Okta: G-Suite integration – provisioning and users import and export

By | 10/25/2019

Continuing with the Okta setup for our project.

Previous posts:

The next task is to integrate our Google Suite with Okta: we need to configure the ability to import users into Okta from G Suite, and vice versa.

In practice, we will use Okta as the source of truth for the user database and as the authentication system, and Okta will manage user accounts in G Suite, but in this post let’s test both directions.

Documentation:

Okta – a G Suite App configuration

Go to Okta > Applications, click Add Application, find the G Suite application:

In the G Suite admin page go to Domains, find the organization’s Primary Domain:

Enter it in the application settings (this domain plays no role in provisioning, but it is used if you configure SAML SSO later):

Set Application username format to Email; everything else here can be left at the default values – Sign-On will be configured next time:

Save, switch to the Provisioning tab:

G Suite Provisioning configuration

G Suite must have the API enabled; check the documentation.

In Okta, click Configure API Integration:

Click Authenticate with G Suite, log in with the required account:

Allow access:

Ready:

Click Save.

Users import from G Suite to Okta

In Okta go to Provisioning > To Okta:

In User Creation & Matching, you configure how Okta matches users from the G Suite account against Okta’s local database (Okta Universal Directory).

In this case, a user’s email will be used, as both G Suite and Okta use the same value for it.

Time to run the import – switch to the Import tab:

Click Import Now:

Wait 5-10 minutes, depending on your G Suite account size:

And all users from our G Suite are now ready to be created in the Okta account:

Once you assign any of them, an account will be created in the Okta Universal Directory.

For example, here is an Arseny user – this user is already present in both the Okta account and G Suite, so Okta will skip it:

But the second Arseny will be created, as this is another person with a different email, so the match didn’t apply.

Select a user from G Suite to be created in our Okta:

Here you can choose an action:

  1. create a brand new account in Okta (default action)
  2. attach it to an already existing Okta user
  3. just ignore
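
The email matching described above can be rehearsed offline before confirming assignments. This is an added example, not code from the original post and not Okta's own matching logic: it classifies G Suite users against Okta users by email and flags same-name, different-email accounts (the second Arseny case) for a manual create-or-attach decision. The sample records, field names and case-insensitive comparison are assumptions.

```python
# Added example: pre-import review of G Suite users against Okta by email.
from collections import defaultdict

# Constructed sample data (not from the original post).
OKTA_USERS = [
    {"email": "arseny@example.com", "name": "Arseny"},
    {"email": "admin@example.com", "name": "Admin"},
]
GSUITE_USERS = [
    {"email": "Arseny@example.com", "name": "Arseny"},
    {"email": "arseny.k@example.com", "name": "Arseny"},
    {"email": "new.dev@example.com", "name": "New Dev"},
]


def norm(email):
    # Assumption: compare emails case-insensitively, ignoring surrounding spaces.
    return email.strip().lower()


def plan_import(gsuite_users, okta_users):
    """Classify each G Suite user as 'matched', 'review' or 'create'."""
    okta_emails = {norm(u["email"]) for u in okta_users}
    okta_by_name = defaultdict(list)
    for u in okta_users:
        okta_by_name[u["name"].casefold()].append(norm(u["email"]))

    plan = {"matched": [], "review": [], "create": []}
    for u in gsuite_users:
        email = norm(u["email"])
        if email in okta_emails:
            # Same email on both sides: the account already exists, skip it.
            plan["matched"].append(email)
        elif u["name"].casefold() in okta_by_name:
            # No email match but the name collides with an Okta user: a person
            # must decide between "create new" and "attach to existing".
            plan["review"].append((email, okta_by_name[u["name"].casefold()]))
        else:
            plan["create"].append(email)
    return plan


if __name__ == "__main__":
    for action, items in plan_import(GSUITE_USERS, OKTA_USERS).items():
        print(action, items)
```

Entries under "review" are the ones where picking the default create action would leave one person with two identities in Okta.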

Click Confirm Assignments:

And a new user is now created in Okta:

Users export from Okta to G-Suite

Now let’s set up provisioning in the reverse direction – an Okta user has to be created in G Suite if not found there.

Go to Provisioning > To App, click Edit, enable the necessary options:

For testing purposes, you can enable only Create Users, to avoid accidentally dropping already existing users in G Suite, if any.

Click Save.

Create a new user in the Okta database – go to Directory > People > Add Person:

Note: the email domain must already be configured in the G Suite account.

Go back to the G Suite application, switch to the Assignments tab and assign this new user:

Set values in his profile for G Suite; at a minimum you need to configure the Organizational Unit (if OUs are used, of course):

Check Okta’s logs:

And the G Suite account:

Notifications

The last thing is to configure notifications for when a new user is created in Okta as a result of an import from G Suite.

Go to the Settings > Account, and in the Admin Email Notifications block configure emails to be sent:

Done.