This guide applies to Mac computers

About Passport with Google Workspace

Passport with Google Workspace enables users to log into Mac computers using their Google Workspace credentials. This integration provides seamless authentication using your organization’s Google identity system.

How It Works

Passport integrates with your Google Workspace instance using Secure LDAP to authenticate users at the macOS login screen. When users enter their Google Workspace credentials, Passport verifies them against your Google directory and creates or updates the local Mac user account.

Prerequisites

  • Your organization’s Google Workspace instance needs to support Secure Lightweight Directory Access Protocol (LDAP). Google has a list of supported licenses for the LDAP service here.
  • Every Google Workspace user who will sign in with Passport must have a Cloud Identity Premium license assigned in Google Workspace.
  • You need access to your organization’s super administrator account.
  • If your web browser automatically uncompresses .zip files, temporarily change that setting and download the file again, or compress the uncompressed folder before you upload it to your Passport Library Item.

Create a Secure LDAP Client and Download the Certificate

Passport uses Secure LDAP to communicate with Google to confirm login credentials and gather basic user and group information. When you create a new Secure LDAP client in Google Workspace, you’ll download a certificate to secure communications and turn the service on.
1

Sign in to Google Admin console

In a web browser, use your organization’s super administrator account to sign in to your organization’s Google Admin console at admin.google.com.
2

Access Apps section

In the left sidebar, click Apps.
3

Access LDAP

In the Apps section, click LDAP.
If LDAP does not appear, your edition may not include Secure LDAP. Business Starter and Business Standard do not offer the Secure LDAP service.
4

Add LDAP client when others already exist

If your organization already has one or more Secure LDAP clients, they appear in the list on the LDAP page you opened in the previous step. In the upper-right corner, select ADD CLIENT to create another client for Passport.
Google Workspace LDAP apps page with existing LDAP clients and ADD CLIENT button in the header
5

Add LDAP client when none exist yet

If your organization does not have any Secure LDAP clients yet, the LDAP apps page shows ADD LDAP CLIENT. Select ADD LDAP CLIENT to start creating the client for Passport.
Google Workspace LDAP apps page with no LDAP clients and ADD LDAP CLIENT button
6

Enter LDAP client name

In the LDAP client name field, enter a name like Iru Passport.
7

Enter description

In the Description field, enter a description like Passport: keep Mac login passwords in sync with Google Workspace.
8

Continue configuration

Select CONTINUE.
Google Workspace Add LDAP client form showing LDAP client name, Description, CANCEL, and CONTINUE
9

Configure user credentials verification

In the Verify user credentials section, select either Entire domain (your domain appears in parentheses), or if you want to limit Passport to certain accounts, select Selected organizational units, groups and excluded groups.
Google Workspace Add LDAP client Step 2 Access permissions with Verify user credentials and Entire domain option
10

Configure user information reading

In the Read user information section, configure the same settings as you did in Verify user credentials (for example Entire domain or Selected organizational units when those options appear).
11

Enable System Attributes

Confirm that the checkbox for System Attributes is selected so that Passport can read the default user attributes.
12

Leave custom attributes deselected

Leave Public Custom Attributes and Private Custom Attributes deselected; Passport will not use custom user attributes.
Google Workspace Add LDAP client Read user information with System Attributes checked and Public and Private Custom Attributes unchecked
13

Configure group information reading

In the Read group information section, set the switch to On so you can configure Passport to use a user’s Google Workspace group information to dynamically convert their local Mac account between standard and administrator privileges when they log in. You can turn this option on later if you don’t turn it on now.
14

Review and create LDAP client

Review your configuration, then select ADD LDAP CLIENT.
Google Workspace Add LDAP client Read group information On with BACK and ADD LDAP CLIENT buttons
15

Download certificate

Select Download certificate.
16

Continue to Client Details

Select CONTINUE TO CLIENT DETAILS.
Google Workspace Add LDAP client success with Download certificate and CONTINUE TO CLIENT DETAILS
17

Access service settings

In the Service status section, select OFF or the disclosure control (chevron) to open the flow where you can turn the LDAP service on.
Google Workspace Settings for LDAP client with Service status OFF and Authentication section
18

Enable service for everyone

On the Service status page, select ON for everyone.
19

Save configuration

Select SAVE.
Google Workspace Service status with ON for everyone selected and SAVE and CANCEL

Re-download Your Secure LDAP Certificate (optional)

After you configure the LDAP client in the previous section, you can always download the certificate that’s used to secure the LDAP communication between Passport and Google. There are many other options, including renaming a certificate, generating additional certificates, and deleting a certificate.
1

Sign in to Google Admin console

In a web browser, use your organization’s super administrator account to sign in to your organization’s Google Admin console at admin.google.com.
2

Access Apps section

In the left sidebar, click Apps.
3

Access LDAP

In the Apps section, click LDAP.
4

Select LDAP client

In the list of LDAP clients, select the LDAP client you created for use with Passport.
Google Workspace LDAP apps list with Passport LDAP client selected
5

Access Authentication section

Open the Authentication section for the client.
Google Workspace Settings for LDAP client with Authentication section and certificates summary
6

Download certificate

In Certificates, select the download icon for the certificate row. The control’s tooltip reads Download certificate.
Google Workspace Authentication Certificates with download icon and GENERATE NEW CERTIFICATE

Collect group email prefixes for user provisioning

If you want Passport to set each user’s Mac account type from Google group membership, collect the Group email prefix for each group you plan to map. You will use those values under User provisioning on the Passport Library Item Iru Endpoint tab.
1

Open a group in Google Admin

In Google Admin, open a group you want to use for Passport user provisioning.
2

Copy the group email prefix

From Group email, copy everything before the @ symbol. Passport expects that prefix in the Library Item, not the group’s display name.
3

Paste the prefix into a document

Paste the prefix into a secure text document or internal runbook. If you use several groups, note which prefix belongs to which group.
4

Repeat for each group

Repeat the previous steps for every Google group you plan to reference in Passport.
When the Secure LDAP client and certificate are ready, open the Iru Endpoint tab to upload the certificate and complete the Library Item steps there.

After initial setup

Certificate expiration and renewal

Google Workspace Secure LDAP certificates expire. Generate, download, and upload a replacement before the current certificate expires so Passport can keep authenticating users without interruption.
1

Open your Passport LDAP client in Google Admin

Sign in to the Google Admin console, open Apps > LDAP, then select the LDAP client you use for Passport.
Google Workspace LDAP apps list with Passport LDAP client selected
2

Review certificate expiration

Open the Authentication section for that client.
Google Workspace Authentication with certificate table and expiration date
3

Note expiration dates for renewal planning

Note the Expiration date in the certificate table (and Earliest Certificate Expires in on the Apps > LDAP client list if you use that column) so you can plan renewal ahead of time.
4

Generate a new certificate

In Certificates, select GENERATE NEW CERTIFICATE. Do not wait until the current certificate has already expired if you can avoid it.
Google Workspace Authentication Certificates with GENERATE NEW CERTIFICATE
5

Download the new certificate

Download the new certificate bundle using the same download icon as in Re-download Your Secure LDAP Certificate (tooltip Download certificate).
Google Workspace Authentication Certificates with Download certificate tooltip on download icon
6

Replace the certificate in the Passport Library Item

In Iru Endpoint, open the Iru Endpoint tab and use Certificate expiration and renewal to remove the old compressed certificate, upload the new bundle, and save.
7

Remove the previous certificate in Google Admin

Return to the Authentication section for your Passport LDAP client in Google Admin. For the previous certificate row, open the row More menu (vertical ellipsis) and select DELETE CERTIFICATE.
Google Workspace Authentication Certificates row menu open with DELETE CERTIFICATE
In the Delete certificate dialog, read the warning, then select DELETE to confirm (or CANCEL to go back).
Google Workspace Delete certificate dialog with CANCEL and DELETE
For the next steps in this workflow, open the Iru Endpoint tab and follow Certificate expiration and renewal.

Troubleshooting

If a user enters the correct Google Workspace email address and password but still cannot sign in with Passport, verify that they meet the Cloud Identity Premium license requirement for Passport. In Google Admin, open Users, select the user, then open Licenses. Confirm that Cloud Identity Premium is assigned to that user and enabled. If it is missing, assign the license, then have the user try again.
Passport cannot authenticate users if the Secure LDAP certificate in Google Workspace has expired or is rejected. On the Google Workspace tab, Certificate expiration and renewal walks through generating and downloading a new certificate in Google Admin and removing the old certificate there. On the Iru Endpoint tab, Certificate expiration and renewal covers updating the Passport Library Item. Plan renewal before the expiration date so users do not lose sign-in access.
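
The renewal planning in Certificate expiration and renewal and the expired-or-rejected case above can both be checked from a terminal before a bundle is uploaded. This is an added example, not Iru or Google code; it assumes openssl is installed and that you have extracted a copy of the downloaded bundle into a PEM certificate and private key (file names and the 30-day default are placeholders).

```shell
#!/bin/sh
# Added example (not vendor code). Paths and the 30-day default are assumptions.
# The .key file is a credential: work on a copy in a directory only you can read.

# cert_expires_within CERT DAYS
#   0 = expires within DAYS days or already expired (renew now)
#   1 = valid beyond the window
#   2 = file is not a readable X.509 certificate
cert_expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_key_match CERT KEY
#   0 = the private key belongs to the certificate
#   1 = mismatch (mixed-up bundles), 2 = a file could not be parsed
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_ldap_cert.sh client.crt [client.key] [days]
if [ "$#" -ge 1 ]; then
    days=${3:-30}
    rc=0
    cert_expires_within "$1" "$days" || rc=$?
    case $rc in
        0) echo "RENEW: $1 expires within $days days or has expired" ;;
        1) echo "OK: $1 is valid for more than $days days" ;;
        *) echo "ERROR: $1 is not a readable certificate"; exit 2 ;;
    esac
    openssl x509 -in "$1" -noout -enddate
    if [ -n "${2:-}" ]; then
        cert_key_match "$1" "$2" && echo "OK: key matches certificate" \
            || echo "MISMATCH: $2 does not belong to $1"
    fi
    [ "$rc" -eq 1 ]   # exit status 0 only when no renewal is due
fi
```

Run it on a schedule against a copy of the certificate so the renewal steps start well before the expiration date shown in Google Admin.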