Part 1 – Configuration on LastPass Dashboard
  • Open the LastPass Admin Dashboard. Select “Applications” from the left side menu and then select “Web App” from the submenu.

LastPass Web Applications


  • Click on the “+ Add SSO App” button in the upper right corner.

Add SSO application


  • A pop-up window will appear. Under the “Select your app” section, click on “Search…” and type AWS to search the LastPass Catalog. Select AWS from the drop-down menu.

SSO App Catalog


  • Under the “Identity Provider” section, you will find the required information such as “Entity ID”, “SSO End Point”, and “Logout URL”. You can also download the LastPass Metadata XML or Certificate file to your computer by clicking on the download arrow button next to “Metadata” or “Certificate”.

SSO Identity Provider


Part 2 – Configuration on AWS
  • Click on “Services”. Under the “Security and Identity” section of the console, click on “Identity & Access Management”.



  • Click on “Identity Providers” on the left side menu, then click on “Create Provider”.



  • Choose “SAML” from the drop-down menu and click on “Next Step”.


  • Enter “LastPass” as the Provider Name, then click on “Choose File” to upload the Metadata file that you downloaded in Part 1. Once uploaded, click on the “Next Step” button.

AWS IdP Provider


  • Click on the “Create” button in the bottom right corner of the page.


  • At this point, the SAML provider has been created. All that remains is to create a role.
  • From the left side menu, click on “Roles”. If you have already created roles, select one. If you don’t have any roles, click on “Create Role” to create one.



  • Select “SAML 2.0 federation”.



  • Select “LastPass” as the SAML provider and check “Allow programmatic and AWS Management Console access”. Then click on “Next Permission”.

AWS Role Setting


  • Select one or more policies (we selected administrator access in this tutorial) and click on the “Next: Tags” button.

AWS role permission


  • First, select a “Role name” and click on “Next Step”.


  • Click on the name of the role you created. In the Summary section, click on the “Trusted relationship” tab and copy the “Role ARN” and “Trusted Entities” values.

AWS Role Summary


Part 3 – Finalizing SSO Configuration
  • Go back to the browser tab where you have the LastPass Admin Dashboard open.
  • Expand the Service Provider section, paste the following URL into the ACS URL text box:

SSO app Service Provider


  • Expand the Custom Attributes section and paste the following information:

Attribute 1: Constant Value
SAML Attribute name:
Constant value: “Role ARN” copied from the AWS dashboard + “,” + “Trusted Entity” copied from the AWS dashboard.
Example: arn:aws:iam::**************role/admin,arn:aws:iam::**************saml-provider/identity.lastPass

AWS custom attributes


  • Click on “Save”.

AWS is now configured! At this point, you can assign users, groups or organizational units to AWS. Please see the Assign Users page for instructions.
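
Before assigning users, the constant value from Part 3 can be checked against the role's trust policy JSON (shown on the role's trust relationship tab). The following Python check is an added example, not part of the original tutorial or of LastPass or AWS tooling; the account ID, role name, provider name and sample policy are constructed, and the function and variable names are hypothetical.

```python
import re

# Constructed sample values (assumptions for this example, not from the page).
CONSOLE_AUD = "https://signin.aws.amazon.com/saml"
SAMPLE_VALUE = ("arn:aws:iam::111122223333:role/admin,"
                "arn:aws:iam::111122223333:saml-provider/LastPass")
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/LastPass"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": CONSOLE_AUD}}}]}

# Role names may contain commas; provider names may not, so split on the last comma.
ROLE_RE = re.compile(r"arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+", re.ASCII)
PROVIDER_RE = re.compile(r"arn:aws:iam::(\d{12}):saml-provider/[\w.-]+", re.ASCII)

def as_list(x):
    """IAM policy fields may be a single string or a list of strings."""
    return [x] if isinstance(x, str) else list(x or [])

def check_role_attribute(value, trust_policy):
    """Return a list of problems; an empty list means value and policy agree."""
    problems = []
    if re.search(r"\s", value):
        problems.append("value contains whitespace")
    # Order as the tutorial gives it: role ARN first, provider ARN second.
    role_arn, _, provider_arn = value.rpartition(",")
    role_m, prov_m = ROLE_RE.fullmatch(role_arn), PROVIDER_RE.fullmatch(provider_arn)
    if not role_m:
        problems.append("first element is not an IAM role ARN")
    if not prov_m:
        problems.append("second element is not a SAML provider ARN")
    if role_m and prov_m and role_m.group(1) != prov_m.group(1):
        problems.append("role and provider are in different accounts")
    stmts = trust_policy.get("Statement", [])
    trusted = False
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        principal = stmt.get("Principal")
        federated = as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and provider_arn in federated
                and "sts:AssumeRoleWithSAML" in as_list(stmt.get("Action"))):
            trusted = True
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("SAML:aud") != CONSOLE_AUD:
                problems.append("trust statement does not pin SAML:aud to the console endpoint")
    if not trusted:
        problems.append("role trust policy does not trust this provider")
    return problems

if __name__ == "__main__":
    print(check_role_attribute(SAMPLE_VALUE, SAMPLE_TRUST) or "OK")
```

An empty result means the pasted value names a role and a provider in the same account and that the role's trust policy allows `sts:AssumeRoleWithSAML` only from that provider for console sign-in.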