Part 1 – Configuration on LastPass Dashboard
- Open the LastPass Admin Dashboard. Select “Applications” from the left side menu and then select “Web App” from the submenu.
- Click on “+ Add SSO App” button from the upper right corner.
- A pop-up window will appear. Under the section: “Select your app”, click on “Search…” and type AWS to search the LastPass Catalog. Select AWS from the drop-down menu.
- Under the section “Identity Provider”, you will find the values AWS needs from LastPass: “Entity ID”, “SSO End Point”, and “Logout URL”. Download the LastPass metadata XML (or the signing certificate on its own) to your computer by clicking the download arrow next to “Metadata” or “Certificate”. The metadata file contains the certificate AWS will use to verify the signature on LastPass assertions, so keep it handy for Part 2.
Part 2 – Configuration on AWS
- Log in to the AWS Management Console as an administrator and open the IAM console.
- Click on “Identity Providers” on the left side menu, then click on “Create Provider”.
- Choose “SAML” from the drop-down menu and click on “Next Step“.
- Enter “LastPass” as the Provider Name, then click “Choose File” and upload the metadata XML you downloaded in Part 1. Once uploaded, click the “Next Step” button.
- Click on the “Create” button, on the bottom right corner of the page.
- The SAML identity provider now exists in IAM. Next, create a role that LastPass-authenticated users will be allowed to assume.
- From the left side menu, click on “Roles”. If you have already created roles, select one. If you don’t have any roles, click on “Create Role” to create one.
- Select “SAML 2.0 federation“.
- Select “LastPass” as the SAML provider and check “Allow programmatic and AWS Management Console access”. Then click “Next: Permissions”.
- Select one or more policies and click the “Next: Tags” button. (This tutorial uses AdministratorAccess for simplicity; in a real deployment grant only the permissions the federated users need, and create separate roles for separate levels of access.)
- Enter a “Role name” and click “Create role”.
- Click the name of the role you just created. Copy the “Role ARN” from the Summary section, then open the “Trust relationships” tab and copy the “Trusted entities” value (the ARN of the LastPass SAML provider). You will need both in Part 3.
Part 3 – Finalizing SSO Configuration
- Go back to the browser tab where you have the LastPass Admin Dashboard open.
- Expand the Service Provider section and paste the AWS SAML sign-in endpoint, https://signin.aws.amazon.com/saml, into the ACS URL text box. This is the Assertion Consumer Service that receives the signed assertion from LastPass.
- Expand the Custom Attributes section and add the following attribute:
Attribute 1: Constant Value
SAML Attribute name: https://aws.amazon.com/SAML/Attributes/Role
Constant value: the “Role ARN” copied from the AWS console, followed by a comma, followed by the “Trusted entities” ARN copied from the AWS console, with no spaces (for example arn:aws:iam::ACCOUNT-ID:role/ROLE-NAME,arn:aws:iam::ACCOUNT-ID:saml-provider/LastPass). AWS additionally requires a https://aws.amazon.com/SAML/Attributes/RoleSessionName attribute in the assertion (for example the user’s e-mail address); if sign-in fails with an invalid-assertion error, confirm that the LastPass AWS catalog entry is sending it.
- Click on “Save”.
AWS is now configured! At this point, you can assign users, groups or organizational units to AWS. Please see the Assign Users page for instructions.
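Before assigning users it is worth checking the two values this procedure hinges on: the constant Role attribute built in Part 3, and the attributes that actually arrive at AWS in the SAML assertion (which you can capture from the browser with a SAML tracer extension). The script below is an added example, not LastPass or AWS code. `build_role_attribute` validates the two ARNs and assembles the constant value; `trust_policy` shows the role trust policy the "SAML 2.0 federation" wizard in Part 2 creates, including the SAML:aud condition that ties the role to the ACS URL; `extract_aws_attributes` pulls the Role and RoleSessionName attributes out of an assertion and rejects one AWS would reject. The account ID, role name, issuer and the sample assertion are constructed placeholders.

```python
import json
import re
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SAML_ACS = "https://signin.aws.amazon.com/saml"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# arn:<partition>:iam::<12-digit account>:<resource type>/<name, optionally with a path>
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-us-gov|aws-cn):iam::(?P<account>\d{12}):"
    r"(?P<rtype>role|saml-provider)/(?P<name>[\w+=,.@/-]+)$"
)


def _parse_arn(arn: str, expected_type: str) -> dict:
    """Parse an IAM ARN and insist it is of the expected resource type."""
    m = _ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not a valid IAM ARN: {arn!r}")
    if m["rtype"] != expected_type:
        raise ValueError(f"expected an IAM {expected_type} ARN, got {arn!r}")
    return m.groupdict()


def build_role_attribute(role_arn: str, provider_arn: str) -> str:
    """Return the constant value for the Role attribute: '<role ARN>,<provider ARN>'."""
    role = _parse_arn(role_arn, "role")
    provider = _parse_arn(provider_arn, "saml-provider")
    if role["account"] != provider["account"]:
        raise ValueError("role and SAML provider must be in the same AWS account")
    # Exactly one comma, no whitespace: AWS splits the value on the comma.
    return f"{role_arn.strip()},{provider_arn.strip()}"


def trust_policy(provider_arn: str) -> dict:
    """Trust policy the IAM wizard attaches to the role for console + programmatic access."""
    _parse_arn(provider_arn, "saml-provider")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            # Only assertions addressed to the AWS ACS URL may assume the role.
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_ACS}},
        }],
    }


def extract_aws_attributes(assertion_xml: str) -> dict:
    """Pull the AWS-relevant attributes out of a SAML 2.0 assertion and validate them."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    roles = attrs.get(ROLE_ATTR, [])
    session = attrs.get(SESSION_ATTR, [])
    if not roles:
        raise ValueError("assertion carries no Role attribute; AWS will reject it")
    if len(session) != 1:
        raise ValueError("assertion must carry exactly one RoleSessionName")
    # Re-validate every role/provider pair exactly as the constant value was built.
    for pair in roles:
        role_arn, _, provider_arn = pair.partition(",")
        build_role_attribute(role_arn, provider_arn)
    return {"roles": roles, "session_name": session[0]}


# Constructed sample assertion (signature omitted); the issuer is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/placeholder</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/LastPassAdmin,arn:aws:iam::123456789012:saml-provider/LastPass</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    provider = "arn:aws:iam::123456789012:saml-provider/LastPass"
    print(build_role_attribute("arn:aws:iam::123456789012:role/LastPassAdmin", provider))
    print(json.dumps(trust_policy(provider), indent=2))
    print(extract_aws_attributes(SAMPLE_ASSERTION))
```

Run it as-is to see the sample pass, then replace `SAMPLE_ASSERTION` with a decoded assertion captured from your own browser session. The cross-account check in `build_role_attribute` catches the most common copy-and-paste mistake (pairing a role from one account with a provider from another), and the missing-RoleSessionName check explains the otherwise opaque sign-in failure AWS returns when that attribute is absent.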