Using Groove.id as an LDAP server to support passwordless login

You can use Groove.id as an LDAP server. In this model, whenever a user tries to log in, they’ll receive a notification on their phone. When they acknowledge it, the signin continues.

LDAP flow diagram

  • When a user tries to sign in to the VPN, they will enter their email address and anything for the password. (1)

  • The VPN concentrator (or other network device) passes the request to Groove.id via LDAP. (2)

  • Groove.id sends a signin request to the user’s mobile phone. (3)

  • The user approves the signin request. (4)

  • The request is passed back to the VPN concentrator (5 and 6).

  • The VPN concentrator allows the connection to proceed. (7)


In the Groove.id console, create an API key. Add the scopes sync and user to the key. This authorizes your device to retrieve information about users.

On the VPN concentrator (or other network device), create an LDAP server group.

  • Server Name or IP Address: signin.example.com (or whatever your Groove.id hostname is)
  • Timeout: 60 seconds (allows time for the user to respond to a push)
  • Enable LDAP over SSL: checked
  • Port: 636
  • Server Type: Generic
  • Base DN: dc=example,dc=com
  • Scope: All levels beneath the Base DN
  • Naming Attribute(s): userPrincipalName
  • Login DN: cn=vpn,cn=services,dc=example,dc=com
  • Login Password: (use the API key from above)

You can add properties to the login DN to change the behavior of the signin request in the mobile app, for example:

  • Login DN: cn=vpn,headline=Sign to VPN,subhead=vpn.example.com,level=medium,dc=example,dc=com

The headline and subhead are displayed in the app. The level is low or medium. (“high” is not recommended: the mobile app only achieves medium, and high is reserved for provisioning.)

Note: If you use userPrincipalName or mail as the naming attribute, then people will use their email address as the username. If you’d prefer for them to only use their login name (e.g. alice rather than alice@example.com), then set uid as the naming attribute instead.
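A way to check an LDAP server group against the settings above before applying it to a device. This is an added example, not Groove.id code: the dictionary keys, function names and sample values are hypothetical, and treating `\,` as an escaped comma inside a property value is an assumption based on common LDAP DN syntax.

```python
import re

ALLOWED_LEVELS = {"low", "medium"}   # the page reserves "high" for provisioning
NAMING_ATTRS = {"userPrincipalName", "mail", "uid"}

def split_dn(dn):
    """Split a DN into (attribute, value) pairs; a comma escaped as '\\,' stays in the value."""
    pairs = []
    # Assumption: only the '\,' escape is handled, not the full RFC 4514 grammar.
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed DN component: {rdn!r}")
        pairs.append((attr.strip().lower(), value.replace("\\,", ",")))
    return pairs

def lint_ldap_group(cfg):
    """Return findings for one LDAP server group; an empty list means it matches the page."""
    findings = []
    if not cfg.get("ssl") or cfg.get("port") != 636:
        findings.append("transport: enable LDAP over SSL on port 636 (the bind password is the API key)")
    if cfg.get("timeout", 0) < 60:
        findings.append("timeout: under 60 seconds may expire before the user answers the push")
    if cfg.get("naming_attribute") not in NAMING_ATTRS:
        findings.append("naming attribute: expected userPrincipalName, mail or uid")
    try:
        login, base = split_dn(cfg.get("login_dn", "")), split_dn(cfg.get("base_dn", ""))
    except ValueError as err:
        return findings + [f"dn: {err}"]
    if login[-len(base):] != base:
        findings.append("dn: login DN does not end with the base DN")
    level = dict(login).get("level")
    if level is not None and level not in ALLOWED_LEVELS:
        findings.append(f"level: {level!r} is not low or medium")
    return findings

# Constructed sample settings: GOOD mirrors the values on this page, WEAK does not.
GOOD = {"ssl": True, "port": 636, "timeout": 60, "naming_attribute": "userPrincipalName",
        "base_dn": "dc=example,dc=com",
        "login_dn": "cn=vpn,headline=Sign to VPN,subhead=vpn.example.com,level=medium,dc=example,dc=com"}
WEAK = dict(GOOD, ssl=False, port=389, timeout=10,
            login_dn="cn=vpn,level=high,dc=example,dc=com")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, lint_ldap_group(cfg) or "ok")
```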

Last modified May 12, 2020: refactor docs (d7a7a5c1d)