Integrate with Google Workspace through LDAP

In this topic, you will learn how to integrate Portnox™ Cloud with Google Workspace using the Google Workspace secure LDAP function and Portnox AD Broker.

Important: In January 2025, Google removed the Less Secure Apps option for all Google Workspace accounts, which means you cannot use credential-based authentication with the standard Google Workspace integration. The integration described in this topic is more complex than the standard Google Workspace integration, but it allows you to use credential-based authentication with Google Workspace.
Important: Google secure LDAP is only available in higher Google Workspace plans, such as Business Plus. Before starting this configuration, check your Google Workspace plan and upgrade it if necessary to include the secure LDAP functionality.

Configure Portnox Cloud directory integration

In this section, you will configure Portnox Cloud for LDAP directory integration with Google’s secure LDAP.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Authentication Repositories > DIRECTORY INTEGRATION SERVICE > Directory Domains option.

  3. Under the DIRECTORY INTEGRATION SERVICE section, click on the Add new domain link.
  4. In the User repository type field, select the OpenLDAP option.

  5. In the Display name field, type a display name for your configuration.

    In this example, we used the name Google Workspace, but you can use any name you like.

  6. In the Base DN field, type the Distinguished Name (DN) of the starting point for directory server searches. For Google’s secure LDAP, this is always dc=gsuite,dc=google,dc=com.

  7. In the Domain names section, click on the Add new domain name link.
  8. In the Domain name field, type the domain name controlled by your Google Workspace tenant.

  9. In the Domain controllers (DC) field, click on the Add new Domain Controller link.
  10. In the Host and Port fields, enter ldap.google.com and 636 respectively, and then click on the Save button.

  11. Activate the Use SSL checkbox.

  12. Click on the Save button below to save your configuration.

Configure Google Workspace

In this section, you will add an LDAP client to Google Workspace.

  1. In your Google Workspace administrative interface, in the left-hand side menu, click on the Apps > Overview option.

  2. In the right-hand side pane, click on the LDAP tile.

  3. In the right-hand side pane, click on the ADD LDAP CLIENT link.

  4. In the Client details pane, enter the LDAP client name and optionally a Description. Then, click on the Continue button.

    In this example, we used the name Portnox Cloud, but you can use any name you like.

  5. In the Access permissions pane, set the access permissions, and then click on the ADD LDAP CLIENT button.
    Note: Configure the access permissions depending on your Google Workspace structure and organization security requirements. In this example, we allowed the client all permissions, but you may limit them as you see fit. However, it is secure for Portnox Cloud to have access to all the information, just as it would in the case of direct integration with Google Workspace.

  6. In the Next, connect your client to the LDAP service pane, click on the Download certificate link, and then click on the CONTINUE TO CLIENT DETAILS button.
    Note: You will need this certificate later to establish a connection to Google’s secure LDAP.

  7. In the Apps > LDAP > Settings pane, click on the OFF button in the top-right corner.

  8. In the Showing settings for users section, select the ON option, and then click on the SAVE button.
    Note: Your section may show information for a specific organizational unit, if you configured your client for that unit only in the Access permissions pane.

  9. In the Apps > LDAP > Settings pane, click on the expand (down arrow) icon in the top-right corner of the Authentication section.

  10. In the Authentication section, click on the GENERATE NEW CREDENTIALS link.

  11. In the Access credentials window, copy the generated credentials and store them in a temporary text file. You will need them to configure AD Broker later.

Install and configure stunnel

In this section, you will install and configure the free stunnel application that must be used as a proxy to connect to Google’s secure LDAP.

Note: Google’s secure LDAP requires all clients to connect using a certificate. AD Broker does not support LDAP connections with a certificate, so you need to create a secure tunnel to Google’s secure LDAP. You must have a virtual or physical Windows machine to host the stunnel application. It should be the same machine that you will use to host AD Broker.
  1. Download the free stunnel application for Windows from its official download page. Then, install the application.
  2. Unzip the certificate package that you downloaded from Google Workspace earlier. Copy the files from this package to the C:\Program Files (x86)\stunnel\config directory.

    Modify the directory if you installed stunnel in a different directory than the default one.

  3. Open the stunnel user interface from the Windows system tray (notification area), and in the top menu, select the Configuration > Edit Configuration option.

    A Notepad window opens with the configuration.

  4. Add the following at the end of the configuration file in the Notepad window, and then save the file:
    [ldap]
    client = yes
    accept = 127.0.0.1:1636
    connect = ldap.google.com:636
    cert = Google_your-certificate-identifier.crt
    key = Google_your-certificate-identifier.key

    For example:

    [ldap]
    client = yes
    accept = 127.0.0.1:1636
    connect = ldap.google.com:636
    cert = Google_2028_03_06_37656.crt
    key = Google_2028_03_06_37656.key
  5. Close Notepad, and in the top menu of the stunnel user interface, select the Configuration > Reload Configuration option.
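Before installing AD Broker, it is worth confirming that the tunnel and the generated credentials work. The following PowerShell script is an added check, not part of the Portnox documentation or of stunnel; it assumes the default stunnel installation path and the [ldap] section above, and the certificate name, the generated LDAP username and the e-mail address of a known Google Workspace user are placeholders you must replace.

```powershell
# Added example (not from the Portnox documentation): checks the stunnel tunnel to
# Google secure LDAP and the generated credentials from the AD Broker host.
# Placeholders: certificate base name, generated LDAP username, a known user's e-mail.
$StunnelConfigDir = 'C:\Program Files (x86)\stunnel\config'
$CertBaseName     = 'Google_your-certificate-identifier'   # placeholder, as in the stunnel config
$LocalHost        = '127.0.0.1'
$LocalPort        = 1636
$BaseDn           = 'dc=gsuite,dc=google,dc=com'
$LdapUser         = 'your-generated-username'              # placeholder: from the Access credentials window
$KnownUserMail    = 'user@example.com'                     # placeholder: an existing Workspace user
$LdapPassword     = Read-Host -AsSecureString -Prompt 'Generated LDAP password'

# 1. Both files from the Google certificate package must be in the stunnel config directory.
foreach ($ext in 'crt', 'key') {
    $path = Join-Path $StunnelConfigDir "$CertBaseName.$ext"
    if (-not (Test-Path $path)) { throw "Missing $path - copy it from the downloaded certificate package" }
}

# 2. stunnel must be listening on the accept address from the [ldap] section.
if (-not (Test-NetConnection -ComputerName $LocalHost -Port $LocalPort -InformationLevel Quiet)) {
    throw "Nothing is listening on ${LocalHost}:${LocalPort} - reload the stunnel configuration"
}

# 3. Bind through the tunnel with the generated credentials. TLS is terminated by stunnel,
#    so the local leg is plain LDAP; keep it on the loopback address only.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LocalHost, $LocalPort)
$cred = New-Object System.Net.NetworkCredential($LdapUser, $LdapPassword)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $false
$conn.Bind()   # throws LdapException if the credentials or the tunnel are wrong

# 4. One read-only lookup under the base DN confirms the client has read permission
#    on user data, which is what AD Broker needs.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, "(mail=$KnownUserMail)", 'Subtree', @('uid', 'mail'))
$res = $conn.SendRequest($req)
if ($res.Entries.Count -eq 0) { throw "Bind OK, but $KnownUserMail was not found - check Access permissions" }
"Bind OK; found $($res.Entries[0].DistinguishedName)"
$conn.Dispose()
```

Run it in Windows PowerShell on the stunnel host; a successful run prints the DN of the known user, and each thrown message names the step to revisit.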

Install and configure AD Broker

In this section, you will install and configure the Portnox Active Directory Broker (AD Broker).

Note: You must have a virtual or physical Windows machine to host the AD Broker software. It should be the same machine used to host the stunnel application. AD Broker was developed for Portnox Cloud to be able to communicate with on-premises LDAP servers. While the Google Workspace LDAP server is not an on-premises solution, Portnox Cloud, as of this moment, cannot communicate directly with a public LDAP server.
  1. In the Cloud portal top menu, click on the Settings option.

  2. Create credentials to access Portnox Cloud from external services.
    Note: Skip this step if you already created the credentials for another purpose earlier.
    1. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Create credentials to access the CLEAR cloud service from external services option.

    2. Click on the Generate Credentials link.

    3. Check your email. You will receive the credentials by email.

      Note: Preferably, check the email on the device where you will be installing the broker or copy the information from the email to a file on that device.
  3. Download, install, and configure the Portnox Active Directory Broker software.
    Note: The Portnox Active Directory Broker is available for Windows only.
    1. Switch to the device or virtual machine where you will install the broker.
    2. Log in to Portnox Cloud and go to the Settings > Authentication Repositories > DIRECTORY INTEGRATION SERVICE screen.
    3. In the DIRECTORY INTEGRATION SERVICE section, scroll down to the DOWNLOAD PORTNOX CLEAR DIRECTORY BROKER section, and click on the Download link.

    4. Run the broker installation file PortnoxADBroker.exe and click on the Next button.

    5. Paste the credentials from the email received earlier into the fields in the broker installation window and click on the Next button.

    6. Optional: If you have more than one domain configured in Portnox Cloud, in the Provide Active Directory domain step, select the domain for this AD broker.
      Note: AD Broker can only service a single directory domain at a time. If you have more than one directory domain, you need a separate AD Broker for each domain.
    7. In the Provide Directory Controller Credentials step, input the credentials for a domain controller user account and click on the Next button.
      Note: These are credentials for a user account that exists in your domain controller, not in Portnox Cloud. For security, we recommend that you create a separate user in your domain controller that has read access only and is used only by the broker.

    8. Optional: Click on the Test button to test your configuration.

      Warning: The testing process may create an extra entry in your list of AD brokers in Portnox Cloud. If so, you can simply delete the extra entry. You can recognize the entry because it has no IP address listed, its state is Not updated, and its version number is 1.1.1.

    9. After the installation completes, click on the Finish button.