📖 Overview #

SecureSchool supports Google LDAP authentication for schools using Google Workspace. This method allows
SecureSchool to authenticate users against Google directory credentials and group membership, enabling user-based filtering
without requiring an on-premises Active Directory domain.

Google LDAP is commonly used by districts that are:

• Fully cloud-based
• 1:1 Chromebook environments
• Not using Windows domain authentication (NTLM)

Once configured, SecureSchool validates users through Google Workspace and applies filtering policies based on their assigned groups.

🔎 When to Use Google LDAP #

Google LDAP authentication is recommended when:

• Your school uses Google Workspace for Education
• Users authenticate primarily with Google accounts
• You do not have (or do not want to rely on) Active Directory
• You want user-based filtering tied to Google groups
• Chromebooks or cloud-managed devices are your primary endpoints

⚠️ Note: Google LDAP is supported only on certain Google Workspace editions. See Google’s documentation for current eligibility.

⚙️ How Google LDAP Works in SecureSchool #

When Google LDAP is enabled:

• SecureSchool connects securely to Google’s LDAP service
• User authentication requests are validated against Google Workspace
• Group membership is retrieved from Google
• Filtering is applied based on SecureSchool filter sets mapped to users or groups

Authentication credentials are not stored locally on the SecureSchool appliance.

🧩 Prerequisites #

Before configuring Google LDAP in SecureSchool, ensure the following:

• Your Google Workspace edition supports LDAP
• LDAP service is enabled in Google Admin Console
• A Google LDAP client configuration has been created
• You have downloaded the LDAP certificate and key files from Google
• The files are provided in a ZIP archive (as generated by Google)

📘 Google setup instructions:
Google Workspace LDAP setup (official guide)

➕ Configuring Google LDAP in SecureSchool #

Step 1: Select Google LDAP as the Authentication Method #

1. Log in to the SecureSchool admin interface.
2. Navigate to Setup → Auth Method.
3. Under Authentication Methods, select Google LDAP.
4. Click Save Changes.

This sets Google LDAP as the active authentication method for SecureSchool.

Step 2: Upload Google LDAP Certificate Files #

1. Still under Auth Method, click the GSuite Auth tab.
2. Locate the Manage Google LDAP Files section.
3. Click Browse and select the ZIP file downloaded from Google.
4. Click Upload Zip File.
5. Confirm the certificate status updates successfully.

The SecureSchool appliance installs the certificate and key automatically.

Step 3: Verify Certificate Status #

After uploading:

• Confirm the Start Date and End Date are visible
• Ensure the certificate is valid and not expired
• If the certificate expires, Google LDAP authentication will stop working until a new file is uploaded

💡 Best practice: Set a reminder to renew LDAP certificates before expiration.

🧑‍💻 Authentication Features (Optional) #

SecureSchool includes optional authentication features that may be used alongside Google LDAP. These options are configured under
the Features tab within Auth Method.

Portal Feature #

• Prompts users to authenticate via a login portal
• Session duration is controlled by a TTL (Time To Live) setting
• TTL can be fixed or variable, depending on configuration

Transparent Portal Feature #

• Automatically authenticates users without prompting
• Commonly used in Chromebook or domain-based environments
• Authentication type may reference Google Workspace domain
• TTL is fixed and applies to all users equally

🧾 Verifying Google LDAP Authentication #

After configuration:

• Test user authentication using a known Google Workspace account
• Confirm SecureSchool correctly identifies the user
• Verify filtering policies are applied as expected
• Check logs if authentication does not behave as anticipated

🧾 Troubleshooting Tips #

• ❌ Authentication fails → Verify LDAP is enabled in Google Admin
• 🔐 Certificate issues → Re-download and re-upload the ZIP file
• ⏰ Sudden failures → Check certificate expiration dates
• 👥 Group mismatch → Confirm group membership in Google Workspace
• 🔄 Changes not applied → Restart browser session and re-authenticate

💡 Best Practices #

• Use Google groups that clearly align with filtering needs
• Limit LDAP access to only required organizational units
• Keep certificate files secure and documented
• Review authentication behavior after major Google Workspace changes
• Document renewal dates for LDAP certificates

📌 Notes on Privacy #

• No user passwords are stored on the SecureSchool appliance
• Authentication occurs securely between SecureSchool and Google
• User information is used solely for access control and filtering