HELP FILE

How do I migrate from using AD FS to a cloud-based federated login for LastPass?

If you have set up your LastPass business account to provision users with federated login via AD FS and want to migrate to a cloud-based Identity Provider federated login solution (Azure AD or Okta) for LastPass, you can do so by defederating your users, uninstalling the LastPass AD Connector and LastPass Custom Attribute Store, then enabling federated login for your desired cloud-based solution.

Before you begin – please read!

WARNING! All users must be defederated BEFORE you remove the LastPass Custom Attribute Store (AD FS plugin) and Active Directory Connector, otherwise the K1 attribute will not be accessible, making the master key irretrievable.

Limitations and compatibility

  • Do not run the AD FS and cloud-based configurations concurrently to manage the same users.
  • There is currently no ability to take a mass action to defederate user accounts; this must be done manually for each user.
  • It is good practice to make a list of all users and their federated login status before beginning the process. This will help to ensure no one is left behind. Learn how to generate a report of your users.
  • After your users are defederated, their accounts will have a known Master Password. Once you set up cloud-based federated login, each user will need to log in with that known Master Password to complete the conversion to federated status.
  • Converting an account does not disable any Multifactor Authentication options that have been set up with the Identity Provider (Azure AD or Okta).

Step #1: Defederate your users

You can change your users' account status to defederated by resetting their Master Password. Our best recommendation is to require your users to change their Master Passwords upon next login; then, for any users who haven't done so by the time you are ready to continue with this process, you can manually reset their Master Passwords for them.

Require your users to reset their own Master Password

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Click Users in the left menu.
  3. Click to select your federated users.
  4. Click the More icon (ellipsis) in the upper-right corner.
  5. Click Require password change.
  6. Click OK.

The users will be prompted to change their Master Password upon their next login, which will change their user account status from federated to defederated, as indicated by the missing asterisk next to their name in the User list.

Reset each user's Master Password manually

If your admin account is enabled with the "Permit super admins to reset master passwords" policy, you can manually reset your federated users' Master Passwords for them.

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Click Users in the left menu.
  3. Click to select your desired federated user.
  4. Click OK.
  5. Enter your own Master Password, then click Submit.
  6. Enter a new Master Password for your user and confirm it.
  7. By default, the Force password change on next login option is enabled. We recommend keeping this option enabled so your user will be prompted to set their own Master Password upon their next login.
  8. Click Submit.

Your user's account status has now changed from federated to defederated, as indicated by the missing asterisk next to their name in the User list.
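Before moving on to Step #2, it is worth confirming the precondition from the warning above by comparing the user report you saved at the start with a fresh export. The script below is an added example, not LastPass tooling; it assumes two CSV exports with an `email` column and a `federated` true/false column (both column names are assumptions, adapt them to your report) and reports who is still federated, who has dropped out of the report since the baseline, and whether it is safe to uninstall.

```python
import csv
import io

# Constructed sample reports. The column names "email" and "federated" are an
# assumption made for this example; adapt them to the columns of your own
# user report export.
BASELINE_CSV = """email,federated
alice@example.com,true
bob@example.com,true
carol@example.com,false
dave@example.com,true
"""

CURRENT_CSV = """email,federated
alice@example.com,false
bob@example.com,true
carol@example.com,false
"""


def load_report(report_csv):
    """Map each user's e-mail to True/False according to the federated column."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return {
        row["email"].strip().lower(): row["federated"].strip().lower() == "true"
        for row in rows
    }


def migration_check(baseline_csv, current_csv):
    """Gate for Step #2: list users still federated, users that vanished from
    the report since the baseline, and whether uninstalling is safe."""
    baseline = load_report(baseline_csv)
    current = load_report(current_csv)
    still_federated = sorted(u for u, fed in current.items() if fed)
    # A user present in the baseline but absent now cannot be verified as
    # defederated, so they block the uninstall as well ("no one left behind").
    missing = sorted(set(baseline) - set(current))
    return {
        "still_federated": still_federated,
        "missing": missing,
        "safe_to_uninstall": not still_federated and not missing,
    }


if __name__ == "__main__":
    result = migration_check(BASELINE_CSV, CURRENT_CSV)
    for user in result["still_federated"]:
        print(f"still federated: {user}")
    for user in result["missing"]:
        print(f"not in current report: {user}")
    print("safe to uninstall AD Connector / Attribute Store:", result["safe_to_uninstall"])
```

Run it again after each round of manual resets until `safe_to_uninstall` is true.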

Step #2: Uninstall the LastPass AD Connector and LastPass Attribute Store

WARNING! All users must be defederated BEFORE you remove the LastPass Custom Attribute Store (AD FS plugin) and Active Directory Connector, otherwise the K1 attribute will not be accessible, making the master key irretrievable.

  1. Uninstall the LastPass AD Connector.
  2. Uninstall the LastPass Custom Attribute Store.

Step #3: Set Up Federated Login for Okta or Azure AD

Follow the instructions to set up federated login for LastPass using either Okta or Azure AD.