HELP FILE

Set Up Simplified Federated Login for LastPass using AD FS

LastPass Enterprise and LastPass Identity account admins can set up and configure Active Directory Federation Services (AD FS) so that users can use their organization's Active Directory account to log in to LastPass without ever having to create a second Master Password.

Before you begin implementation...

  • Review the limitations that apply to federated user accounts.
  • It is highly recommended that you create a non-production Active Directory environment with Federation Services so that you can familiarize yourself with AD FS for LastPass Enterprise or LastPass Identity.
    • Your test environment should also include a non-production version of the components in Step #1 (including creating a separate LastPass Enterprise or LastPass Identity trial account for testing). Please follow all of the setup steps below using your non-production LastPass Enterprise or LastPass Identity account with your test environment first to avoid any unintentional user account data loss.
  • It is also highly recommended that you implement Multifactor Authentication for your users; however, please be aware of the following:
    • You must set up Multifactor Authentication at the Identity Provider level (AD FS), and not at the LastPass level (via the Admin Console and/or end user Account Settings). Using Multifactor Authentication within LastPass is not supported for federated users, and will result in those users being unable to access their Vault.
    • You cannot enforce Multifactor Authentication policies in the LastPass Admin Console because this authentication will occur outside of LastPass, between your Identity Provider (AD FS) and your authentication service. For this reason, we recommend enforcing Multifactor Authentication policies in AD FS.
  • By default, we recommend using the company-wide key, as the steps outlined here do not require a change to your Active Directory schema. If you still want to set up a unique key for each of your users, please follow these setup instructions.

Step #1: Ensure the required components checklist is complete

Before you can begin using Active Directory Federation Services with LastPass Enterprise or LastPass Identity, you must already have the following set up (for both non-production and live environments):

  • An active LastPass Enterprise or LastPass Identity account that includes:
    • At least 1 admin account enabled
    • A user seat count that matches (or exceeds) the user count that will be synced with your Active Directory (both non-production and live environments)

      Note: If you are testing in your non-production environment, it is recommended to set up a separate LastPass Enterprise or LastPass Identity test account, which you can register for here.

  • Active Directory server environments (both non-production and live) that meet the following requirements:
    • Both environments are set up and configured to use Federation Services (AD FS 3.0 or AD FS 4.0 on either Windows Server 2012 R2 or Windows Server 2016 with the latest updates installed, including .Net Framework)
    • Your firewall settings are configured to reach https://www.lastpass.com and its subdomains (*.lastpass.com) and you confirmed they are not blocked by any firewall rule on all of your AD FS servers.
  • The "Super Admin Master Password Reset" policy enabled
    • This policy must be enabled on both the non-production and live versions of your LastPass Enterprise or LastPass Identity accounts; it allows you to reset a user's Master Password. Please note that for federated users, resetting their Master Password is the only way to convert them to non-federated status, because after the reset their Master Password will no longer match the one derived from Active Directory. Learn more

Once you have completed all of these requirements, you will need to capture several key pieces of information during the setup process. Open a text editor application and prepare the following fields:

  • Company-wide key:
  • Identity Provider URL:
  • Identity Provider Public Key:
  • LastPass Assertion Consumer Service (ACS) URL:

After these fields have been prepared in your text editor, proceed to the next step.

Step #2: Capture your Identity Provider URL and Identity Provider Public Key

Next, you will need to log in to your Active Directory Federation Services (AD FS) server and obtain your full Identity Provider URL (Federation Service name + Endpoint Token Issuance URL Path), and your Identity Provider Public Key.

Identity Provider URL:

  1. Log in to your Active Directory Federation Services (AD FS) server and start the AD FS Management tool.
  2. Right-click on Service > Edit Federation Service Properties.
  3. On the General tab, copy the URL within the Federation Service name field (e.g., fs.fabrikam.com) and paste it into a text editor. Be sure that the Federation Service name you enter into your text editor begins with "https://" as it is required to be a secure protocol (e.g., https://fs.fabrikam.com).

Copy Federation Service Name

Endpoint Token Issuance URL Path:

  1. In the AD FS Management tool, go to Service > Endpoints.
  2. In the Token Issuance section, locate the entry with SAML 2.0/WS-Federation listed in the "Type" column (e.g., adfs/ls is the default path, but can vary depending on your environment).
  3. Copy the value within the URL Path field and paste it into a text editor at the end of the Identity Provider URL path so that it looks like this: https:// <Federation Service name> + <Endpoint Token Issuance URL Path>. For example, all 3 components combined would be https://fs.fabrikam.com/adfs/ls as your full Identity Provider URL.

Copy AD FS Endpoint Token Issuance URL Path

Identity Provider Public Key:

  1. In the AD FS Management tool, go to Service > Certificates.
  2. Right-click on the Token-signing Certificate entry and select View Certificate.
  3. Click on the Details tab, then click to select Public key.
  4. In the section below, highlight and copy the entire Public Key, then paste it into a text editor.

Once your full Identity Provider URL and Identity Provider Public Key have been recorded in a text editor, proceed to the next step.

Public Key from Details of Token-signing Certificate Properties

Additional step for AD FS farm environments:

  • Confirm that each AD FS node has the same Token-signing certificate.
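The values Step #2 collects from the AD FS Management GUI can also be read with the AD FS PowerShell module, which makes the farm check above repeatable. This is an added example, not LastPass documentation or code: it assumes the ADFS module in an elevated session on the primary node, and WinRM access to the placeholder node names in $FarmNodes.

```powershell
# Added example (not from the LastPass help file): captures the Identity Provider
# URL and Identity Provider Public Key that Step #2 asks for, then confirms every
# farm node presents the same primary Token-signing certificate.
Import-Module ADFS

$FarmNodes = @('adfs02.corp.example', 'adfs03.corp.example')   # placeholder node names

# Federation Service name, prefixed with https:// as the help file requires
$fsName = (Get-AdfsProperties).HostName
$base   = "https://$fsName"

# Token issuance endpoint of type "SAML 2.0/WS-Federation" (adfs/ls by default)
$ls = Get-AdfsEndpoint |
      Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
      Select-Object -First 1
$identityProviderUrl = $base + $ls.AddressPath.TrimEnd('/')   # e.g. https://fs.fabrikam.com/adfs/ls

# Primary Token-signing certificate; GetPublicKey() returns the same bytes the
# certificate's Details tab shows under "Public key", rendered here as spaced hex
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$publicKeyHex = [System.BitConverter]::ToString($signing.Certificate.GetPublicKey()) -replace '-', ' '

[pscustomobject]@{
    'Identity Provider URL'        = $identityProviderUrl
    'Identity Provider Public Key' = $publicKeyHex
    'Token-signing thumbprint'     = $signing.Thumbprint
} | Format-List

# Farm check: every node must report the same primary Token-signing thumbprint,
# otherwise tokens signed by that node will not verify against the key in LastPass
$mismatch = foreach ($node in $FarmNodes) {
    $remote = Invoke-Command -ComputerName $node -ScriptBlock {
        (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Thumbprint
    }
    if ($remote -ne $signing.Thumbprint) { "$node has thumbprint $remote" }
}
if ($mismatch) { Write-Warning ("Token-signing certificate differs on: " + ($mismatch -join '; ')) }
else           { Write-Host "All farm nodes share Token-signing certificate $($signing.Thumbprint)" }
```

Paste the printed Identity Provider URL and Identity Provider Public Key into the text editor fields prepared in Step #1; the thumbprint is only used for the farm comparison.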

Step #3: Configure your LastPass Enterprise or LastPass Identity Federated Login Settings

If you have already installed the LastPass Active Directory Connector, you must stop the service and exit the ADC application. You will need to start it at a later step.

Now that you have obtained all of the necessary information, you can configure your LastPass Enterprise or LastPass Identity Federated Login settings as follows:

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Settings > Federated login in the left navigation.
  3. In the Provider URL field, paste your full Identity Provider URL (i.e., https:// + Federation Service name + Endpoint Token Issuance URL Path) that you obtained in Step #2.
  4. In the Public key field, paste your Identity Provider Public Key that you obtained from Step #2.
  5. Once all of the fields have been updated in both sections, an "Enabled" checkbox will be displayed in the "Configure AD FS" section. Check the box for the Enabled setting.
  6. Click Save Settings.
  7. Once saved, the LastPass Assertion Consumer Service (ACS) field below will be generated automatically. Copy your LastPass Assertion Consumer Service (ACS) URL and paste it into a text editor.

Step #4: Install the LastPass Active Directory Connector

TIP! Create a small control group of users in Active Directory to be used initially for the steps below.

  1. Install the LastPass Active Directory Connector (instructions here). If the LastPass AD Connector is already installed, you must restart the application before proceeding with changing the settings.
  2. Configure the LastPass Active Directory Connector by selecting Actions > When a user is detected in Active Directory > Automatically create user in LastPass (within your local non-production and live environments).

    WARNING! This option must be selected in order for federated users to be created via AD FS.

  3. Select AD FS in the left navigation, then click Edit.
  4. Click Generate New Secret.

    IMPORTANT! You must save the New Secret key (in the Company-wide key field) to a secure location. If you need to reinstall the LastPass AD Connector in the future, you must re-enter this same company-wide key again.

  5. Once all of the configurations are in place, select the Home tab in the left navigation of the LastPass AD Connector, then check the box for Enable sync to begin syncing.
  6. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  7. Go to Users in the left navigation to see your users populate as they are synced from your Active Directory. Federated users are displayed with an asterisk (*) before their username (e.g., *john.doe@acme.com).

Step #5: Register your Company-wide key with LastPass

Next, you will need to register the Company-wide key with LastPass by running the AD FS Plugin installer on your AD FS server.

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Settings > Federated login in the left navigation.
  3. In the "LastPass Custom Attribute Store" section at the bottom of the page, click either Download for ADFS Server 3.0 (For Windows Server 2012 R2) or Download for ADFS Server 4.0 (for Windows Server 2016) and save the LastPass .MSI file.
  4. Log in to your primary Active Directory Federation Services (AD FS) server, then transfer the .MSI file onto the desktop of your AD FS server. Right-click on the file and select Run as Administrator, or execute the .MSI installer from an elevated command prompt. Click Yes if prompted by User Account Control.

    Note: The AD FS plugin .MSI installer must be run as an administrator or with elevated permissions, even if you are logged in as a domain admin.

  5. Click Next.
  6. Enter your LastPass Assertion Consumer Service (ACS) URL (from Step #3, Action #6), then enter your Company-wide key (from Step #4, Action #4) and click Next.
  7. Click Finish when registration is complete.
  8. Restart the AD FS Windows service. This is required.

Additional steps for AD FS farm environments:

  1. On the AD FS server, navigate to C:\Windows\ADFS where you installed the LastPass .MSI file.
  2. Copy the following files to all AD FS secondary servers' C:\Windows\ADFS folder:
    • LastPassADFS.dll
    • LastPassConfig.dll
    • LastPassLib.dll
    • LastPassLogger.dll
    • LastPassSettings.dll
    • BouncyCastle.Crypto.dll
    • NLog.dll
  3. Restart the AD FS Windows service on the secondary AD FS nodes. This is required.
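The farm steps above can be scripted so that every secondary node ends up with byte-identical plugin files. This is an added example, not the LastPass installer's own logic: it assumes it runs on the primary node after the .MSI has been installed there, with admin share (C$) and WinRM access to the placeholder node names in $SecondaryNodes.

```powershell
# Added example (not from the LastPass help file): copies the seven plugin files
# listed above from the primary node to each secondary node, verifies each copy
# by SHA-256 against the primary, then performs the required AD FS service restart.
$SecondaryNodes = @('adfs02.corp.example', 'adfs03.corp.example')   # placeholder node names
$AdfsDir     = 'C:\Windows\ADFS'
$PluginFiles = @(
    'LastPassADFS.dll', 'LastPassConfig.dll', 'LastPassLib.dll', 'LastPassLogger.dll',
    'LastPassSettings.dll', 'BouncyCastle.Crypto.dll', 'NLog.dll'
)

# Reference hashes taken from the primary node before anything is copied
$expected = @{}
foreach ($f in $PluginFiles) {
    $expected[$f] = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $AdfsDir $f)).Hash
}

foreach ($node in $SecondaryNodes) {
    $remoteDir = "\\$node\C$\Windows\ADFS"
    foreach ($f in $PluginFiles) {
        Copy-Item -Path (Join-Path $AdfsDir $f) -Destination $remoteDir -Force
        # A truncated or stale copy would load as a different assembly on that node
        $got = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $remoteDir $f)).Hash
        if ($got -ne $expected[$f]) {
            throw "Hash mismatch for $f on ${node}: expected $($expected[$f]), got $got"
        }
    }
    # The help file marks this restart as required on every secondary node
    Invoke-Command -ComputerName $node -ScriptBlock { Restart-Service -Name adfssrv }
    Write-Host "${node}: plugin files verified and AD FS service restarted"
}
```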

Step #6: Apply Access Control Policy changes

The LastPass Custom Attribute Store installer added a "LastPass Trust" Relying Party Trust on your AD FS server(s).

  1. Log in to your primary Active Directory Federation Services (AD FS) server.
  2. Navigate to your AD FS Management Settings.
  3. Go to Trust Relationships > Relying Party Trust in the left navigation, then follow the next steps based on your AD FS server version:
    • AD FS Server 3.0 – Windows Server 2012 R2
      1. In the "LastPass Trust" section in the right navigation, click Edit Claim Rules....
      2. Select the Issuance Authorization Rules tab and set your desired rule, which will define how users are authorized when logging in to LastPass via federated login using AD FS.
    • AD FS Server 4.0 – Windows Server 2016
      1. In the "LastPass Trust" section in the right navigation, click Edit Access Control Policy....
      2. Set your desired policy, which will define how users are authorized when logging in to LastPass via federated login using AD FS.
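Because the page recommends enforcing Multifactor Authentication at the AD FS level for federated users, the following applies that requirement to the "LastPass Trust" relying party from PowerShell instead of the GUI, then reads the result back. This is an added example, not from the LastPass help file: it assumes an elevated session on the primary AD FS node and uses the built-in "Permit everyone and require MFA" access control policy on AD FS 4.0 and standard claim rule language on AD FS 3.0.

```powershell
# Added example (not from the LastPass help file): enforces MFA on the
# "LastPass Trust" relying party installed by the Custom Attribute Store.
Import-Module ADFS
$TrustName = 'LastPass Trust'

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party '$TrustName' not found; run the plugin installer first" }

# AD FS 4.0 (Windows Server 2016) exposes access control policies; AD FS 3.0 does not
$hasAcp = (Get-Command Set-AdfsRelyingPartyTrust).Parameters.ContainsKey('AccessControlPolicyName')

if ($hasAcp) {
    # Built-in policy on AD FS 2016: every authenticated user, but only after MFA
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -AccessControlPolicyName 'Permit everyone and require MFA'
}
else {
    # AD FS 3.0: the Issuance Authorization Rules tab decides who may receive a token ...
    $authz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
    # ... while an additional authentication rule is what forces MFA for everyone
    $mfa = @'
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
    Set-AdfsRelyingPartyTrust -TargetName $TrustName `
        -IssuanceAuthorizationRules $authz -AdditionalAuthenticationRules $mfa
}

# Read the effective settings back so the change can be recorded with the rollout
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Enabled, AccessControlPolicyName,
                  IssuanceAuthorizationRules, AdditionalAuthenticationRules |
    Format-List
```

Verify with a test user from the control group before widening the sync, since a policy that denies the token leaves the federated user unable to reach their vault.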

You're all set!

You have successfully set up Active Directory Federation Services (AD FS) for your LastPass Enterprise or LastPass Identity account. All of your newly populated federated users will receive a Welcome email informing them that they can now log in and use LastPass.