We just enabled Okta integration with LastPass and were trying to change some users to be Federated.
I saw that for myself the option was not available (even though under the "Federated" column it says "Not Selected" and not "Not Eligible" like it shows for some users). I thought it was because I was logged in, so it would make sense that I cannot make a change on myself, but then I saw that the option was also not available for other users, and the only thing these users have in common (at first glance) is that they are all Super Admins.
Couldn't find this under the limitations for federated login. So I'm wondering what's happening here.
The reason super admin accounts cannot be federated is to allow super admins to log in in the event your IdP (Okta) is down or you have whatever other issues with your federation.
In a federated environment, the users' hidden master password is stored in the directory. If all your users (incl. super admins) are federated, and your federation is broken/down, then everyone will be locked out.
The un-federated super admins can still log in with their MP, and with this you can un-federate a user back to MP.
So I opened a support ticket with LastPass and they told me that it is actually not that super admins cannot be federated, but that any admin who has the policy to reset users' master passwords cannot be federated. In our case, all super admins have that policy enabled for them, so if I remove one of them from the policy, then I am able to federate them.
Yes, you have "admin" and "super admin".
You’ll likely only have one or two super admins who have the most privileged access to LastPass, particularly for emergency scenarios.
Super admins have all of the same permissions as admins, as well as:
You can federate "admins" but not "super admins".