
Which automated provisioning service is right for me?

If you determined in Add Users and Admins that an automated provisioning service best suits your organization, let's review each one in detail so that you can make an informed decision about the service you choose.

Topics in this article:

LastPass Active Directory Connector service

LastPass Provisioning API

Windows Login Integration

LastPass Active Directory Connector service

The LastPass Active Directory Connector (AD Connector) sync client is a Windows service that is run locally and can be downloaded from the Admin Console. It connects to your Active Directory environment to support a variety of provisioning and management processes in LastPass.

Using the Active Directory Connector service, you can:

  • Feed relevant information from your user directory into LastPass.
  • Sync new user profiles to LastPass for automated provisioning of LastPass user accounts.
  • Sync disabled or deleted user profiles to LastPass for automated termination of LastPass user accounts.
  • Create nested groups to manage permissions at the group level.
  • Sync user groups to LastPass for policy designations, Shared Folders, and SAML application assignments.
  • Apply filters based on your groups so that only members of the relevant groups sync to LastPass.
  • Provision users for a number of cloud-based applications, including Google Apps and Salesforce.com. Once set up, when users are added in your Active Directory, a LastPass account is created on their behalf. No local provisioning is necessary.

Out of the box, the Active Directory Connector automatically tracks changes to your Active Directory or LDAP server (e.g., adding a new user, removing or disabling existing users, or changing a user's groups) and invokes the appropriate actions for LastPass accounts. Similarly, if you delete or disable a user in Active Directory, the associated LastPass account will also be disabled.

For more information, please see our Active Directory Connector FAQs. If you have decided this provisioning option is right for you, you can learn how to install and set up the LastPass Active Directory Connector service.

LastPass Provisioning API

LastPass exposes a public API that can be used by LastPass Enterprise accounts to create users, deprovision users, and manage groups via a REST web service interface. The LastPass Provisioning API is powerful, and includes many configuration settings that can be customized.

The main difference between this option and the Active Directory Connector is that the LastPass Provisioning API requires some coding on your part to prevent duplicate actions from occurring, whereas the AD Connector requires zero coding or integration.

If you have decided this provisioning option is right for you, you can learn how to get started with setting it up.

Windows Login Integration

LastPass can invisibly integrate with the standard Windows Login process to automatically create new users and sign existing users in. To do this, we install a DLL that hooks the Windows login flow using sanctioned/standard Windows protocols. When LastPass receives the password, it is instantly hashed, and the hash is then used to create the user’s LastPass credentials. LastPass never stores anything on disk and is careful not to leave anything in memory.

With the Windows Login integration, users within the LastPass Enterprise system will be provisioned using their Windows username followed by the @companydomain.com address that your organization uses (e.g., janedoe@lastpass.com). New users to LastPass will be created upon their first login to the Windows domain after setting up the Windows Login integration with LastPass. From that point on, users will log in to the Windows domain as they normally would, and will automatically be logged into LastPass as well.

If you have decided this provisioning option is right for you, you can learn how to get started with setting it up.