HELP FILE

How do I convert an existing LastPass user to a federated (Azure AD or Okta) user?

Once you have configured your LastPass Enterprise or LastPass Identity account to use federated login via Active Directory (using Azure AD or Okta), you may find that you have non-federated users – whose accounts existed before you set up your LastPass account to use federated login – that you want to convert to federated user accounts. To do so, you can use both the LastPass Admin Console and the Azure AD or Okta portal to migrate those existing users to become federated users without the risk of any data loss.

Before you begin...

  • As a best practice, it is recommended that you inform your non-federated users when their account will be converted to a federated status, as those users who are actively logged in to LastPass while their account is being migrated will be logged out once the migration process is complete. Once logged out, all newly federated users will be required to use their Active Directory account in order to log in to LastPass from now on. Additionally, an email notification is automatically sent to newly federated users that contains instructions for their new login experience going forward.

Limitations

  • Users can only be converted to a federated user if they are synchronized from Azure AD or Okta – this means they must be assigned to the LastPass application in Azure AD or Okta.
  • If an existing (non-federated) LastPass Enterprise or LastPass Identity user account has linked a personal account before they are migrated, the personal account will be unlinked during the migration process. Once complete, the newly federated user can log in and link their personal account again.
  • All federated users must always log in using a LastPass component (i.e., web browser extension, desktop app, or mobile app) in order to be redirected to your organization's Identity Provider (Azure AD or Okta) sign in page. This means that logging in to the online Vault via the website at https://lastpass.com/?ac=1 does not support federated login.

Step #1: Set up federated login for LastPass using Azure AD or Okta

Follow the instructions that apply to you:

Step #2: Select the users you want to convert in the Admin Console

  1. Log in to the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to SettingsFederated login in the left navigation.
  3. Select the Federated Users tab at the top. This will display a list of all non-federated users available for migration, as well as existing federated users.
  4. Click Select Users for Federated Login in the upper-right corner.
  5. You can use the Search field to filter and select individual users, or filter and click Select All for all filtered users.
  6. Once selected, click Close at the bottom of the window.
  7. Your selected users are now marked for conversion. These users are notified via email that their account is now enabled to use federated login, and instructions of their next steps (outlined below) on how to re-encrypt their Vault with their Azure AD or Okta account.

Select users or groups to convert to AD FS

Step #3: Selected users must log in to re-encrypt their Vault with their Azure AD or Okta account

Users selected for conversion in Step #2 above must log in to LastPass to re-encrypt their Vault with their Azure AD or Okta account, as follows:

  1. The user logs in with their existing username and Master Password via the LastPass web browser extension only.
  2. Upon logging in to LastPass, the user is redirected to their Azure AD or Okta (Identity Provider) sign in page where they must sign in with their Active Directory account.
  3. A progress bar is displayed to indicate that the user's LastPass Vault is being re-encrypted with their Azure AD or Okta account.
  4. Once complete, the user must log in again (using the LastPass web browser extension) but this time, when the user enters their LastPass username, the password field is removed and they are immediately redirected to their Azure AD or Okta sign in page.
  5. The user must sign in using their Azure AD or Okta account, which finalizes the account re-encryption.

Step #4: Selected users are all set!

The newly converted federated login user(s) must use their Azure AD or Okta account to sign in to LastPass going forward.

To see your end user's experience, please see Federated Login Experience for LastPass Users.

Related

What are the limitations for LastPass users with federated login?

Set Up Federated Login for LastPass Using Azure Active Directory

Set Up Federated Login for LastPass Using Okta