HELP FILE

PulseSecure VPN SSO App Integration

LastPass offers SAML integration with PulseSecure, therefore you can add PulseSecure as a Web App (SSO app).

Part 1 - Configuration on LastPass Dashboard

  1. Log in and access the LastPass Password Manager Admin Console by doing either of the following:
    • While logged in to LastPass, click the active LastPass icon in your web browser toolbar, then select Admin Console in the menu.
    • Log in at https://lastpass.com/company/#!/dashboard with your admin username and Master Password.
  2. Go to Applications > SSO apps.
  3. If you have not previously added SSO apps, click Add your first SSO app. Otherwise, click Add app in the upper-right navigation.
  4. In the Search field, under the Select app section, search for your app in the catalog.

    Note: If you cannot find your app, click Add an unlisted app.

  5. Click Continue.
  6. Go to this app’s settings to enable single sign-on. Make sure your app recognizes LastPass as the Identity Provider. Some apps allow you to upload settings in an XML file, while others require you to copy and paste the information below.

    Entity ID
    https://identity.lastpass.com
    SSO endpoint
    https://identity.lastpass.com/SAML/SSOService
    Logout URL
    https://identity.lastpass.com/Login/Logout
    Certificate
    Default is selected, or select another
    Certificate fingerprint
    Custom
    Certificate fingerprint (SHA256)
    Custom

  7. Optional: If needed, you can click the Download icon to download and save the LastPass Certificate (TXT) and/or Metadata (XML) files.
  8. Open a new web browser window or tab to proceed with the next steps.

Part 2 - Configuration on PulseSecure

  1. Log on to your PulseSecure admin account.
  2. Click Auth. Servers in the left navigation.
  3. Click New Server to create a new SAML server.
  4. If SA Entity ID is empty, click SAML Settings.
  5. For "Host FQDN for SAML" enter your domain and click Save Changes.
  6. For "Server Name" enter a new server name.
  7. For the "Identity Provider Entity ID" enter https://identity.lastpass.com (the Entity ID for LastPass that you copied from Step #6 in the previous section).
  8. For the "Identity Provider Single Sign On Service URL" enter https://identity.lastpass.com/SAML/SSOService (the SSO End Point that you copied from Step #6 in the previous section).
  9. For "Upload Certificate" click Choose File and select the certificate you saved from Step #7 in the previous section, then click Save.
  10. Enter your desired values for the "Allowed Clock Skew" and "Metadata Validity" sections, then save changes.
  11. Copy the "SA Entity ID" and paste it into a text editor application.
  12. Click Save Changes.
  13. Go back to the PulseSecure Directory page, and for the "Authentication" field, add LP SSO.
  14. Click Save Changes.
  15. Open the Role Mapping tab and make sure that there is at least one defined role.
  16. Add a role if needed, then click Save Changes.
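Before uploading the certificate saved in Part 1, Step 7 (Part 2, Step 9), it is worth confirming that its SHA256 fingerprint matches the one shown in the LastPass console. The script below is an added example, not LastPass or PulseSecure code; the file name and the assumption that the downloaded TXT is either a PEM block or a bare base64 body are its own.

```python
"""Added example: check a downloaded LastPass IdP certificate against the
SHA256 fingerprint shown in the LastPass console before uploading it to
PulseSecure. Not LastPass or PulseSecure code; file name is assumed."""
import base64
import hashlib
import re
import sys


def der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the certificate in a PEM/TXT file.
    Accepts a standard PEM block or a bare base64 body (assumption: the
    LastPass 'Certificate (TXT)' download may use either form)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    body = "".join(body.split())  # drop newlines and spaces
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA256 fingerprint, as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True if the certificate's SHA256 fingerprint equals the expected one."""
    computed = sha256_fingerprint(der_from_pem(pem_text))
    return normalize(computed) == normalize(expected)


if __name__ == "__main__":
    # Usage: python check_idp_cert.py lastpass_cert.txt <fingerprint from console>
    with open(sys.argv[1]) as f:
        cert_text = f.read()
    actual = sha256_fingerprint(der_from_pem(cert_text))
    ok = fingerprint_matches(cert_text, sys.argv[2])
    print("fingerprint", "matches" if ok else "DOES NOT MATCH", actual)
    sys.exit(0 if ok else 1)
```

A mismatch means the file on disk is not the certificate the console is showing, so stop and re-download before continuing with Part 2.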

Part 3 - Finalizing the SSO Configuration

  1. Return to the LastPass Admin Console.
  2. On the LastPass Admin Console web browser window or tab you left open as the last step in Part 1, locate Set up LastPass.
  3. Paste the following URL into the ACS URL textbox: https://(Your Domain or IP Address)/dana-na/auth/saml-consumer.cgi
  4. Optional: Under Advanced settings, add any of the following additional customizations:

    Nickname
    The name of the app as it appears in the Admin Console (and Cloud Apps, if your users have a LastPass password management Vault).
    Entity ID
    (also known as the Issuer ID or App ID for your app) – This is the Metadata URL of the Service Provider.
    Role
    Learn how to create roles
    Identity Provider
    https://identity.lastpass.com
    Relay State
    URL to which the service provider redirects the user after processing the SAML response.
    Identifier
    Choose from Email, Secondary Email, User ID, Groups, Roles, or CustomID. By default, Email is selected. Which identifier is required depends on the configured app; check its support site.
    SAML Signature Method (optional)
    Check the box for using SHA1 and/or SHA256.
    Signing and encryption
    Check the box for using
    • Sign assertion
    • Encrypt assertion
    • Sign request
    • Sign response