The technical whitepaper on the website expand how the key is generated, broken up, and stored. There is also a technical limitations doc. I would also make sure to set up MFA within okta. Alternately, you can ensure people use lastpass by setting up SSO into okta through LastPass. Flip the script More on reddit.com

Enterprise vaults still have keys. It's just that the vault passwords are behind the scenes of the SSO federation. There is a LastPass whitepaper that describes how the vault keys work for several major IdPs. It looks like Reddit blocks the actual link hosted on lastpass.com, so just use your favorite search engine and search for "LastPass technical whitepaper."

For example, for organizations using Okta, there are two key parts for each vault:

K1: A single, randomly-generated, organization-wide key used by all federated users in that org that is stored in Okta.

K2: A randomly-generated, unique-per-vault key, stored with LastPass (but LastPass claims no evidence these were stolen).

An algorithmic operation - described in the whitepaper - runs K1 and K2 through an XOR operation, then a SHA-256 operation, then base64 to derive the single master key for a given vault in the org.

Because both K1 and K2 are randomly generated and go through the algorithmic operation, it is decidedly very difficult for anyone to guess at the key or brute force it. Nothing is impossible; however, and given infinite time and resources all the keys can and would be cracked.

More on reddit.com

SSO only applies to their work account. Personal account is secured with is own password and employees retain access after termination. No. If they are in the SSO group they have to use SSO Don't follow your question Yes. Don't worry. You can't lock yourself out because they do not allow you to enable SSO on the account owner We use AAD so can't speak to Okta. Yes. More on reddit.com

You mentioned secret password, port, IP, but the error still states it can be network connection. I would say take pcaps and follow the session details, make sure the Radius server is reachable from whatever interface it’s using for the service. Review the pcaps and look for the radius messages that the server sends, or whenever sends the problematic packet. Set authd on debug and follow it while you try an authentication. More on reddit.com