Passport Configuration with Google Workspace

By Shannon Poole

Learn how to create a Secure LDAP configuration in Google Workspace to be used when configuring Kandji Passport

Before you Begin

  • Your organization's Google Workspace instance needs to support Secure Lightweight Directory Access Protocol (LDAP). Business Starter, Business Standard, and Nonprofit licenses do not support Secure LDAP.
  • You need access to your organization's super administrator account.
  • If your web browser automatically uncompresses .zip files, temporarily change that setting and download the file again, or compress the uncompressed folder before you upload it to your Passport library item.

Create a Secure LDAP Client and Download the Certificate

Passport uses Secure LDAP to communicate with Google to confirm login credentials and gather basic user and group information. When you create a new Secure LDAP client in Google Workspace, you'll download a certificate to secure communications and turn the service on.

  1. In a web browser, use your organization's super administrator account to sign in to your organization's Google Admin console at
  2. In the left sidebar, click Apps.
  3. In the Apps section, click LDAP (if LDAP does not appear, it's possible that your organization has the Business Starter or Business Standard editions of Google Workspace, which does not offer Secure LDAP service).
  4. If you don't yet have any LDAP clients configured, then click Add LDAP Client.
    If you already have one or LDAP clients configured, then in the upper-right corner, click Add Client.
  5. In the LDAP client name field, enter a name like Kandji Passport.
  6. In the Description field, enter a description like Kandji Passport for keeping Mac passwords in sync with Google passwords.
  7. Click Continue.
  8. In the Verify user credentials section, select either Entire domain, or if you want to limit Passport to certain accounts, select Selected organization units, groups, and excluded groups.
  9. In the Read user information section, configure the same settings as you did in the previous step.
  10. Confirm that the checkbox for System Attributes is selected so that Passport can read the default user attributes.
  11. Leave the two remaining checkboxes deselected; Passport will not use custom user attributes.
  12. In the Read group information section, turn the slider to On so you can configure Passport to use a user's Google Workspace group information to dynamically convert their local Mac account between standard and administrator privileges when they log in. You can turn this option on later if you don't turn it on now.
  13. Review your configuration, then click Add LDAP Client.
  14. Click the Download certificate link.
  15. Click Continue to Client Details.
  16. In the upper-right corner, click Off or the disclosure triangle to get to the screen where you can turn on the service.
  17. In the Service status field, select On for everyone.
  18. Click Save.

Re-download Your Secure LDAP Certificate (optional)

After you configure the LDAP client in the previous section, you can always download the certificate that's used to secure the LDAP communication between Passport and Google. There are many other options, including renaming a certificate, generating additional certificates, and deleting a certificate.

  1. In a web browser, use your organization's super administrator account to sign in to your organization's Google Admin console at
  2. In the left sidebar, click Apps.
  3. In the Apps section, click LDAP.
  4. In the list of LDAP clients, select the LDAP client you created for use with Passport.
  5. Click anywhere in the Authentication section.
  6. In the Certificates section, click the Download button.
  • You can leave the Access credentials section blank; Passport doesn't use them in addition to the certificate.

User account provisioning via Passport

If you use Specify per identity provider group option in the Passport Library Item, use the Google group email in the Identity provider group field.
  1. In Google Admin, navigate to the group you want to use.
  2. Copy the group email.
  3. In the Kandji Passport Library Item, in the User Provisioning section, paste the value from the previous section into the Identity provider group field.
  4. Repeat the previous steps for each additional Google group email you want to use.
  5. In the Passport Library Item, click Save.

Library Item Configuration

Provide the certificate that you downloaded from Google Workspace.

  1. In the Settings section, in the Authentication configuration section, click Identity provider and select Google Workspace.
  2. In the Upload certificate from Google Workspace field, click the link to upload the certificate you downloaded from Google.
  3. In the Choose Files to Upload window, navigate to the folder that contains your compressed certificate file and select the compressed certificate file.
  4. Click Upload.
  5. If you see the Validating file message, wait a few moments for the validation to complete.
  6. Confirm that the compressed certificate file is displayed.