LastPass

Learn how to configure a connection to LastPass via SAML.

Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.

To create a LastPass SAML Connection, you’ll need an IdP Metadata XML file.

Start by logging in to your WorkOS dashboard and browsing to the “Organizations” tab on the left-hand navigation bar.

Select the organization you’d like to configure a LastPass SAML Connection for, and select “Manually Configure Connection” under “Identity Provider”.

A screenshot showing where to find "Manually Configure Connection" in the WorkOS Dashboard.

Select “LastPass SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.

A screenshot showing "Create Connection" details in the WorkOS Dashboard.

WorkOS provides the ACS URL, SP Entity ID, and SP Metadata URL. They’re readily available in your Connection Settings in the WorkOS Dashboard.

A screenshot showing where to find the ACS URL, SP Metadata, and SP Entity ID in the WorkOS Dashboard.

Next, provide the IdP Metadata file. Normally, this information will come from your enterprise customer’s IT Management team when they set up your application’s SAML 2.0 configuration in their LastPass admin console. But, should that not be the case during your setup, the next steps will show you how to obtain it.

Log in to LastPass, go to the admin console and select “Applications” on the top navigation. Then select “SSO apps” from the left side navigation. If your application is already created, select it from the list of applications and move to Step 2. Otherwise, select “Add app”.

A screenshot showing "Add app" in the "SSO apps" section of the Applications tab in the LastPass admin dashboard.

In the modal that pops up, click on “Add an unlisted app”.

A screenshot showing the selection of "Add an Unlisted App" for the creation of a new SSO app.

Give your SAML App a descriptive name and select “Continue”.

A screenshot showing how to add the name for a new SSO app.

Under the “Set up LastPass” section of the “Configure app” modal, input the ACS URL from the WorkOS Dashboard Connection details under “ACS”. Then click on “Advanced Settings”.

A screenshot showing where to add the ACS URL during the configuration app step in LastPass SAML Settings.

Under “Entity ID”, input the SP Entity ID from the WorkOS Dashboard Connection details. Next, under “SAML signature method”, select “SHA256”.

A screenshot showing where to add the Entity ID during the configuration app step in LastPass SAML Settings.

Under “Signing and encryption”, ensure that you have at least selected “Sign assertion”. Then, click on “Add SAML attribute”.

A screenshot showing how to select the "Sign assertion" checkbox option for "Signing and encryption" in LastPass SAML Settings.

Map the following four attributes as shown below, and select “Save & assign users”.

  • First Name → firstName
  • Last Name → lastName
  • Email → email
  • User ID → id

A screenshot showing how to add Attribute Mapping for a LastPass SAML app.

With identity provider role assignment, users can receive roles within your application based on their group memberships. To return this information in the attribute statement, add a new SAML attribute for the “Groups” field and input “groups” as the attribute name, as shown below. Then, select “Save & assign users”.

A screenshot showing how to add a groups attribute to a LastPass SAML app.

Finish role assignment set-up by navigating to the Connection page in the Organization section of the WorkOS Dashboard. Create connection groups referencing the group IdP ID. Then, assign roles to connection groups so users in those groups will automatically be granted roles within your application.

On the “Users, groups & roles” page, click on “Assign users, groups & roles”.

A screenshot showing how to select "Assign users, groups & roles" for your LastPass SAML app.

Search and select any users or groups that you would like to provision to this SAML app. Then, click “Assign”.

A screenshot showing how to select Users and Groups in LastPass.

Click on “Save & continue”.

A screenshot showing where to save and move to next steps in LastPass.

Back on the “SSO apps” tab of the LastPass admin console, select the SAML app that you just created.

A screenshot showing how to select the SAML App in LastPass.

On the “Configure app” modal, click on “Expand” to the right of “Set up app”.

A screenshot showing how to expand Set Up App in LastPass.

At the bottom of the “Set up app” section, click on “Download metadata (XML)”. Save the downloaded XML metadata somewhere accessible.

A screenshot showing where to download Metadata File in LastPass.

In the Connection settings in the WorkOS Dashboard, click “Edit Metadata Configuration”.

A screenshot showing where to edit Metadata Configuration in WorkOS Dashboard.

Upload the XML metadata file from LastPass into the “Metadata File” field and select “Save Metadata Configuration”.

A screenshot showing a successful upload of the Metadata File in WorkOS Dashboard.

Your Connection will then be linked and good to go!
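
A pre-flight check for the LastPass app settings from this guide (SHA256 signature method, “Sign assertion”, the four mapped attributes and the optional groups attribute), given here as an added example rather than WorkOS or LastPass code. The function names and the sample response are constructed for illustration, the accepted algorithm URIs are an assumption about what “SHA256” produces, and the check inspects structure only without validating the signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = ("email", "firstName", "id", "lastName")  # attribute names from this guide
SHA256_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"}  # assumed set

def check_response(xml_text):
    """List configuration problems in a decoded SAML response.
    Inspects structure only; it does not verify the signature itself."""
    root = ET.fromstring(xml_text)  # use only on responses from your own test login
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element (missing or encrypted)"]
    problems = []
    # "Sign assertion" puts ds:Signature directly under the Assertion,
    # not only under the enclosing Response.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm") not in SHA256_ALGS:
        problems.append("signature method is not SHA256: %s" % method.get("Algorithm"))
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    for name in REQUIRED:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append("missing or empty attribute: " + name)
    if "groups" not in attrs:
        problems.append("optional: no groups attribute (role assignment only)")
    return problems

def sample_response(algorithm, attributes):
    """Build a constructed response skeleton (no real signature) for the check."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attributes.items())
    ns_decl = "".join(f' xmlns:{p}="{u}"' for p, u in NS.items())
    return (f'<samlp:Response{ns_decl}><saml:Assertion><ds:Signature><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{algorithm}"/></ds:SignedInfo></ds:Signature>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    weak = sample_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1", {"email": "ada@example.com"})
    print("\n".join(check_response(weak)))
```

Run it against the base64-decoded SAMLResponse form field captured from a test login in your browser's developer tools.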