LastPass’s Federated Login Model Keeps Hackers Out, While Employees Gain Access With Ease 

Molly Aldrich, December 01, 2021
Federated Login integrates an identity provider (IDP) into a password manager, allowing your end users to authenticate with their IDP credentials (think of your current source of truth: Microsoft Active Directory, Azure AD, Okta, OneLogin, Google Workspace, etc.). This removes the need for your employees to create an additional master password when setting up LastPass. To better understand how Federated Login can help you meet your password security goals faster by automating identity management, let’s first look at how to integrate your directory with LastPass. Then we’ll explore LastPass’s approach to Federated Login and its proprietary security infrastructure.

Integrate your Directory

To implement Federated Login, you’ll need to sync with your directory first. This important step should be done natively to eliminate the need for additional configuration and overhead later. While LastPass integrates with IDPs, it is natively an IDP in its own right. As a result, LastPass’s directory integration is more robust, because it uses a Directory connector rather than a PowerShell script/connector deployment. LastPass provides its Directory connector to synchronize user profiles from an on-premises application. For cloud IDPs, such a tool is not needed: the integration happens after simply configuring the IDP and LastPass. After setup, admins do not need to run or maintain anything. This means that once you’ve set up your directory integration and federated your users, you won’t have additional tools, technology, or scripts to manage and maintain. Simply set up and go!

By integrating your directory with LastPass, you’re taking an important first step toward simplified user access and added security, because it enables automated provisioning and deprovisioning of users. Now, let’s explore LastPass’s zero-knowledge security infrastructure for federated users.

What is LastPass’s unique approach to Federated Login?

In contrast with other approaches, LastPass’s Federated Login has a zero-knowledge infrastructure, which means that neither party (neither LastPass nor your IDP) possesses enough information to access a user’s vault. Instead, LastPass generates a master password for a federated user, divides it into multiple parts, and stores those parts in separate locations. After successful authentication with your IDP, the user’s local machine receives the parts and combines them to recreate the master password, which it then uses to decrypt the password vault. Other than the user’s local device, no single component holds all the information needed to recreate the master password, which preserves the zero-knowledge infrastructure. Moreover, each key part on its own is insufficient to unlock the password vault.

With LastPass’s zero-knowledge security infrastructure, your IT team can implement additional layers of security without adding complexity for your end users. Simplifying the enrollment process and eliminating the need for a master password gives your employees an immediate and simple way to access their critical credentials, alleviating login frustrations. With the most trusted password manager, you can rest assured that your data is kept secure. Additionally, you can now sync your directory and configure federation in the new Admin Console, and new user statuses will highlight which users are federated. With added security for your business and simplified access for your employees, LastPass’s Federated Login keeps hackers out and employees happy. Learn more about LastPass’s Federated Login here.
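One way to realise the split described above, as an added example that is not LastPass’s code: an XOR split into shares, where any proper subset of shares is uniformly random and only the full set, recombined on the user’s device, yields the master secret that is then stretched into the vault key. The XOR scheme, the PBKDF2 stretching and all names below are assumptions; the page does not specify how the parts are divided or how the vault key is derived.

```python
import hashlib
import secrets
from typing import Sequence

def split_secret(secret: bytes, parts: int) -> list[bytes]:
    """Split `secret` into `parts` XOR shares; every share is needed to recombine.

    All shares but the last are fresh random bytes; the last is chosen so that the
    XOR of all shares equals the secret. Any proper subset is uniformly random and
    so carries no information about the secret. (The XOR scheme is an assumption;
    the page only says the parts are stored in separate locations.)
    """
    if parts < 2:
        raise ValueError("a split needs at least two holders")
    shares = [secrets.token_bytes(len(secret)) for _ in range(parts - 1)]
    last = bytes(secret)
    for share in shares:
        last = bytes(x ^ y for x, y in zip(last, share))
    shares.append(last)
    return shares

def combine_shares(shares: Sequence[bytes]) -> bytes:
    """XOR all shares together; yields the secret only when every share is present."""
    if not shares:
        raise ValueError("no shares supplied")
    acc = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(acc):
            raise ValueError("share length mismatch")
        acc = bytes(x ^ y for x, y in zip(acc, share))
    return acc

def derive_vault_key(master_secret: bytes, user_id: str, iterations: int = 100_000) -> bytes:
    """Stretch the recombined secret into a vault key on the client (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_secret, user_id.encode(), iterations)

def client_unlock(idp_part: bytes, service_part: bytes, user_id: str,
                  iterations: int = 100_000) -> bytes:
    """Model of the local device: after IDP authentication it holds one part from the
    IDP side and one from the password-manager side, recombines them, and derives the
    vault key. Neither holder ever sees the other's part or the derived key."""
    return derive_vault_key(combine_shares([idp_part, service_part]), user_id, iterations)

if __name__ == "__main__":
    master = secrets.token_bytes(32)              # constructed: generated at enrolment
    idp_part, service_part = split_secret(master, 2)
    assert combine_shares([idp_part]) != master   # a single holder cannot recover it
    print("vault key:", client_unlock(idp_part, service_part, "alice@example.com").hex())
```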