HELP FILE

Set Up Single Sign-On for LastPass

LastPass Single Sign-on allows you to use your LastPass account as the central point of authentication for various domains and associated services.

LastPass Single Sign-on is powered by SAML 2.0, which allows your employees to access their favorite services simply by being logged in to LastPass. Once logged in to LastPass, your users can navigate to the service’s URL and bypass the login screen altogether. The authentication will take place on the backend between LastPass (the Identity Provider) and the desired application (the Service Provider). All access rights will be managed centrally by your LastPass administrators via the Admin Console.

Note: Using SAML does not prevent you from logging into the same service using your previously established username and password (if applicable), which includes logging in to the service using a mobile device.

Topics in this article:

  • Set up single sign-on
  • Use the SAML Usermap
  • Set up SAML-based provisioning

Set up single sign-on

LastPass Enterprise provides single sign-on support for various services that use SAML as a means of authentication. Once set up, your users only need to be logged in to their LastPass account in order to easily access these services without being prompted for a service provider's password. If the service you want to use single sign-on for is not listed, you can create your own custom service for your LastPass Enterprise account.

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to SSO > SAML in the left menu.
  3. Select your desired service provider, or select Custom Service to set up another service provider that does not already have a template.
  4. Click Add New Domain, then follow the remaining instructions on your selected SAML service provider setup page, as the steps will vary depending on the service you've chosen.

Use the SAML Usermap

If you have users whose single sign-on service provider account username does not match their LastPass account username, you can map the two usernames together per application, as follows:

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to SSO > SAML Usermap in the left menu.
  3. Select your desired Entity-ID (service).
  4. Next, select the LastPass username of your desired user.
  5. Finally, enter the username that is used for the user's single sign-on service.
  6. Click Submit to map the two usernames.

Set up SAML-based provisioning

For some service providers, accounts for LastPass users can be created (provisioned) automatically at the service provider level the first time the user logs in to the supported single sign-on service. Likewise, when a user is deleted from the LastPass user database, LastPass can remove (deprovision) that account from the service, if the service supports it.

The following services support automatic SAML-based provisioning:

  • Amazon Web Services
  • Box
  • Confluence
  • Google Apps
  • Jira
  • Joomla
  • Salesforce
  • Slack
  • WordPress
  • Zendesk

To set up provisioning for a supported single sign-on service, do the following:

  1. Go to https://lastpass.com/company/#!/dashboard and log in to access the Admin Console.
  2. Go to SSO > SAML Provisioning in the left menu.
  3. Select your desired service provider.
  4. Click Add New Domain, then follow the remaining instructions on your selected SAML service provider setup page, as the steps will vary depending on the service you've chosen.