I have done couple of Okta and Google Workspace implementation where due to rebranding those enterprises wanted to go with a new/rebranded company domain for Google Workspace.
Though it is not limited just to rebranding cases, think of acquisition cases where you acquire a company who is already using Google Workspace, but not Okta, you may merge them with you AD, but they would have different Google Workspace domain than of your Active Directory.
I have also seen some cases where enterprises intentionally go for a test domain when doing Google Workspace or Google Cloud Platform proof of concept.
- Google Workspace only accepts user’s primary email address as identifier to authenticate users via Identity providers like Okta.
- However, in rebranding, POC or other similar cases, your users LDAP / Okta email would be different than Google Workspace, which means Okta will send user@oldDomain.com in the SAML but Google would need user@newDomain.com.
- Hence the SAML SSO will not work.
- We can leverage Okta’s attribute transformation feature which provide flexibility to transform attribute before sending it to the target application (e.g Google Workspace).
- We can create a rule in Okta saying “when our users try to access Google Workspace, take the user name part (e.g before @ in their email), and then append the domain that we have in Google to it.
- I would recommend you to watch my video above to see its done, but let me also add some screenshots below if you prefer them.
- Go to Okta Admin Consoe and then to your Google Workspace application.
- Click on “Sign On” tab
- Click on “Edit” and scroll down to “Application Username Format”
- You would a few options here, you should first see if any of the provided options fit your needs.
- If they do not, then select “Custom” which allows us to use Okta’s expression to create custom username.
- Ensure you have clicked on “Custom” from the application username format dropdown.
- Here you should put the expression (based on Okta’s expression language) which would result the required email address for your Google user.Example -: in below scenario, my users email in Okta is firstname.lastname@example.org, however my Google Workspace domain is @newDomain.com, so i want Okta to send the transformed email address in SAML (nameID)
So, I will use the following Okta expression
(String.substringBefore(user.email, “@”) +”@newDomain.com”)
where Okta does the following-:
(i) It first parses the username string which is before @
(ii) Then it appends @newDomain.com to it.
- Now before you save your change, it is critical to ensure that your expression is correct and giving you the expected email address.
For that, you can put any of your Okta user email in preview box (look at #3 in below screenshot)
- You should then check the result that preview gives you (look at #4 in screenshot below), this result should match this user’s Google username/email.You can then save the changes, now onwards, Okta would send the transformed email address (e.g email@example.com in our example) to Google.