Passport Configuration with Google Workspace

By Shannon Poole

Learn how to create a Secure LDAP configuration in Google Workspace to be used when configuring Kandji Passport.

Before you Begin

  • Your organization's Google Workspace instance needs to support Secure Lightweight Directory Access Protocol (LDAP). Business Starter, Business Standard, and Nonprofit licenses do not support Secure LDAP.
  • You need access to your organization's super administrator account.
  • If your web browser automatically uncompresses .zip files, temporarily change that setting and download the file again, or compress the uncompressed folder before you upload it to your Passport library item.

Create a Secure LDAP Client and Download the Certificate

Passport uses Secure LDAP to communicate with Google to confirm login credentials and to gather basic user and group information. As part of creating a new Secure LDAP client in Google Workspace, you'll download a certificate to secure communications and turn the service on.

  1. In a web browser, use your organization's super administrator account to sign in to your organization's Google Admin console at admin.google.com.
  2. In the left sidebar, click Apps.
  3. In the Apps section, click LDAP (if LDAP does not appear, it's possible that your organization has the Business Starter or Business Standard edition of Google Workspace, which do not offer the Secure LDAP service).
  4. If you don't yet have any LDAP clients configured, then click Add LDAP Client.
    If you already have one or more LDAP clients configured, then in the upper-right corner, click Add Client.
  5. In the LDAP client name field, enter a name like Kandji Passport.
  6. In the Description field, enter a description like Kandji Passport for keeping Mac passwords in sync with Google passwords.
  7. Click Continue.
  8. In the Verify user credentials section, select either Entire domain, or if you want to limit Passport to certain accounts, select Selected organization units, groups, and excluded groups.
  9. In the Read user information section, configure the same settings as you did in the previous step.
  10. Confirm that the checkbox for System Attributes is selected so that Passport can read the default user attributes.
  11. Leave the two remaining checkboxes deselected; Passport will not use custom user attributes.
  12. In the Read group information section, turn the slider to On so you can configure Passport to use a user's Google Workspace group information to dynamically convert their local Mac account between standard and administrator privileges when they log in. You can turn this option on later if you don't turn it on now.
  13. Review your configuration, then click Add LDAP Client.
  14. Click the Download certificate link.
  15. Click Continue to Client Details.
  16. In the upper-right corner, click Off or the disclosure triangle to get to the screen where you can turn on the service.
  17. In the Service status field, select On for everyone.
  18. Click Save.
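
A pre-upload check for the downloaded certificate file, added here as an example (it is not Kandji's or Google's code). It catches the auto-uncompressed download described under Before you Begin and flags an archive that other local accounts can read. The function name check_ldap_bundle and the expectation that the archive holds one .crt and one .key file are assumptions of this example.

```python
import stat
import zipfile
from pathlib import Path


def check_ldap_bundle(path):
    """Return a list of problems with a downloaded Secure LDAP certificate bundle."""
    bundle = Path(path)
    if bundle.is_dir():
        # Failure mode from "Before you Begin": the browser unpacked the download.
        return ["folder, not a .zip: re-download or compress the folder before upload"]
    if not bundle.is_file():
        return ["file not found"]
    if not zipfile.is_zipfile(bundle):
        return ["not a valid .zip archive"]

    problems = []
    with zipfile.ZipFile(bundle) as zf:
        if zf.testzip() is not None:
            problems.append("archive is corrupt (CRC mismatch)")
        # Skip directory entries and the __MACOSX/ metadata that macOS adds
        # when a folder is re-compressed in Finder.
        names = [n for n in zf.namelist()
                 if not n.endswith("/") and not n.startswith("__MACOSX/")]

    # Assumption: the bundle holds exactly one certificate (.crt) and its
    # private key (.key); the page does not list the archive contents.
    suffixes = [Path(n).suffix.lower() for n in names]
    for ext in (".crt", ".key"):
        if suffixes.count(ext) != 1:
            problems.append(f"expected exactly one {ext} file, found {suffixes.count(ext)}")

    # The archive carries a private key, so other local accounts should not
    # be able to read it while it sits in the downloads folder.
    if bundle.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group/other: chmod 600 until uploaded, then delete")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_ldap_bundle.py <downloaded-file>")
    issues = check_ldap_bundle(sys.argv[1])
    print("\n".join(issues) if issues else "bundle looks ready to upload")
    sys.exit(1 if issues else 0)
```

An empty result means the file is still a .zip with the expected contents; any listed problem should be resolved before uploading the file to the Passport library item.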

With the Google configuration complete, go to the Kandji web app to configure the Passport library item.

Re-download Your Secure LDAP Certificate (optional)

After you configure the LDAP client in the previous section, you can always download the certificate that's used to secure the LDAP communication between Passport and Google. There are many other options, including renaming a certificate, generating additional certificates, and deleting a certificate.

  1. In a web browser, use your organization's super administrator account to sign in to your organization's Google Admin console at admin.google.com.
  2. In the left sidebar, click Apps.
  3. In the Apps section, click LDAP.
  4. In the list of LDAP clients, select the LDAP client you created for use with Passport.
  5. Click anywhere in the Authentication section.
  6. In the Certificates section, click the Download button.
  • You can leave the Access credentials section blank; Passport doesn't use them in addition to the certificate.