Product Communities
Sign In Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Getting started | Community guidelines
Announcements

For more information about the LastPass security incident please visit our blog

Tinchosaurus
New Contributor

Super Admin accounts cannot be federated?

We just enabled Okta integration with LastPass and were trying to change some users to be Federated.

I saw that for myself the option was not available (even though under the "Federated" column it says "Not Selected" and not "Not Eligible" like it shows for some users). I thought it was because I was logged in so it would make sense that I cannot make a change on myself, but then I saw that the option was also not available for other users, and the only thing these have in common (at first glance) is that they are all Super Admins.

Couldn't find this under the limitations for federated log in. So I'm wondering what's happening here.

‎01-13-2022 01:28 PM
Labels:
0 Kudos
Reply
4 REPLIES 4
wreade
New Contributor

Re: Super Admin accounts cannot be federated?

I have this same question. I have two super admins for which I can't enable federated login.

‎01-18-2022 09:32 AM
0 Kudos
Reply
J_Lim
GoTo Contributor
GoTo Contributor

Re: Super Admin accounts cannot be federated?

The reason why super admins accounts cannot be federated is to allow SuperAdmins to be able to login in the event your IDP (Okta) is down or whatever issues you might have with your federation.  

 

In a federated environment, the users' hidden master password is stored in the directory.  If all your users (incl super admins) is federated, and if your federation is broken/down, then everyone will be locked out.

 

The un-federated super admins can still login with MP and with this, you can un-federate a user back to MP. 

‎02-08-2022 11:45 PM
0 Kudos
Reply
Tinchosaurus
New Contributor

Re: Super Admin accounts cannot be federated?

Hi,

So I opened a support ticket with LastPass and they told me that actually is not that super admins cannot be federated, but that any admin that have the policy to reset a user's master passwords cannot be federated. In our case, all super admins have that policy enabled for them so if I remove one of them from the policy, then I am able to federate them.

‎02-09-2022 12:01 AM
0 Kudos
Reply
J_Lim
GoTo Contributor
GoTo Contributor

Re: Super Admin accounts cannot be federated?

Hi,

 

Yes, you have "admin" and "super admin". 

 

You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios.

 

Super admins have all of the same permissions as admins, as well as:

  • Master password reset on any user's vault
  • Access to all shared folders across the company

You can federate "admins" but not "super admins".

‎02-09-2022 12:09 AM
Reply
About Us
Terms of Service
NEW Privacy Policy
Trademark
© 2023 LogMeIn, Inc. All Rights Reserved