LastPass - NetID Logout Procedure

Users who leverage NetID to log in to LastPass need to take extra steps to fully log out, because NetID is a Single Sign-on (SSO) implementation. Logging out of LastPass doesn't terminate the SSO session because Single Logout is not possible with the UW NetID Login Service.

Single Sign-on

Single sign-on is an authentication scheme that allows a user to log in with a single ID (NetID at UW-Madison) to any of several related, yet independent, software systems. Single sign-on allows the user to log in once and access services without re-entering authentication factors. LastPass is currently configured to leverage NetID for SSO authentication, like many other services at UW-Madison. Once a user has logged into LastPass with NetID, the user's browser maintains an SSO session, allowing them to log into other applications using the same browser without having to re-enter their NetID credentials. Similarly, once a user has logged into another service with NetID, they could log in to LastPass without being prompted for their NetID credentials. Users who want to ensure they are fully logged out of LastPass need to take extra steps to end their SSO session because NetID doesn't use Single Logout.

No Single Logout

Single Logout in the context of the UW NetID Login Service would be the action of clicking a Logout link or button that would cause the user to be logged out of all NetID Login-protected applications at once. Currently, Single Logout is not possible in the UW NetID Login Service. There are many reasons for this, and if you're interested in details, this document provides a good overview.

The only complete NetID logout is closing the browser and clearing all session cookies, which is the end user's responsibility. End users can review instructions on clearing cookies and making sure their browser is safely configured here: NetID Login Service - Logout Procedure.

Security Considerations

Users who frequently use shared workstations, kiosks, or other devices that can be accessed by multiple users may want to consider using a Master Password for LastPass. (We prefer "primary" to "master," but LastPass uses "master." Therefore we've done so as well to avoid confusion.) A Master Password can be used in place of NetID login to LastPass and is not a Single Sign-on mechanism. Users who have a Master Password will always be prompted to re-enter it after they log out and will not need to clear cookies or close their browser to ensure they're fully logged out. There are other considerations to weigh when determining your preferred authentication method for LastPass, and the following documents can help:

Changing LastPass Authentication

We recommend users leverage NetID for LastPass authentication; however, each user is able to make their own decision about which method (NetID, Master Password) is best for them. If you'd like to change your authentication method, please email the DoIT Help Desk with your request. For current Master Password users, additional details on converting to leverage NetID can be found here: LastPass - Converting to NetID Login



Keywords: LastPass, NetID, Single sign-on, Single Logout, authentication, login, logout, SSO
Doc ID: 123832
Owner: Peter V.
Group: Cybersecurity
Created: 2023-02-03 09:31:36
Updated: 2023-02-03 10:39:21
Sites: Cybersecurity Operations Center, DoIT Help Desk, Office of Cybersecurity