Manage enterprise connections
Auth and access
If you use LastPass to centralize authentication and authorization in your business, you can integrate Kinde as a service provider for these processes. This gives you the benefits of Kinde’s robust auth capabilities, while keeping the familiar LastPass structure.
Here’s what you need to do before you add the connection:
Depending on your SAML setup, you may need to include advanced configurations for your connection. See Advanced SAML configurations.
You can make a connection available only to a specific organization, or you can create it so it can be used across any organization in your business.
Enter a name for the connection. It should match the connection name in LastPass.
Enter a random string value for Entity ID, e.g. 870sa9fbasfasdas23aghkhc12zasfnasd.
Enter the IdP metadata URL. This URL comes from your identity provider.
Enter a sign in URL if your IdP requires a specific URL.
If you want, select the Sign request algorithm and Protocol binding. The options you choose will depend on what your identity provider prefers or requires.
Select Email as the Name ID format. This helps identify and link user identities between your IdP and Kinde.
Enter emailAddress as the Email key attribute. This is the attribute in the SAML token that contains the user’s email. Setting this value ensures that the email address returned in the SAML response is correctly retrieved.
(Optional) Add a first name and last name key attribute. This is not necessary for LastPass.
Enter any relevant Home realm domains. This is how SAML recognizes a user’s credentials and routes them to the correct sign in page. Note that home realm domains need to be unique across all connections in an environment. Read more about home realm domains.
If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the Always show sign-in button option.
Copy the relevant reply URL:
If you want to enable just-in-time (JIT) provisioning for users, select the Create a user record in Kinde option. This saves time adding users manually or via API later.
(Temporary feature) Select if you want to treat this connection as a trusted provider. A trusted provider is one that guarantees the email they issue is verified.
(Optional) In the Sign SAML request section, paste in the Signed certificate and Private key. You may have got these from your IdP, or you may have generated them yourself (see procedure above).
Enter any upstream params that you want to pass to the identity provider. Not all providers support this, so check their documentation first.
Select Save.
View the LastPass docs for the full procedure.
Sign in to your LastPass business account.
In the menu, select Admin Console.
Go to Applications, then select SSO apps.
Select Search the catalogue. A side panel slides out.
Follow the prompt to initialize SAML keys. This will take up to 15 minutes to process.
Refresh the page and select Search the catalogue again. The side panel slides out showing a list.
Scroll and select Custom service.
Select Add a new domain if prompted. The configuration panel opens.
Enter a Name and select which groups will be able to sign in using this SSO connection.
At the top of the Configuration section select Export SAML IdP Metadata.
Select Copy or download, then select OK.
In the Service Provider entity ID field, enter the random ID you generated for the Entity ID in Kinde.
In the Assertion consumer service field, enter the ACS URL (or the ACS URL for your custom domain) from Kinde.
Make sure the Name ID format is emailAddress and the Name ID is 'Email address'.
Enter any custom attributes required.
Select View key under the Key field.
Copy the key. You will need this to finish setting up the Kinde connection.
Make sure the Service is enabled option is selected.
Select Save.
Test the connection works by trying to sign in to your test environment using this method. Re-test when you deploy the option to users.