Google Cloud Directory Sync and Okta both have their pros and cons which should be considered before making your decision to use them for managing your Google users and groups lifecycle.

You should ideally contact your Google or Google partner and Okta for recent developments in their products, however following table would help you as a starting point to understand some differences between these two utilities and recommendations for usage.

Scenario:

Multiple Data Sources (e.g Multiple AD Forests) or Mergers & Acquisitions use cases

Use Okta If-:‍

1. You already have all your identities provisioned in Okta (ideally they should be there, thats why you use IdPs).2. You have multiple data sources (multiple AD Forests & HRMS systems) to bring your identities in Google

‍Use GCDS if-

:1. You have a single AD Forest to bring your identities to Google, though there are workarounds like spinning up multiple GCDS instances and leveraging exclusion rules, but it would not be easily manageable.2. Your identities (that you want to provision in Google) are not in Okta.

‍

Attribute Level Mastery

‍If your provisioning requires attribute level mastery

For example-:
(i) Job title would come from workday.
(ii) Email will come from Active Directory.
(iii) Phone number will come from Ring Central.

Then use should Okta as GCDS does not provide attribute level mastery.

If all your attributes would be mastered from Active Directory (or LDAP), then you may use Google Cloud Directory Sync too based on other criteria in this table.

‍

‍Write back to Active Directory

‍GCDS does not write back to Active Directory, so you should use Okta for it, however GCDS and Okta can also be used in combination where you leverage GCDS for user lifecycle management, and Okta for write back to AD.

‍

‍Org Unit Sync

‍Use GCDS as it synchronizes OrgUnits well to Google, though you may be able to do it with Okta too, however it gets pretty messy as you would need to create lots of groups and assign priorities to it.

‍

‍Shared Contacts Sync‍

Use Google Cloud Directory Sync as Okta does not sync Shared Contacts. (Shared Contacts = your external contacts like vendors, contractors etc)

Otherwise, because of other reaons you want to use Okta for provisioning, then you may use Shared Contacts API to separately manage shared contacts.

‍

‍Resource Calendar Sync

‍Use Google Cloud Directory Sync as Okta does not sync Resource Calendars. (Resource Calendars = Conference Rooms etc)

If because of other reasons you want to use Okta for provisioning, then you may use Calendar API to provision initial resources and then manage them in Google.

‍

‍Attribute Transformation

‍Use Okta if you have complex use cases which needs lot of attribute transformation (e.g if you want to send transformed attributes from AD to Google).

Though GCDS also let you transform attribute but only the domain name (e.g user@ad.local TO user@googledomain.com)External members in Google GroupsIf you would have external members (e.g @yahoo.com) in your Google Workspace groups, then use GCDS as Okta doesn't manage/sync external members.

‍

‍HRMS as a Master

‍If you want to use your HRMS system (e.g Workday) as a master, then use Okta, as Google Cloud Directory Sync does not sync with HR Systems (only LDAP and AD)