How do I convert an existing LastPass user to a federated (AD FS) user?
Once you have configured your LastPass Enterprise or LastPass Identity account to use federated login via Active Directory (using AD FS), you may find that you have standard non-federated users (whose accounts existed before you set up your LastPass account to use federated login) or defederated users (whose accounts were previously federated) that you want to convert to federated user accounts. To do so, you can use the Admin Console together with the LastPass AD Connector to migrate those existing users to federated users without the risk of any data loss.
Before you begin...
- As a best practice, it is recommended that you inform your non-federated users when their account will be converted to a federated status, as users who are actively logged in to LastPass while their account is being migrated will be logged out once the migration process is complete. Once logged out, all newly federated users will be required to use their Active Directory credentials to log in to LastPass from then on. Additionally, an email notification is automatically sent to newly federated users that contains instructions for their new login experience going forward.
- Converting existing users to a federated user status is only supported if the users are listed in the provisioning groups within the user group filter of the Sync settings for the LastPass AD Connector (instructions here) and were synced to LastPass via the LastPass AD Connector.
- Users that were created manually or by another method cannot be converted to federated users using the steps outlined below. For those existing users created by another method, the user's account must be deleted (not disabled or removed) before they can be created as a new federated user. To ensure that the user's LastPass account data can be fully restored without data loss during this process, the user must export their LastPass Vault before their account is deleted.
- Once the migration process has been started on the LastPass AD Connector, all active syncing will be paused, and will resume again after the migration process is complete.
- If an existing (non-federated) LastPass Enterprise or LastPass Identity user account has linked a personal account before they are migrated, the personal account will be delinked during the migration process. Once complete, the newly federated user can log in and link their personal account again.
- All federated users must always log in using a LastPass component (i.e., web browser extension, desktop app, or mobile app) in order to be redirected to your organization's Identity Provider (AD FS) sign-in page. This means that logging in via the website at https://lastpass.com/?ac=1 does not support federated login.
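Because conversion is only supported for users who are members of the provisioning groups configured in the AD Connector's Sync settings, it is worth confirming membership before marking users in the Admin Console. The following PowerShell script is an added example, not part of the original article or the LastPass AD Connector; it assumes the ActiveDirectory module is installed, that the group names in $ProvisioningGroups match your Sync settings (placeholders here), and that the candidate list in $Candidates is supplied by you.

```powershell
# Added pre-migration check (not LastPass code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: replace with the provisioning groups from the AD Connector Sync settings
$ProvisioningGroups = @('LastPass-Users', 'LastPass-Admins')

# Constructed sample: sAMAccountNames you intend to mark for federated login
$Candidates = @('jdoe', 'asmith', 'contractor01')

# Build the set of users the AD Connector would actually sync (nested groups included)
$Synced = foreach ($group in $ProvisioningGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}
$Synced = $Synced | Sort-Object -Unique

# Report which candidates are eligible and which are not covered by any provisioning group
$report = foreach ($sam in $Candidates) {
    $user = Get-ADUser -Identity $sam -Properties mail -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SamAccountName  = $sam
        Mail            = if ($user) { $user.mail } else { '<not found in AD>' }
        InProvisioning  = $Synced -contains $sam
    }
}

$report | Format-Table -AutoSize

# Users listed here need the separate delete-and-recreate path described above
$report | Where-Object { -not $_.InProvisioning } |
    ForEach-Object { Write-Warning "Not in a provisioning group: $($_.SamAccountName)" }
```

Run this with an account that can read group membership; the Mail column lets you match each AD user against the address shown in the Admin Console before you select them for migration.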
Step #1: Set up federated login for LastPass Enterprise or LastPass Identity using AD FS
Follow the instructions to Set Up Federated Login for LastPass using AD FS.
Step #2: Select the users you want to convert in the Admin Console
- Log in to the Admin Console at https://lastpass.com/company/#!/dashboard.
- Go to Settings > Federated login in the left navigation.
- Select the Federated Users tab at the top. This will display a list of all non-federated users available for migration, as well as existing federated users.
- Click Select Users for Federated Login in the upper-right corner.
- You can use the Search field to filter and select individual users, or filter and click Select All for all filtered users.
- Once selected, click Close at the bottom of the window. Your selected users are now marked for conversion.
Step #3: Migrate your selected users in the LastPass AD Connector
- Open the LastPass AD Connector and log in with your LastPass Enterprise or LastPass Identity account.
- Select Migration in the left navigation.
- When ready, click Migrate, and the progress of the migration is displayed.
- Once the migration is complete, a confirmation message is displayed that includes:
  - The total number of selected users that were converted to a federated user status
  - The file path of the migration report in XML format
Step #4: Check federated user statuses in Admin Console
Once the LastPass AD Connector displays that the migration is complete, return to the Admin Console to monitor the progress of your federated user migration.
- In the Admin Console, go to Settings > Federated login in the left navigation.
- Click the Federated Users tab at the top.
- The Status column will display:
  - "In Processing" for those whose accounts are still being migrated
  - "Federated" for those whose accounts have been successfully migrated
You're all set!
Once all of your users have been migrated, your newly federated users will receive an email containing instructions on how they can log in using their federated account.
- To see your end user's experience, please see Federated Login Experience for LastPass Users.
- For additional help with troubleshooting, please see Troubleshooting Federated Login for Active Directory Federation Services (AD FS).