Set Up Federation Services for LastPass Enterprise
LastPass Enterprise account admins can set up and configure Active Directory Federation Services (AD FS) to be used to create new users via the LastPass Active Directory Connector as an automated means of provisioning. For users, this means that they will use their organization's Active Directory credentials to log in to LastPass without ever having to create a second Master Password.
Before you begin implementation...
It is highly recommended that you create a non-production Active Directory environment that has been set up to use Federation Services within your organization so that you can familiarize yourself with AD FS for LastPass Enterprise. Your test environment should also include a non-production version of the components in Step #1 (including creating a separate LastPass Enterprise trial account for testing), and it is recommended that you go through all steps below using your non-production LastPass Enterprise account with your test environment first to avoid any unintentional user account data loss.
Limitations that apply to federated users
The following LastPass Enterprise features have limitations that will apply to federated users only:
- Offline access – The client side (web browser extension) must remain online in order to obtain the user's encryption key and unlock the user's LastPass Vault. For this reason, offline login is not available.
- Linked personal account – Linked personal accounts are not supported for federated users. This means that a federated user cannot link their personal account to their LastPass Enterprise account. Learn more.
- One-Time Password – This feature is not available because the Master Password comes from the user's Active Directory environment; therefore, users must authenticate using the password known to Active Directory Federation Services.
- Account recovery – For federated users, the Master Password comes from the user's Active Directory environment. Therefore, password recovery can be done in either of the following ways:
- Password reset via the user's Active Directory or Federation Services user management
- Password reset using the "Super Admin Master Password Reset" policy within LastPass; however, this will convert a federated user to a non-federated user – for more information, please see Reset a User's Master Password (Super Admin)
If a federated user is ever converted to a non-federated user, the limitations above will be lifted but the user's account will still be required to adhere to company policies that have been applied to their LastPass Enterprise account.
Additionally, only new users can be provisioned as federated users. To provision federated status for either an existing LastPass user (who has already created a Master Password) or a user whose Master Password must be reset (which converts them to a non-federated user), their LastPass account must be deleted and recreated as a federated user account.
To ensure that the user's LastPass account data can be fully restored without data loss during this process, it is required that the user logs in and exports their Vault prior to being deleted, as follows:
- Reset the user's Master Password.
- Once the user has logged in to their account, they must export their LastPass account data.
- When they confirm their account has been exported, you can then delete the user's account.
- The LastPass Active Directory Connector will detect them as a new user and provision them as a federated user.
- Once they log in to LastPass as a federated user (utilizing their current Active Directory credentials), they can import their LastPass account data to restore their Vault.
Before you can begin using Active Directory Federation Services with LastPass Enterprise, you must already have the following set up (for both non-production and live environments):
- An active LastPass Enterprise account for your live environment (and a separate LastPass Enterprise test account for testing in your non-production environment, which you can register for here), that includes:
- At least 1 admin account enabled
- A user seat count that matches (or exceeds) the user count that will be synced with your Active Directory (both non-production and live environments)
- Active Directory server environments (both non-production and live) that meet the following requirements:
- You have set up and configured both environments to use Federation Services (AD FS 3.0 or AD FS 4.0 on either Windows Server 2012 R2 or Windows Server 2016 with the latest updates installed, including .Net Framework)
- You have created a custom attribute field (or re-purposed an existing attribute that was available to customize) and it has been set as a confidential bit (which allows you to set the read permissions only for privileged admins) and confirmed that it is listed in both your non-production and live Active Directory environments
- The LastPass Active Directory Connector installed with the "Actions" setting configured to Automatically create new users in LastPass when a user in Active Directory is detected (within your local non-production and live environments)
Note: This option must be selected in order for federated users to be created via AD FS.
- The "Super Admin Master Password Reset" policy is enabled on both the non-production and live versions of your LastPass Enterprise accounts (which allows you to reset a user's Master Password) – please note that for federated users, resetting their Master Password is the only way to convert them to a non-federated user status, because the Master Password will no longer match the one stored in Active Directory – learn more
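The confidential-bit requirement above is worth verifying in each environment before federation is enabled. The following PowerShell check is an added example, not part of the LastPass article; it assumes the RSAT ActiveDirectory module is installed and uses a placeholder attribute name (lastPassFederation) that you should replace with your own.

```powershell
# Added example (not from the LastPass article): confirm that the custom
# attribute chosen for federation exists in the AD schema and has the
# confidential bit set, so only privileged admins can read its value.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
# "lastPassFederation" is a placeholder attribute name; use your own.
Import-Module ActiveDirectory

function Test-LastPassAttributeConfidential {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties searchFlags

    if (-not $attr) {
        return [pscustomobject]@{
            Attribute = $LdapDisplayName; Exists = $false; Confidential = $false
        }
    }

    # searchFlags bit 0x80 (fATTCONFIDENTIAL) marks the attribute as confidential:
    # reading it requires CONTROL_ACCESS instead of the default generic read.
    $confidential = ($attr.searchFlags -band 0x80) -ne 0

    [pscustomobject]@{
        Attribute    = $LdapDisplayName
        Exists       = $true
        SearchFlags  = $attr.searchFlags
        Confidential = $confidential
    }
}

# Run against both the non-production and live forests before enabling federation.
Test-LastPassAttributeConfidential -LdapDisplayName 'lastPassFederation' | Format-List
```

A result with Exists = True and Confidential = False means the attribute was created but the confidential bit was never set, so the value would be readable by any authenticated user.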
Once you have completed all of these requirements, you will need to capture several key pieces of information to begin setting up AD FS for LastPass Enterprise. For this reason, we recommend that you open a text editor application and prepare the following fields:
- Active Directory Custom Attribute
- Identity Provider URL
- Identity Provider Public Key
- Service Provider URL
After these fields have been prepared in your text editor, proceed to the next step.
Next, you will need to log in to your Active Directory Federation Services (AD FS) server and obtain your full Identity Provider URL (Federation Service name + Endpoint Token Issuance URL Path), and your Identity Provider Public Key.
Identity Provider URL:
- Log in to your Active Directory Federation Services (AD FS) server and start the AD FS Management tool.
- Right-click on Service > Edit Federation Service Properties.
- On the General tab, copy the URL within the Federation Service name field (e.g., fs.fabrikam.com) and paste it into a text editor. Be sure that the Federation Service name you enter into your text editor begins with "https://" as it is required to be a secure protocol (e.g., https://fs.fabrikam.com).
Endpoint Token Issuance URL Path:
- In the AD FS Management tool, go to Service > Endpoints.
- In the Token Issuance section, locate the entry with SAML 2.0/WS-Federation listed in the "Type" column (e.g., adfs/ls is the default path, but can vary depending on your environment).
- Copy the value within the URL Path field and paste it into a text editor at the end of the Identity Provider URL path so that it looks like this: https:// <Federation Service name> + <Endpoint Token Issuance URL Path>. For example, all 3 components combined would be https://fs.fabrikam.com/adfs/ls as your full Identity Provider URL.
Identity Provider Public Key:
- In the AD FS Management tool, go to Service > Certificates.
- Right-click on the Token-signing Certificate entry and select View Certificate.
- Click on the Details tab, then click to select Public key.
- In the section below, highlight and copy the entire Public Key, then paste it into a text editor.
Once your full Identity Provider URL and Identity Provider Public Key have been recorded in a text editor, proceed to the next step.
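The same three values (Federation Service name, token issuance endpoint path, and token-signing public key) can be read from the AD FS PowerShell module instead of copied out of the Management tool. This script is an added example, not code from the LastPass article; it assumes it is run on the AD FS server itself with the ADFS module available.

```powershell
# Added example (not from the LastPass article): read the values the AD FS
# Management tool shows and assemble the full Identity Provider URL.
# Assumes the ADFS module is available, i.e. this runs on the AD FS server.
Import-Module ADFS

function Get-LastPassIdpSettings {
    # Federation Service name (e.g. fs.fabrikam.com) from the service properties.
    $hostName = (Get-AdfsProperties).HostName

    # Token Issuance endpoint of type SAML 2.0/WS-Federation (/adfs/ls/ by default).
    $endpoint = Get-AdfsEndpoint |
        Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
        Select-Object -First 1
    if (-not $endpoint) {
        throw 'No enabled SAML 2.0/WS-Federation token issuance endpoint found.'
    }

    # LastPass requires https, so the scheme is fixed here rather than pasted by hand.
    $path   = $endpoint.AddressPath.TrimEnd('/')
    $idpUrl = "https://$hostName$path"

    # Public key of the *primary* token-signing certificate, as a hex string,
    # which is what the "Public key" field on the certificate's Details tab shows.
    $signing = Get-AdfsCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    $cert = $signing.Certificate
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Primary token-signing certificate expired on $($cert.NotAfter)."
    }

    [pscustomobject]@{
        IdentityProviderUrl = $idpUrl          # e.g. https://fs.fabrikam.com/adfs/ls
        SigningThumbprint   = $cert.Thumbprint
        SigningNotAfter     = $cert.NotAfter
        PublicKeyHex        = $cert.GetPublicKeyString()
    }
}

Get-LastPassIdpSettings | Format-List
```

Record SigningNotAfter alongside the key: when the token-signing certificate is rolled over, the public key saved in LastPass no longer matches and must be re-entered.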
Now that you have obtained all of the necessary information, you can configure your LastPass Enterprise Federated Login settings as follows:
- Log in and access the Admin Console.
- Go to Settings > Federated login in the left menu.
- In the Provider URL field, paste your full Identity Provider URL (i.e., https:// + Federation Service name + Endpoint Token Issuance URL Path) that you obtained in Step #2.
- In the Public key field, paste your Identity Provider Public Key that you obtained from Step #2.
- Click Save Settings.
- Once saved, the Service Provider URL field below will be generated automatically. Copy your Service Provider URL and paste it into a text editor.
- Add the custom attribute (that you created or re-purposed and configured in Step #1) in the "Configure AD Connector" section, then click Save.
- Once all of the fields have been updated in both sections, an "Enabled" checkbox will be displayed in the "Configure AD FS" section.
Finally, you will need to register the custom attribute (that you created or re-purposed and configured in Step #1) with LastPass by running the AD FS Plugin on your Active Directory server, as follows:
- Log in and access the Admin Console.
- Go to Settings > Federated login in the left menu.
- In the "LastPass Custom Attribute Store" section at the bottom of the page, click either Download for ADFS Server 3.0 or Download for ADFS Server 4.0 (depending on your AD FS server version) and save the LastPass CustomAttributeStore.msi file.
- Log in to your Active Directory Federation Services (AD FS) server, then transfer the CustomAttributeStore.msi file onto the desktop of your AD FS server and double-click it to run it.
- Click Next.
- Enter your LastPass Enterprise Service Provider URL (from Step #3, Action #6), then enter your custom attribute value (from Step #1) and click Next.
- Click Finish when registration is complete.
Once you register your custom attribute, the LastPass Active Directory Connector can create and provision new users with LastPass Enterprise, and allow them to authenticate using their existing Active Directory credentials when they log in to LastPass via the web browser extension. Your newly provisioned federated users will appear in your Admin Console's user list with an asterisk (*) before their username (e.g., *email@example.com) so they can be distinguished from non-federated users.
To see your end user's experience, please see Federated Login Experience for LastPass Enterprise Users.