HELP FILE

How do I migrate from using AD FS to a cloud-based federated login for LastPass?

If you have set up your LastPass Business account to provision users with federated login via AD FS and want to migrate to a cloud-based Identity Provider federated login solution (Azure AD or Okta) for LastPass, you can do so in three stages: defederate your users, uninstall the LastPass AD Connector and LastPass Custom Attribute Store, and then enable federated login for your desired cloud-based solution.

Before you begin:

WARNING! All users must be defederated BEFORE you remove the LastPass Custom Attribute Store (AD FS plugin) and Active Directory Connector; otherwise, the K1 attribute will not be accessible, making the master key irretrievable.

Limitations and compatibility:

  • Do not run the AD FS and cloud-based configurations concurrently to manage the same users.
  • There is currently no ability to take a mass action to defederate user accounts; this will need to be done manually for each user.
  • It is good practice to make a list of all users and their federated login status before beginning the process. This will help to ensure no one is left behind. Learn how to generate a report of your users.
  • After your users are defederated, user accounts will have a known Master Password. Once you set up cloud-based federated login, user accounts will need to log in with their known Master Password to complete the conversion to federated status.
  • Converting an account does not disable any multifactor authentication options that have been set up with the Identity Provider (Azure AD or Okta).

Step #1: Defederate your users

You can change your users' account status to defederated by resetting their Master Password (if your admin account is enabled with the "Permit super admins to reset master passwords" policy) by doing the following:

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Click Users in the left menu.
  3. Click to select your desired federated user.
  4. Click OK.
  5. Enter your own Master Password, then click Submit.
  6. Enter a new Master Password for your user and confirm it.
  7. By default, the Force password change on next login option is enabled. We recommend keeping this option enabled so your user will be prompted to set their own Master Password upon their next login.
  8. Click Submit.

    Result: Your user's account status has now changed from federated to defederated, as indicated by the missing asterisk next to their name in the User list.
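As an added example (not part of the LastPass article), a small pre-flight check an admin could run before Step #2: it compares a user report exported before defederation with one exported after Step #1 and lists anyone still federated, so the connector and attribute store are not removed while a K1 attribute is still needed. The CSV column names `email` and `federated` are assumed, not taken from the article, and the sample rows are constructed.

```python
"""Pre-flight gate for Step #2: refuse the uninstall while any user is still federated.

Added example, not part of the LastPass help article. The CSV layout (columns
``email`` and ``federated``) is an assumption; adapt it to your actual report.
"""
import csv
import io

# Constructed sample exports: a user report taken before defederation and one
# taken after working through Step #1. Column names are assumed for illustration.
BEFORE_CSV = """email,federated
alice@example.com,true
bob@example.com,true
carol@example.com,false
"""

AFTER_CSV = """email,federated
alice@example.com,false
bob@example.com,true
carol@example.com,false
"""


def load_users(csv_text):
    """Return {email: is_federated} from a CSV export (emails normalised to lower case)."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        users[row["email"].strip().lower()] = row["federated"].strip().lower() == "true"
    return users


def users_left_behind(before, after):
    """Users who were federated before and are not confirmed defederated afterwards.

    A user missing from the after-export is treated as unverified (still federated),
    so the check fails closed rather than silently dropping them.
    """
    return sorted(email for email, was_fed in before.items()
                  if was_fed and after.get(email, True))


def safe_to_uninstall(before, after):
    """True only when every previously federated user is confirmed defederated."""
    return not users_left_behind(before, after)


if __name__ == "__main__":
    before, after = load_users(BEFORE_CSV), load_users(AFTER_CSV)
    pending = users_left_behind(before, after)
    if pending:
        print("Do NOT uninstall yet; still federated:", ", ".join(pending))
    else:
        print("All users defederated; Step #2 may proceed.")
```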

Step #2: Uninstall the LastPass AD Connector and LastPass Attribute Store

WARNING! All users must be defederated BEFORE you remove the LastPass Custom Attribute Store (AD FS plugin) and Active Directory Connector; otherwise, the K1 attribute will not be accessible, making the master key irretrievable.

  1. Uninstall the LastPass AD Connector.
  2. Uninstall the LastPass Custom Attribute Store.

Step #3: Set up federated login for Okta or Azure AD

Follow the instructions to set up federated login for LastPass using either Okta or Azure AD.