HELP FILE

Set Up Federation Services for LastPass Enterprise

LastPass Enterprise account admins can configure Active Directory Federation Services (AD FS) so that new users are created and provisioned automatically through the LastPass Active Directory Connector. For those users, this means they log in to LastPass with their organization's Active Directory credentials and never have to create a second Master Password.

Before you begin implementation...

  • It is highly recommended that you create a non-production Active Directory environment with Federation Services so that you can familiarize yourself with AD FS for LastPass Enterprise.
    • Your test environment should also include a non-production version of the components in Step #1 (including a separate LastPass Enterprise trial account for testing). Follow all of the setup steps below with your non-production LastPass Enterprise account and test environment first, to avoid any unintentional loss of user account data.
  • It is also strongly recommended that you implement Multifactor Authentication for your users. However, be aware of the following:
    • You must set up Multifactor Authentication at the Identity Provider level (AD FS), and not at the LastPass level (via the Admin Console and/or end user Account Settings). Using Multifactor Authentication within LastPass is not supported for federated users, and will result in those users being unable to access their Vault.
    • You cannot enforce Multifactor Authentication policies in the LastPass Admin Console because this authentication will occur outside of LastPass, between your Identity Provider (AD FS) and your authentication service. For this reason, we recommend enforcing Multifactor Authentication policies in AD FS.

Limitations that apply to federated users

The following LastPass Enterprise features have limitations that will apply to federated users only:

  • No Offline access – The client side (web browser extension) must remain online in order to obtain the user's encryption key and unlock the user's LastPass Vault. For this reason, offline login is not available.
  • No linked personal account – Linked personal accounts are not supported for federated users. This means that a federated user cannot link their personal account to their LastPass Enterprise account.
  • No One-Time Password – This feature is not available because the Master Password comes from the user's Active Directory environment; federated users must always authenticate with the password known to Active Directory Federation Services.
  • Limited Account recovery options – For federated users, the Master Password comes from the user's Active Directory environment. Therefore, password recovery can be done in either of the following ways:
    • Password reset via the user's Active Directory or Federation Services user management
    • Password reset using the "Super Admin Master Password Reset" policy within LastPass. Note that this converts a federated user to a non-federated user; see Reset a User's Master Password (Super Admin) for more information.
  • No Multifactor Authentication enabled within LastPass – Multifactor Authentication set up within LastPass is not supported for federated users and will result in those users being unable to access their Vault. It is strongly recommended that you set up Multifactor Authentication, but it must be configured at the Identity Provider level (AD FS), not within the LastPass Admin Console or the end user's Account Settings.
  • No Multifactor Authentication policies enforced within LastPass – Since Multifactor Authentication must be set up at the Identity Provider level (AD FS), you cannot enforce Multifactor Authentication policies in the LastPass Admin Console. Because this type of authentication occurs outside of LastPass – between your Identity Provider and your authentication service – even enabling 1 Multifactor Authentication policy in LastPass will result in federated users being unable to access their Vault. For this reason, we recommend enforcing Multifactor Authentication policies in AD FS.

If a federated user is ever converted to a non-federated user, the limitations above will be lifted but the user's account will still be required to adhere to company policies that have been applied to their LastPass Enterprise account.
Additionally, only new users can be provisioned as federated users. To provision a federated user status to either an existing LastPass user (that has already created a Master Password) or a user whose Master Password must be reset (which will convert them to a non-federated user), their LastPass account must be deleted and recreated again as a federated user account.

To ensure that the user's LastPass account data can be fully restored without data loss during this process, it is required that the user logs in and exports their Vault prior to being deleted, as follows:

  1. Reset the user's Master Password.
  2. Once the user has logged in to their account, they must export their LastPass account data.
  3. When they confirm their account has been exported, you can then delete the user's account.
  4. The LastPass Active Directory Connector will detect them as a new user and provision them as a federated user.
  5. Once they log in to LastPass as a federated user (utilizing their current Active Directory credentials), they can import their LastPass account data to restore their Vault.

Step #1: Ensure the required components checklist is complete

Before you can begin using Active Directory Federation Services with LastPass Enterprise, you must already have the following set up (for both non-production and live environments):

  • An active LastPass Enterprise account that includes:
    • At least 1 admin account enabled
    • A user seat count that matches (or exceeds) the user count that will be synced with your Active Directory (both non-production and live environments)
      Note: If you are testing in your non-production environment, it is recommended to set up a separate LastPass Enterprise test account, which you can register for on the LastPass website.
  • Active Directory server environments (both non-production and live) that meet the following requirements:
    • Both environments are set up and configured to use Federation Services (AD FS 3.0 on Windows Server 2012 R2 or AD FS 4.0 on Windows Server 2016, with the latest updates installed, including the .NET Framework)
    • You have created a custom attribute (or re-purposed an existing attribute that was available to customize) and flagged it as confidential (the confidential bit in the attribute's searchFlags, which limits read access to accounts that hold the CONTROL ACCESS right on it), and you have confirmed that it exists in both your non-production and live Active Directory environments
    • Your firewall settings allow outbound HTTPS to https://www.lastpass.com and its subdomains (*.lastpass.com), and you have confirmed that no firewall rule blocks them on any of your AD FS servers.
    • The user running the AD FS service has been granted the "CONTROL ACCESS" permission on the custom attribute.
  • The "Super Admin Master Password Reset" policy enabled
    • This policy must be enabled on both the non-production and live versions of your LastPass Enterprise accounts (it is what allows you to reset a user's Master Password). Note that for federated users, resetting the Master Password is the only way to convert them to a non-federated user, because after the reset their Master Password no longer matches the one derived from Active Directory.
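The three Active Directory prerequisites above (confidential custom attribute, CONTROL ACCESS for the service account, and reachability of *.lastpass.com) can be prepared and checked from PowerShell. The script below is an added example and is not part of the LastPass help page or the LastPass product; it assumes the custom attribute already exists in the schema under the hypothetical LDAP display name lpFederatedKey, that the account running the AD FS service and the Active Directory Connector is CORP\svc-lastpass, and that synced users live under the OU shown. Run it on a domain member with the ActiveDirectory RSAT module as a Schema Admin (for the searchFlags change) and with rights to edit the OU's ACL.

```powershell
# Added example, not from the LastPass help page. All names below are placeholders.
Import-Module ActiveDirectory

$attrName   = 'lpFederatedKey'                               # assumed custom attribute
$svcAccount = 'CORP\svc-lastpass'                             # assumed ADC / AD FS service account
$usersOU    = 'OU=Users,OU=Corp,DC=corp,DC=example,DC=com'    # assumed OU of the synced users

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Flag the attribute as confidential: bit 7 (0x80) of searchFlags. Reading a
#    confidential attribute then additionally requires the CONTROL_ACCESS right,
#    so ordinary users (and attackers with plain read access) cannot see its value.
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attrName)" `
            -Properties searchFlags, schemaIDGUID
if (-not $attr) { throw "Attribute $attrName not found in the schema" }
$confidential = 0x80
if (($attr.searchFlags -band $confidential) -eq 0) {
    Set-ADObject -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = ($attr.searchFlags -bor $confidential) }
}

# 2. Grant the service account CONTROL_ACCESS (ExtendedRight scoped to this one
#    attribute's schemaIDGUID) on user objects below the OU. ReadProperty and
#    WriteProperty are added so the ADC can write the value the page describes;
#    that pairing is an assumption of this example, the page only names CONTROL ACCESS.
$attrGuid  = [guid]$attr.schemaIDGUID
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID
$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
           $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)

$acl = Get-Acl -Path "AD:\$usersOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usersOU" -AclObject $acl

# 3. Confirm outbound HTTPS to LastPass from this host; repeat on every AD FS node.
$reach = Test-NetConnection -ComputerName 'www.lastpass.com' -Port 443
if (-not $reach.TcpTestSucceeded) {
    Write-Warning 'TCP 443 to www.lastpass.com is blocked from this host'
}
```

The ACE is deliberately scoped to a single attribute GUID rather than granting the service account generic read or write on user objects: the value the Active Directory Connector stores there is what unlocks a federated user's Vault, so the least-privilege grant is the one that covers only that attribute.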

Once you have completed all of these requirements, you will need to capture several key pieces of information during the setup process.  Open a text editor application and prepare the following fields:

  • Active Directory Custom Attribute
  • Identity Provider URL
  • Identity Provider Public Key
  • Service Provider URL

After these fields have been prepared in your text editor, proceed to the next step.

Step #2: Capture your Identity Provider URL and Identity Provider Public Key

Next, you will need to log in to your Active Directory Federation Services (AD FS) server and obtain your full Identity Provider URL (Federation Service name + Endpoint Token Issuance URL Path), and your Identity Provider Public Key.

Identity Provider URL:

  1. Log in to your Active Directory Federation Services (AD FS) server and start the AD FS Management tool.
  2. Right-click on Service > Edit Federation Service Properties.
  3. On the General tab, copy the URL within the Federation Service name field (e.g., fs.fabrikam.com) and paste it into a text editor. Be sure that the Federation Service name you enter into your text editor begins with "https://" as it is required to be a secure protocol (e.g., https://fs.fabrikam.com).

Copy Federation Service Name

Endpoint Token Issuance URL Path:

  1. In the AD FS Management tool, go to Service > Endpoints.
  2. In the Token Issuance section, locate the entry with SAML 2.0/WS-Federation listed in the "Type" column (adfs/ls is the default path, but it can vary depending on your environment).
  3. Copy the value within the URL Path field and paste it into your text editor at the end of the Identity Provider URL, so that the result is https://<Federation Service name><Endpoint Token Issuance URL Path>. For example, with the values above the full Identity Provider URL would be https://fs.fabrikam.com/adfs/ls.

Copy AD FS Endpoint Token Issuance URL Path

Identity Provider Public Key:

  1. In the AD FS Management tool, go to Service > Certificates.
  2. Right-click on the Token-signing Certificate entry and select View Certificate.
  3. Click on the Details tab, then click to select Public key.
  4. In the section below, highlight and copy the entire Public Key, then paste it into a text editor.

Public Key from Details of Token-signing Certificate Properties

Once your full Identity Provider URL and Identity Provider Public Key have been recorded in a text editor, proceed to the next step.

Additional step for AD FS farm environments:

  • Confirm that each AD FS node has the same Token-signing certificate.
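The same three values (Federation Service name, Token Issuance endpoint path, and the token-signing certificate's public key), plus the farm consistency check, can be collected from PowerShell on the primary AD FS server instead of through the management console. This is an added example, not LastPass or Microsoft code; the node names in $farmNodes are placeholders, and the assumption that the hex byte rendering of X509Certificate2.GetPublicKey() matches what the certificate Details tab shows under "Public key" should be confirmed against the console before pasting it into LastPass.

```powershell
# Added example, not from the LastPass help page. Run in an elevated session on
# the primary AD FS server with the ADFS module available.
Import-Module ADFS

# Federation Service name (e.g. fs.fabrikam.com), always over https.
$props   = Get-AdfsProperties
$idpBase = "https://$($props.HostName)"

# Token Issuance endpoint of type SAML 2.0/WS-Federation (default path /adfs/ls/).
$endpoint = Get-AdfsEndpoint | Where-Object {
    $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled
} | Select-Object -First 1
if (-not $endpoint) { throw 'No enabled SAML 2.0/WS-Federation token issuance endpoint found' }
$idpUrl = $idpBase + $endpoint.AddressPath.TrimEnd('/')    # e.g. https://fs.fabrikam.com/adfs/ls

# Primary token-signing certificate; LastPass uses this public key to verify
# the tokens AD FS issues, so it must be the Token-Signing type, not Service-Communications.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$cert    = $signing.Certificate
$publicKeyHex = ($cert.GetPublicKey() | ForEach-Object { $_.ToString('x2') }) -join ' '

[pscustomobject]@{
    IdentityProviderURL     = $idpUrl
    TokenSigningThumbprint  = $cert.Thumbprint
    NotAfter                = $cert.NotAfter
    AutoCertificateRollover = $props.AutoCertificateRollover
    PublicKey               = $publicKeyHex
} | Format-List

# Farm check: every node must report the same primary token-signing certificate.
$farmNodes = 'adfs01', 'adfs02'    # assumed node names
$thumbs = Invoke-Command -ComputerName $farmNodes -ScriptBlock {
    (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint
}
if (@($thumbs | Select-Object -Unique).Count -ne 1) {
    Write-Warning "Token-signing certificates differ across nodes: $($thumbs -join ', ')"
}
```

One caveat the page does not mention: the public key you paste into LastPass is tied to this specific token-signing certificate. If AutoCertificateRollover reports True, AD FS will generate a new token-signing certificate before the current one expires, and the key stored in LastPass has to be updated when that happens or federated logins will stop verifying. Record the thumbprint and NotAfter date alongside the key so the rollover can be planned.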

Step #3: Configure your LastPass Enterprise Federated Login Settings

If you have already installed the LastPass Active Directory Connector, you must stop the service and exit the ADC application. You will need to start it at a later step.

Now that you have obtained all of the necessary information, you can configure your LastPass Enterprise Federated Login settings as follows:

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Settings > Federated login in the left menu.
  3. In the Provider URL field, paste your full Identity Provider URL (i.e., https:// + Federation Service name + Endpoint Token Issuance URL Path) that you obtained in Step #2.
  4. In the Public key field, paste your Identity Provider Public Key that you obtained from Step #2.
  5. Click Save Settings.
  6. Once saved, the Service Provider URL field below will be generated automatically. Copy your Service Provider URL and paste it into a text editor.
  7. Add the custom attribute (that you created or re-purposed and configured in Step #1) in the "Configure AD Connector" section, then click Save.
  8. Once all of the fields have been updated in both sections, an "Enabled" checkbox will be displayed in the "Configure AD FS" section.

Federated Login Configuration in Enterprise Admin Console

Step #4: Install the LastPass Active Directory Connector

TIP! Create a small control group of users in Active Directory to be used initially for the steps below.

  1. Install the LastPass Active Directory Connector or, if it's already installed, open the application.
  2. Configure the LastPass Active Directory Connector by selecting Actions > When a user is detected in Active Directory > Automatically create user in LastPass (in both your non-production and live environments). This option must be selected for federated users to be created via AD FS. Additionally:
    • The user running the LastPass Active Directory Connector must be granted the "CONTROL ACCESS" permission on the custom attribute.
    • Configure at least 1 group to be synced to LastPass. It is recommended to start with a small control group of a few users for testing.
  3. Once all of the configurations are in place, go to Home > Enable sync.
  4. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  5. Go to Users in the left menu to see your users populate as they are synced from your Active Directory. Federated users are displayed with an asterisk (*) before their username (e.g., *john.doe@acme.com).
  6. Check in your Active Directory that the custom attribute (from Step #1 "Active Directory server environments" section) for at least 1 synced LastPass federated user is filled out by the Active Directory Connector and is displayed as a random string.
    • If the custom attribute is present in Active Directory = success – This confirms that the Active Directory Connector has write access for the custom attribute for all federated users – proceed to Step #5 to register your custom attribute.
    • If the custom attribute is empty in Active Directory = failure – This means the Active Directory Connector cannot write the custom attribute in Active Directory because the AD user running the LastPass Active Directory Connector does not have the "CONTROL ACCESS" permission assigned.
      Let's fix this!
      1. The AD user must stop the service and exit the LastPass Active Directory Connector application.
      2. Log in and access the LastPass Admin Console at https://lastpass.com/company/#!/dashboard.
      3. Go to Users in the left navigation, then select all of your newly populated federated users (displayed with an asterisk).
      4. Click the More (ellipsis) icon in the upper-right, then click Delete selected users and confirm (they all have an empty custom attribute value).
      5. In Active Directory, grant the "CONTROL ACCESS" permission to the user who will run the LastPass Active Directory Connector.
      6. The AD user can now relaunch the LastPass Active Directory Connector application and start the service.
      7. Check in your Active Directory once again if the custom attribute is present for 1 of the synced LastPass federated users.
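The success/failure check in action #6, and the diagnosis behind the "Let's fix this!" branch, can be scripted so that every member of the synced group is checked at once rather than spot-checking one user. The block below is an added example and not part of the LastPass help page or the Active Directory Connector; the attribute name lpFederatedKey, the group LastPass-Pilot, the service account CORP\svc-lastpass and the OU are placeholders. It must run as an account that itself holds CONTROL ACCESS on the attribute.

```powershell
# Added example, not from the LastPass help page. All names are placeholders.
Import-Module ActiveDirectory

$attrName   = 'lpFederatedKey'
$groupName  = 'LastPass-Pilot'
$svcAccount = 'CORP\svc-lastpass'
$usersOU    = 'OU=Users,OU=Corp,DC=corp,DC=example,DC=com'

# The attribute is confidential: it reads back as empty for any caller without
# CONTROL_ACCESS, so run this as a privileged admin or an empty result proves nothing.
$members = Get-ADGroupMember -Identity $groupName -Recursive |
           Where-Object objectClass -eq 'user'
$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties $attrName
    [pscustomobject]@{
        User      = $u.UserPrincipalName
        Populated = -not [string]::IsNullOrEmpty($u.$attrName)   # ADC writes a random string
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Populated })
if ($missing.Count -eq 0) {
    Write-Output "Custom attribute populated for all $($report.Count) synced users; continue with Step #5."
} else {
    # Failure path: confirm whether the ADC account holds CONTROL_ACCESS, i.e. an
    # ExtendedRight ACE whose ObjectType is this attribute's schemaIDGUID, on the OU.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attrName)" `
                          -Properties schemaIDGUID).schemaIDGUID
    $ace = (Get-Acl -Path "AD:\$usersOU").Access | Where-Object {
        $_.IdentityReference.Value -eq $svcAccount -and
        $_.ObjectType -eq $attrGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    if (-not $ace) {
        Write-Warning "$svcAccount has no CONTROL ACCESS ACE for $attrName on $usersOU."
        Write-Warning "Stop the ADC, delete the $($missing.Count) federated users with an empty attribute in the Admin Console, grant the right, then restart the sync."
    } else {
        Write-Warning "CONTROL ACCESS ACE is present; check the ADC log for write errors instead."
    }
}
```

The second warning branch is there because an empty attribute with the ACE already in place points somewhere other than permissions (for example, the ADC was not run as the account that holds the right), and deleting and re-syncing users will not fix that.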

Step #5: Register your custom attribute with LastPass

Next, you will need to register the custom attribute (that you created or re-purposed and configured in Step #1) with LastPass by running the AD FS Plugin on your AD FS server, as follows:

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Settings > Federated login in the left menu.
  3. In the "LastPass Custom Attribute Store" section at the bottom of the page, click either Download for ADFS Server 3.0 (for Windows Server 2012 R2) or Download for ADFS Server 4.0 (for Windows Server 2016) and save the LastPass CustomAttributeStore.msi file.
  4. Log in to your primary Active Directory Federation Services (AD FS) server, then transfer the CustomAttributeStore.msi file onto the desktop of your AD FS server and double-click it to run it.
  5. Click Next.
  6. Enter your LastPass Enterprise Service Provider URL (from Step #3, Action #6), then enter your custom attribute value (from Step #1) and click Next.
  7. Click Finish when registration is complete.

AD FS Plugin Setup

Additional steps for AD FS farm environments:

  1. On the primary AD FS server, navigate to C:\Windows\ADFS, where the LastPass CustomAttributeStore.msi installer placed its files.
  2. Copy the following files to all AD FS secondary servers' C:\Windows\ADFS folder:
    • LastPassADFS.dll
    • LastPassConfig.dll
    • LastPassLib.dll
    • LastPassLogger.dll
    • LastPassSettings.dll
    • BouncyCastle.Crypto.dll
    • NLog.dll
  3. Restart the AD FS Windows service on the secondary AD FS nodes.
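The farm steps above (copy the seven assemblies to every secondary node's C:\Windows\ADFS and restart the AD FS service there) can be done from the primary in one pass, with a hash comparison so a partial or stale copy is caught before the service is restarted. This is an added example, not LastPass code; the secondary node names are placeholders, and it assumes the administrative C$ share and PowerShell remoting are reachable from the primary.

```powershell
# Added example, not from the LastPass help page. Run on the primary AD FS node
# after CustomAttributeStore.msi has been installed there.
$secondaries = 'adfs02', 'adfs03'          # assumed secondary node names
$adfsDir = 'C:\Windows\ADFS'
$files = 'LastPassADFS.dll', 'LastPassConfig.dll', 'LastPassLib.dll',
         'LastPassLogger.dll', 'LastPassSettings.dll',
         'BouncyCastle.Crypto.dll', 'NLog.dll'

# SHA-256 of each assembly as installed on the primary; each secondary is
# verified against these after the copy.
$expected = @{}
foreach ($f in $files) {
    $expected[$f] = (Get-FileHash -Path (Join-Path $adfsDir $f) -Algorithm SHA256).Hash
}

foreach ($node in $secondaries) {
    $dest = "\\$node\" + $adfsDir.Replace(':', '$')     # \\adfs02\C$\Windows\ADFS
    foreach ($f in $files) {
        Copy-Item -Path (Join-Path $adfsDir $f) -Destination $dest -Force
        $h = (Get-FileHash -Path (Join-Path $dest $f) -Algorithm SHA256).Hash
        if ($h -ne $expected[$f]) { throw "$f on $node does not match the copy on the primary" }
    }
    # The attribute store assemblies are only loaded when the AD FS service
    # (adfssrv) starts, so each secondary must be restarted after the copy.
    Invoke-Command -ComputerName $node -ScriptBlock { Restart-Service -Name adfssrv }
    Write-Output "$node updated and AD FS service restarted"
}
```

Restart the secondaries one at a time during a maintenance window; while adfssrv is restarting on a node, that node cannot issue tokens, so do not restart the whole farm at once.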

Step #6: Apply Access Control Policy changes

The LastPass Custom Attribute Store installer created a “LastPassTrust” Relying Party Trust on your AD FS server(s). By default it has no access control policy of your own, so set one now; this is also where the Multifactor Authentication requirement recommended at the start of this article belongs.

  1. Log in to your primary Active Directory Federation Services (AD FS) server.
  2. Open the AD FS Management tool.
  3. Go to Trust Relationships > Relying Party Trusts in the left navigation, then follow the next steps based on your AD FS server version:
    • AD FS Server 3.0 – Windows Server 2012 R2
      1. With the LastPass trust selected, click Edit Claim Rules... in the Actions pane on the right.
      2. Select the Issuance Authorization Rules tab and set your desired rule.
    • AD FS Server 4.0 – Windows Server 2016
      1. With the LastPass trust selected, click Edit Access Control Policy... in the Actions pane on the right.
      2. Set your desired policy.
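The same policy can be applied with the ADFS PowerShell module, which also lets you enforce the Multifactor Authentication requirement from the "Before you begin" section at the identity provider, where the page says it must live. The block below is an added example and not LastPass code: it looks up the trust by name (the page calls it both "LastPassTrust" and "LastPass Trust", so the lookup uses a wildcard), uses the built-in AD FS 2016 access control policy "Permit everyone and require MFA", and for AD FS 3.0 writes an issuance authorization rule restricted to a placeholder group SID plus an additional authentication rule requiring MFA. The group SID is an assumption; replace it with the SID of your control group.

```powershell
# Added example, not from the LastPass help page. Run on the primary AD FS node.
Import-Module ADFS

$rp = Get-AdfsRelyingPartyTrust | Where-Object Name -like 'LastPass*Trust'
if (-not $rp) { throw 'LastPass relying party trust not found; re-run the Custom Attribute Store installer' }
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # assumed SID of the pilot group

# AD FS 4.0 (Windows Server 2016) exposes access control policies; AD FS 3.0 does not.
$hasAcp = [bool](Get-Command Get-AdfsAccessControlPolicy -ErrorAction SilentlyContinue)

if ($hasAcp) {
    # Built-in policy: any authenticated user may sign in, MFA is always required.
    Set-AdfsRelyingPartyTrust -TargetName $rp.Name -AccessControlPolicyName 'Permit everyone and require MFA'
} else {
    # AD FS 3.0: authorize only members of the pilot group ...
    $authz = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit LastPass pilot group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@
    # ... and require a second factor for every sign-in to this relying party.
    $mfa = @"
@RuleName = "Require MFA for LastPass"
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
    Set-AdfsRelyingPartyTrust -TargetName $rp.Name `
        -IssuanceAuthorizationRules $authz `
        -AdditionalAuthenticationRules $mfa
}

# Show the resulting configuration for the change record.
Get-AdfsRelyingPartyTrust -Name $rp.Name |
    Select-Object Name, Identifier, AccessControlPolicyName, IssuanceAuthorizationRules, AdditionalAuthenticationRules |
    Format-List
```

Requiring MFA here rather than in LastPass is not only the supported configuration for federated users; it also means the second factor is checked before AD FS issues the token that releases the user's Vault key, so a stolen Active Directory password alone does not unlock the Vault. Verify the policy with a pilot user before widening the authorization rule beyond the control group.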

That's it! You have successfully set up federation services for your LastPass Enterprise account. All of your newly populated federated users will receive a Welcome email informing them that they can now log in and use LastPass. To see your end user's experience, please see Federated Login Experience for LastPass Enterprise Users.