HELP FILE

What are the limitations for LastPass Enterprise users with federated login?

The following LastPass Enterprise features have limitations that will apply to users whose accounts are configured for federated login using AD FS.

In this set of instructions, AD FS is defined as the Identity Provider (IdP) used for authentication.

  • No Offline access – The client side (web browser extension) must remain online in order to obtain the user's encryption key and unlock the user's LastPass Vault. For this reason, offline login is not available.
  • No One-Time Password – This feature is not available as the Master Password comes from the user's Active Directory (AD FS) environment.
  • Limited Account recovery options – For federated users, the Master Password comes from the user's Active Directory environment. Therefore, password recovery can be done in either of the following ways:
    • Password reset via the user's Active Directory user management
    • Password reset using the "Super Admin Master Password Reset" policy within LastPass, however, this will change the user's status from federated to non-federated – please see Reset a User's Master Password (Super Admin) for more information.
  • No Multifactor Authentication enabled within LastPass – Multifactor Authentication must be set up at the Identity Service Provider level (AD FS), not at the LastPass level. It must be disabled within the LastPass Admin Console (learn how here) and end user Account Settings (learn how here). If enabled within LastPass, it will result in federated users being unable to access their Vault.
  • No Multifactor Authentication policies enforced within LastPass – You must disable all Multifactor Authentication policies in the LastPass Admin Console (learn how here) because this authentication occurs at the Identity Provider (AD FS) level. If even one Multifactor Authentication policy is enabled in LastPass, it will result in federated users being unable to access their Vault.
  • Only Service Provider single sign-on (SSO) is supported – This means that you must always begin the login process from a LastPass component (e.g., web browser extension, mobile app, or desktop app) in order to be redirected to your organization's Identity Provider (AD FS) sign in page. Logging in via the LastPass website at https://lastpass.com/?ac=1 is not supported for federated users.

Please note that if a user's status changes from federated to non-federated (e.g., due to a Master Password reset), the limitations listed above will be lifted but the user will still be required to adhere to company policies that have been applied to their LastPass Enterprise account. Learn how these users can become federated users again without the risk of data loss.

Related

Set Up Federated Login for LastPass Enterprise using AD FS

How do I confirm that my custom attribute is listed in my Active Directory?

Troubleshooting Federated Login for Active Directory Federation Services (AD FS)

Federated Login Experience for LastPass Enterprise Users

How do I convert an existing LastPass Enterprise user to a federated (AD FS) user?