Set Up SCIM Provisioning for LastPass Using Okta
IT admins can easily benefit from secure administration of LastPass Enterprise and LastPass Identity accounts by using our Okta integration, which offers:
- Secure configuration and deployment of LastPass
- Automated provisioning of LastPass user accounts
- Real-time deprovisioning of LastPass user accounts
- Assigning LastPass access to groups in Okta
Syncing your Okta user directory with LastPass requires the following:
- An active Okta provisioning subscription
- An active trial or paid LastPass Enterprise or LastPass Identity account
- An active LastPass Enterprise or LastPass Identity admin (required when activating your trial)
The SCIM endpoint used to integrate LastPass with Okta does not require any software installation.
Completing only the SCIM Provisioning steps for Okta (outlined in the Okta SCIM Integration Guide for LastPass) will still require the user to create and remember a separate Master Password to log in to LastPass, which is used to create the unique encryption key for their LastPass Vault.
LastPass does support federated login with Okta, which allows users to log into LastPass using their Okta account. To set up federated login with Okta, please see the Set Up Federated Login for LastPass Using Okta article.
To register and integrate your LastPass Enterprise or LastPass Identity account with Okta, complete all of the steps in the Okta SCIM Integration Guide.
Do groups in Okta sync to the LastPass Admin Console?
- Yes. You can assign LastPass provisioning to specific groups in the Okta dashboard, and groups themselves are synced from Okta to LastPass.
Can I assign more than one group to LastPass?
- Yes, you can assign as many custom groups to LastPass in the Okta dashboard as needed.
If I update a group in Okta, are the changes reflected in LastPass?
- If you add or remove users to a group in Okta, the change will be reflected in LastPass and an account will be provisioned or deprovisioned as needed.
Can users log in to LastPass with their Okta password with these instructions?
- Not with these instructions – following the instructions in the Okta SCIM Integration Guide still requires users to create a separate LastPass Master Password when they receive their account invitation.
- However, federated login using Okta is supported, which allows users to log in to LastPass using their Okta account – no separate Master Password required! For those setup instructions, please see Set Up Federated Login for LastPass Using Okta.
Can I choose to have users added to the Pending Approval tab in the Admin Console?
- No, users are automatically provisioned and will appear as live users.
How can I test that the integration is syncing correctly?
- When first deploying LastPass Enterprise or LastPass Identity with Okta, you can set up a small test group in Okta. Once you’ve confirmed that provisioning is working as expected, you can test adding and removing people in the test group. Once all testing is successful, you can then assign LastPass to all groups, or the specific groups that will be using LastPass.