Passport Configuration with Google Workspace

By Shannon Poole

Learn how to create a Secure Lightweight Directory Access Protocol (Secure LDAP) configuration in Google Workspace to be used when configuring Kandji Passport.

When logging in at the Passport Login Window, the full email address should always be used in the username field to ensure the authentication session is connected to the IdP and not local authentication. To avoid confusion with using email addresses at the FileVault Login Window, ensure that the Managed user visibility box is unchecked on the Login Window Library Item. You can read more about this in our Passport Compatibility article.

Before you Begin

Your organization's Google Workspace instance needs to support Secure LDAP (specifically, Business Starter, Business Standard, and Nonprofit do not support Secure LDAP).
You need access to your organization's super administrator account.

Create a Secure LDAP Client and Download its Certificate

Passport uses Secure LDAP to communicate with Google to confirm login credentials and to gather basic user and group information. As part of creating a new Secure LDAP client in Google Workspace, you'll download a certificate to secure communications and turn the service on.


For more information, visit Google's support page, About the Secure LDAP Service.
  1. In a web browser, use your organization's super administrator account to sign in to your organization's Google Admin console at admin.google.com.
  2. In the left sidebar, click Apps.
  3. In the Apps section, click LDAP (if LDAP does not appear, it's possible that your organization has the Business Starter or Business Standard editions of Google Workspace, which do not offer Secure LDAP service).
  4. If you don't yet have any LDAP clients configured, then click Add LDAP Client.
    If you already have one or more LDAP clients configured, then in the upper-right corner, click Add Client.
  5. In the LDAP client name field, enter a name like Kandji Passport.
  6. In the Description field, enter a description like Kandji Passport for keeping Mac passwords in sync with Google passwords.
  7. Click Continue.
  8. In the Verify user credentials section, select either Entire domain, or if you want to limit Passport to certain accounts, select Selected organization units, groups, and excluded groups.
  9. In the Read user information section, configure the same settings as you did in the previous step.
  10. Confirm that the checkbox for System Attributes is selected so that Passport can read the default user attributes.
  11. Leave the two remaining checkboxes deselected; Passport will not use custom user attributes.
  12. In the Read group information section, turn the slider to On so you can configure Passport to use a user's Google Workspace group information to dynamically convert their local Mac account between standard and administrator privileges when they log in. You can turn this option on later if you don't turn it on now.
  13. Review your configuration, then click Add LDAP Client.
  14. Click the Download certificate link.
  15. Click Continue to Client Details.
  16. In the upper-right corner, click Off or the disclosure triangle to get to the screen where you can turn on the service.
  17. In the Service status field, select On for everyone.
  18. Click Save.


If your web browser automatically uncompresses .zip files, temporarily change that setting and download the file again, or compress the automatically-uncompressed folder before you upload it to your Passport library item.
With the Google configuration complete, go to the Kandji web app to configure the Passport library item.
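
Before uploading, the downloaded bundle can be checked locally for the auto-uncompress problem described above. This is an added example, not Kandji or Google code; the function name check_ldap_bundle is hypothetical, and it assumes the .zip holds one PEM .crt file and one PEM .key file. Because that means the archive carries the client's private key, it also flags group- or world-readable permissions.

```python
import os
import stat
import sys
import zipfile


def check_ldap_bundle(path):
    """Return a list of problems with a Secure LDAP bundle; an empty list means OK."""
    if os.path.isdir(path):
        return ["bundle is a folder: the browser uncompressed it; re-compress or re-download"]
    if not zipfile.is_zipfile(path):
        return ["not a valid .zip archive"]
    problems = []
    # Assumption: the archive contains a private key, so only its owner should read it.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("archive is readable by group or others; run chmod 600 on it")
    with zipfile.ZipFile(path) as zf:
        if zf.testzip() is not None:  # CRC check of every member
            return problems + ["archive is corrupt; download it again"]
        # Ignore directory entries and the metadata folder macOS adds when compressing.
        names = [n for n in zf.namelist()
                 if not n.endswith("/") and not n.startswith("__MACOSX/")]
        certs = [n for n in names if n.lower().endswith(".crt")]
        keys = [n for n in names if n.lower().endswith(".key")]
        if len(certs) != 1 or len(keys) != 1:
            return problems + [f"expected one .crt and one .key, found {len(certs)} and {len(keys)}"]
        if b"-----BEGIN CERTIFICATE-----" not in zf.read(certs[0]):
            problems.append("certificate file is not PEM encoded")
        if b"PRIVATE KEY-----" not in zf.read(keys[0]):
            problems.append("key file is not a PEM private key")
    return problems


if __name__ == "__main__":
    found = check_ldap_bundle(sys.argv[1])
    print("\n".join(found) or "bundle looks ready to upload")
    sys.exit(1 if found else 0)
```

Run it with the path to the downloaded file as its only argument; a non-zero exit status means at least one problem was reported.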

Re-download Your Secure LDAP Certificate (optional)

After you configure the LDAP client in the previous section, you can always download the certificate that's used to secure the LDAP communication between Passport and Google. There are many other options, including renaming a certificate, generating additional certificates, and deleting a certificate.

  1. In a web browser, use your organization's super administrator account to sign in to your organization's Google Admin console at admin.google.com.
  2. In the left sidebar, click Apps.
  3. In the Apps section, click LDAP.
  4. In the list of LDAP clients, select the LDAP client you created for use with Passport.
  5. Click anywhere in the Authentication section.
  6. In the Certificates section, click the Download link (looks like a down-arrow and an underscore).

You can leave the Access credentials section blank; Passport doesn't use them in addition to the certificate.