We already have some users in Google, would they be deleted?

I have seen some cases where organizations start using Google Workspace (or Google Cloud Platform) before rolling out Okta.

Concerns-:

• In this case, concern usually is lack of clarity about whether these Google users would be deleted or not once we start using Okta for provisioning (and SSO).

Solution-:

First of all, though we would need to do some work in this case, but rest assured, we can handle this situation without impacting users.

• Okta provides an “Import Users” feature, which means we can import users from Google to Okta, and once these users are in Okta, we can assign them Okta user profile.

There would be two scenarios in such case, and let us handle them one by one.

Scenario One -: Google users also exist in Okta

• We can use Okta’s “Import Users” feature to bring these Google users to Okta, and once they are in Okta, we can create their Okta profile.
  
• Result = These users would now have new Okta profile, so they can login to Okta, and Google Workspace would appear on their dashboard to access at one click (via SAML).

Scenario Two -: Google users do not exist in Okta

• We can use Okta’s “Import Users” feature to bring these Google users to Okta, and because these users already have their Okta profile, we can map these users to their respective Okta account.
  
• Result = These users would now see Google Workspace apps in their Okta dashboard to access with one click.

1. Go to your Google Workspace application in Okta
2. Click on “Import” tab
3. Click on the “Import Now” button as shown in the screenshot below.

1. Okta should now start process of importing your Google users to Okta, it may take sometime depending on number of users in Google.

Note -: Please ensure you have already completed API integration setup as shown in provisioning section above, otherwise Okta would fail to import users because Okta would be calling Google’s Directory API to get these users.

• Okta should now show you the summary of how many users/groups scanned and imported to Okta

1. Now on this screen, Okta would show you whether the imported Google user has an Okta profile or not (based on user’s email address).
   
2. If the Okta user does not exist, Otka would ask you to confirm new Okta account creation for this user.
   
3. You should review and select the checkbox (look at #3 in screenshot below) to select all (or required users).
   
4. Click on “Confirm Assignments” to confirm new Okta user account creation.

Note -: In case Okta user already exists with the same email address as of Google user, then instead of creating a new Okta account, it would ask you to confirm the mapping for existing account.

• Here you would do the final confirmation and tell Okta whether or not auto-activate users after confirmation.

That is it, now your Google users are in Okta, and can login to Google Workspace via Okta SSO.

Okta would also not try to recreate them in Google, because it now knows that these Okta users are already in Google.

Important

Though everything should be working now for this specific use case, however if you look at assignment tab in Google Workspace app in Okta, you would find these users are individually assigned to Google Workspace application.

Though it is optional, but I would recommend you to convert their assignment from individual user to group based, so you can easily manage them via your AD or Okta groups.

You should follow these steps if you want to do that (or watch my video above)-:
(i) Disable the "Deactivate Users" (go to Okta --> Google Workspace App --> Provisioning Tab --> Edit)
(ii) Delete these users individual assignment (go to Okta --> Google Workspace App --> Assignment tab --> click on X mark)
(iii) Make sure these users are in your Group which you would be using for Google assignment.
(iv) Check the assignment, and these users should have Google app assignment based on your group assignment.
(v) Enable "Deactiave Users"