HELP FILE

Salesforce App Integration

Set up an app integration so that your user can sign into this app using the same credentials that they use for LastPass.

Part 1 - Add the SSO app to LastPass

  1. Log in and access the LastPass Password Manager Admin Console by doing either of the following:
    • While logged in to LastPass, click the active LastPass icon in your web browser toolbar, then select Admin Console in the menu.
    • Log in at https://lastpass.com/company/#!/dashboard with your admin username and Master Password.
  2. Go to Applications > SSO apps.
  3. If you have not previously added SSO apps, click Add your first SSO app. Otherwise, click Add app in the upper-right navigation.
  4. In the Search field, under the Select app section, search for your app in the catalog.

    Note: If you cannot find your app click Add an unlisted app.

  5. Click Continue.
  6. Go to this app’s settings to enable single sign-on. Make sure your app recognizes LastPass as the Identity Provider. Some apps allow you to upload settings in an XML file, while others require you to copy and paste the information below.

    Entity ID
    https://identity.lastpass.com
    SSO endpoint
    https://identity.lastpass.com/SAML/SSOService
    Logout URL
    https://identity.lastpass.com/Login/Logout
    Certificate
    Default is selected, or select another
    Certificate fingerprint
    Custom
    Certificate fingerprint (SHA256)
    Custom

  7. Optional: If needed, you can click the Download icon to download and save the LastPass Certificate (TXT) and/or Metadata (XML) files.
  8. Open a new web browser window or tab to proceed with the next steps.

Part 2 - App Configuration

  1. Open a new tab on your browser and log into Salesforce as an administrator using the following hyperlink: https://login.salesforce.com.
  2. On your top right side of the page, click on the Setup button and select Setup Home from the drop-down menu.

    setup home

  3. Before starting the configuration, make sure that you have a company domain set up.

    If you don't have a domain set up, please go to Company Settings > My Domain. Create a new domain, and make sure your domain name is in the format: yourworkdomain.my.salesforce.com.

    settings-domain salesforce_yourworkdomain

  4. From the left side menu, select Identity > Single Sign-on Settings.

    identity-sso

  5. Click edit to configure the Federated Single Sign-on Using SAML setting. Check the SAML enabled checkbox and click Save.

    enable saml enable saml checkbox

  6. To add a new entry for SAML Single Sign-on Settings – click on the New button.

    new idp config

  7. Please configure the information for SAML Single Sign-on Settings as follows:

    • Name: LastPass
    • API Name: Name of your choice
    • Issuer: https://identity.lastpass.com
    • Entity ID: If you have a custom domain setup, use https://[customDomain].my.salesforce.com. If you do not have a custom domain setup, use https://saml.salesforce.com
    • Identity Provider Certificate: Upload the certificate file you've just downloaded
    • Identity Provider Login URL: https://identity.lastpass.com/SAML/SSOService (SSO End Point copied from LastPass dashboard)
    • Identity Provider Logout URL: https://identity.lastpass.com/Login/Logout (Logout URL copied from LastPass dashboard)
    • Custom Error URL: https://identity.lastpass.com/SAML/SSOService (SSO End Point copied from LastPass dashboard)

  8. Click on Save.

  9. Copy the Salesforce Login URL. You will use it to configure your ACS URL on your LastPass dashboard.

  10. From the left side menu select Company Settings > My Domain. Then, scroll down and click on the Edit button next to Authentication Configuration.

    edit login page

  11. Uncheck the Login Page checkbox and check the LastPass checkbox instead.
  12. Click on Save.

Part 3 - Finalize the Salesforce SSO App Configuration

  1. Return to the LastPass Admin Console.
  2. On the LastPass Admin Console web browser window or tab you left open as the last step in Part 1, locate Set up LastPass.
  3. Under Service Provider, paste the Salesforce Login URL that you copied to the ACS field.
  4. Optional: Advanced settings, add any of the following additional customizations:

    Entity ID
    The name of the app how it appears in the Admin Console (and Cloud Apps, if your users have a LastPass password management Vault).
    Nickname
    (also known as the Issuer ID or App ID for your app) – This is the Metadata URL of the Service Provider.
    Role
    Learn how to create roles
    Identity Provider
    https://identity.lastpass.com
    Relay State
    URL to which the service provider redirects the user after processing the SAML response.
    Identifier
    Choose from Email, Secondary Email, User ID, Groups, Roles, or CustomID. By default, Email is selected. Depends on the configured app, check its support site.
    SAML Signature Method (optional)
    Check the box for using SHA1 and/or SHA256.
    Signing and encryption
    Check the box for using
    • Sign assertion
    • Encrypt assertion
    • Sign request
    • Sign response

  5. Optional: Click Upload partner certificate to upload a Partner Certificate.

    You can define custom attribute statements when creating a new SAML integration, or modifying an existing one. These statements are inserted into the SAML assertions shared with your app.

  6. Optional: To add more custom attributes, click Add SAML attribute, then use the drop-down menu to make your selections.
  7. During the app setup, you can click Save & assign users to begin selecting users to assign.
  8. To assign new users, click Assign users, groups & roles in the Users, groups & roles window.
    1. In the Assign users, groups & roles window select specific Users, Groups or Roles to assign.
    2. When selected, click Assign.
    3. Click Save & continue when finished in the Users, groups & roles window.
  9. Click Finish.

    If you have already set up and saved the app, click the app in the Applications > SSO apps Applications window. In the Configure app window click Save & edit users to Unassign or assign more users, groups and roles.

    Result: Your SSO app is now configured! The LastPass users you assigned to this SSO app can now log in and access the app using their LastPass account.