And going forward with Okta setup for our project.
- Okta: SSO authentication for Gmail and Slack
- Jenkins: SAML Authentication with Okta SSO and users groups
- Jenkins: SAML, Okta, users groups, and Role-Based Security plugin
- Github: SAML, Okta, and Github Enterprise Cloud – Organization SSO configuration
The next task is to integrate our Google Suite with Okta: need to configure an ability to import users to Okta from G Suite, and vise Versa.
In real we will use Okta as a source-of-truth for users database and an authentication system and Okta will manage user accounts in G Suite but in this post let’s test both abilities.
Okta – a G Suite App configuration
Go to Okta > Applications, click Add Application, find the G Suite application:
In the G Suite admin page go to Domains, find an organization’s Primary Domain:
Set it to the settings (this domain doesn’t play any role for provisioning, but used if you’ll use SAML SSO later):
Set Application username format as Email, everything other here can be left with the default values – Sign-On will be configured on the next time:
Save, switch to the Provisioning tab:
G Suite Provisioning configuration
G Suite has to have API enabled, check the documentation>>>.
In Okta – click on the Configure API Integration:
Click Authenticate with G Suite, log in to a necessary account:
Users import from G Suite to Okta
In Okta go to Provisioning > To Okta:
In the User Creation & Matching, you configure how Okta will compare users from the G Suite account and Okta’s local database (Okta Universal Directory).
In this current case, a user’s email will be used as both G Suite and Okta will use the same value for it.
Time to run the import – switch to the Import tab:
Click Import Now:
Wait 5-10 minutes, depending on your G Suite account size:
And all users from our G Suite now ready to be created in the Okta’s account:
Once you’ll Assign any of them – an account will be created in the Okta Universal Directory.
For example, here is an Arseny user – it’s already present in both Okta account and G Suite, so Okta will skip it:
But the second Arseny will be created as this is another person with a different email a match didn’t apply.
Select a user from G Suite to be created in our Okta:
Here you can choose an action:
- create a brand new account in Okta (default action)
- attach it to an already existing Okta’s user
- just ignore
Click on the Confirm Assignments:
And a new user is now created in Okta:
Users export from Okta to G-Suite
Now let’s try to set up back-ward provisioning – an Okta’s user has to be created in the G Suite if now found there.
Go to Provisioning > To App, click Edit, enable necessary options:
For the testing purposes, you can enable only the Create Users, to avoid accidentally dropping already existing users in G Suite if any.
Click the Save.
Create a new user in the Okta’s database – go to the Directory > People > Add Person:
Note: an email domain must be already configured in the G Suite account
Go back to the G Suite application, switch to the Assignments tab and assign this new user:
Set values in hist profile for G Suite, at least need to configure Organizational Unit (if OU’s are used of course):
Check Okta’s logs:
And the G Suite account:
The last thing is to configure notifications when a new user will be created in Okta if Okta made an import from G Suite.
Go to the Settings > Account, and in the Admin Email Notifications block configure emails to be sent:
Also published on Medium.