How do I add SSO apps for LastPass users?
App integrations (that is, SSO applications) are common online tools used within your company for which a LastPass admin has set up a single sign-on integration. This allows you to sign in to those apps using the same credentials that you use for LastPass.
- SSO apps
- Apps are the site entries stored in a LastPass user's Vault and accessed by that user for which a LastPass admin has set up single sign-on.
- You can sign in to your SSO app and launch any of your web applications without re-entering your credentials.
Add the SSO app
- Log in with your email address and Master Password to access the new Admin Console at https://admin.lastpass.com.
- Go to .
- If you have not previously added SSO apps, click Add your first SSO app. Otherwise, click Add app in the upper-right navigation.
- In the Search field, under the Select app section, search for your app in the catalog. Note: If you cannot find your app click Add an unlisted app.
- Click Continue.
Set up app
- Go to this app’s settings to enable single sign-on. Make sure your app recognizes LastPass as the Identity Provider. Some apps allow you to upload settings in an XML file, while others require you to copy and paste the information below.
- Entity ID
- SSO endpoint
- Logout URL
- Default is selected, or select another
- Certificate fingerprint
- Certificate fingerprint (SHA256)
- If desired, you can click the Download icon to download and save the LastPass certificate (TXT) and/or metadata (XML) files.
Set up LastPass
- LastPass needs to know the app’s URI to the Assertion Consumer Service (ACS) to be able to authenticate users. This is provided by the app.
- The URL to which LastPass sends authentication assertions after authenticating a user. It may also be known as Post-Back URL, Reply URL, Single Sign-On URL, or Service Provider URL.
- Step-up authentication
- Enable this checkbox if you want to force users to confirm their identity using passwordless authentication via the LastPass Authenticator app (i.e., facial recognition or fingerprint identification instead of a password) upon each login to this app.
- Optional: Advanced settings, add any of the following additional customizations:
- Entity ID
- The name of the app how it appears in the Admin Console (and Cloud Apps, if your users have a LastPass password management Vault).
- (also known as the Issuer ID or App ID for your app) – This is the Metadata URL of the Service Provider.
- Learn how to create roles
- Identity Provider
- Relay State
- URL to which the service provider redirects the user after processing the SAML response.
- Choose from Email, Secondary Email, User ID, Groups, Roles, or CustomID. By default, Email is selected. Depends on the configured app, check its support site.
- SAML Signature Method (optional)
- Check the box for using SHA1 and/or SHA256.
- Signing and encryption
Check the box for using
- Sign assertion
- Encrypt assertion
- Sign request
- Sign response
- Optional: Click Upload partner certificate to upload a Partner Certificate.
You can define custom attribute statements when creating a new SAML integration, or modifying an existing one. These statements are inserted into the SAML assertions shared with your app.
- Optional: To add more custom attributes, click Add SAML attribute, then use the drop-down menu to make your selections.
Assign users to your app
- To assign new users, click Assign users, groups & roles in the Users, groups & roles window.
- Click Assign users, groups & roles, in the Assign users, groups & roles window select specific Users, Groups or Roles to assign.
- When selected, click Assign.
- Click Save & continue when finished in the Users, groups & roles window.
- Click Finish.