta) – no separate Master Password required!

The steps below outline the full user experience from the newly provisioned user's point of view.

Step #1: Download and install LastPass

First, you will need to download and install LastPass. If you are in a locked-down environment with limited privileges for downloading and installing applications, contact your admin to install LastPass for you.

Note: Logging in to your online Vault via the LastPass website at https://lastpass.com/?ac=1 is not supported for federated users. You must log in using a LastPass component (i.e., web browser extension, desktop app, or mobile app) in order to authenticate.

Step #2: Activate federated login for LastPass

Once your LastPass account has been set up as a new federated login account, the activation steps vary depending on your user account status when you were added to the company account.

Brand new federated login – user activation steps

Your Welcome email will include your LastPass username (email address) and a temporary Activation code that you will use to log in (only once), so that your Vault can be decrypted and re-encrypted to use your Azure AD or Okta account going forward.

Note: These activation steps do not apply to federated login users provisioned via AD FS.

  1. Open the Welcome email you received.
  2. Copy the Activation code to your clipboard or a text editor application.
  3. Click Activate LastPass.
  4. Once redirected to the "Finish account creation" page, paste the Activation code into the field (your LastPass username is already pre-populated for you).
  5. Click Continue.
  6. You are redirected to your company's federated login page (Identity Provider sign-in page), where you can finish signing in to LastPass using your Azure AD or Okta account credentials.
    Your LastPass account is now activated to use federated login, and you will continue to use your Azure AD or Okta account credentials to access your LastPass Vault.

Existing LastPass user converted to a federated login – user activation steps

  1. Log in with your existing username and Master Password via the LastPass web browser extension only.
  2. A progress bar is displayed to indicate that your LastPass Vault is being re-encrypted with your Identity Provider account.
  3. Once complete, you must log in once again (using the LastPass web browser extension).
  4. You are redirected to your company's federated login page (Identity Provider sign-in page), where you can finish signing in to LastPass using your AD FS, Azure AD, or Okta account credentials.
    Your LastPass account is now activated to use federated login, and you will continue to use your AD FS, Azure AD, or Okta account credentials to access your LastPass Vault.

Step #3: Verify your linked personal account (if applicable)

If you have a linked personal account associated with your LastPass Enterprise or LastPass Identity account, you must verify your personal account before you can access your personal Vault.

Note: For security purposes, this verification process must be done for every new device that you use to log in to LastPass using federated login.

Step #4: Log in to LastPass

Once installed and activated, you can log in to LastPass using your Active Directory account. After you have authenticated, you will have continuous access to your LastPass Vault, unless otherwise configured within your organization's Active Directory and/or LastPass policies.

Login instructions will vary depending on whether you are logging into LastPass using the web browser extension, mobile app, or desktop application.

Using the LastPass web browser extension

  1. In your web browser toolbar, click the inactive LastPass icon.
  2. Enter your Active Directory email address, which will redirect you to your company's federated login page.
  3. Log in with your Active Directory credentials.
    An active LastPass icon is now displayed in your web browser toolbar to indicate a successful federated login.

Using LastPass for Windows Desktop application

  1. Open the LastPass for Windows Desktop application on your desktop.
  2. Enter your Active Directory email address.
  3. Navigate to the password field, and a new authentication window will open and redirect to your company's federated login page.
  4. Log in with your Active Directory credentials.
  5. Return to the desktop application.
    You are automatically logged in to your LastPass Vault.

Using the LastPass Mac app

  1. Open the LastPass Mac app on your desktop.
  2. Enter your Active Directory email address.
  3. Once redirected to your company's federated login page, proceed to log in.
  4. Return to the desktop app.
    You are automatically logged in to your LastPass Vault.

Using the LastPass Password Manager app for iOS or Android

  1. Tap to open the LastPass Password Manager app for iOS or Android.
  2. Enter your Active Directory email address but do not enter your password.
  3. Tap Log In to continue the login process.
  4. Once redirected to your company's federated login page, proceed to log in by doing one of the following:
    • For AD FS federated login users – Enter your DOMAIN\username (e.g., LASTPASS\testuser) and password, then tap Sign in.
    • For Azure AD or Okta federated login users – Tap to select your Azure AD or Okta account, then enter your Azure AD or Okta password and tap Sign in.
  5. Return to the mobile app.
    You are automatically logged in to your LastPass Vault.

Learn more about using the LastPass Password Manager app for iOS or Android.

Step #5: Start using LastPass!

Once you log in, you can begin saving new site passwords, secure notes, and form fill items to your LastPass Vault.

About Master Password resets

Please note, as a federated user, you are unable to reset your Master Password within LastPass Account Settings – this must be done by your LastPass admin or within your Active Directory environment. If your Master Password is ever reset (either by an admin, or by yourself due to a forced Master Password reset), your account will be converted to a non-federated user account.