User Provisioning to Google via OKta


To get started, let us first understand what would we need to setup provisioning-:

  1. Google Workspace or Google Cloud Identity Super Administrator Email and Password.
  2. Okta Super Administrator User Id and Password

  3. Atleast one test user account in Okta (either created directly in Okta or brought over by Active Directory)

  4. You should have already taken care of Google Conflicting Accounts.

I would also recommend to have clarity on which users (and groups) you want to provision from Okta to Google before you start.

Though it really depends on your use case, but I have seen some use cases while doing Okta and Google Workspace implementations where enterprises provision based on following-:

  • AD Group based provisioning -: Some organizations create a group in their Active Directory called google_users and then use this as provisioning basis (e.g whoever is member of this group, provision them to Google).

  • AD OrgUnit based provisioning -: Though not usual but some organizations go with OrgUnit based approach where any user of a given AD orgUnit gets provisioned to Google (via Okta).

  • Attribute based approach -: Some organization in some complex or custom use cases also go with user attribute based provisioning (e.g if the user.department = “IT”, then provision them to Google.

Ideally unless you are very clear on your use case and provisioning approach, you should go with Group based provisioning as it provides more flexibility and do less strain on your AD.

I will show you group based provisioning as it is very commonly leveraged, however i’ll put details below on how to do orgUnit and user attribute based provisioning just in case if you need that.

Also, provisioning process is same regardless of whether you are using Google Workspace or Google Cloud Platform or Google Drive Enterprise.

Provisioning Steps

Login to your Okta tenant

  • Go to your Okta tenant (e.g
  • Enter your User Id and Password (and second factor if it is setup)
Login to Okta

Click on the Admin button on the to right to go to Okta Admin console (as shown in the screenshot below).

Go to Okta Admin
  • Go to Applications (as we will be adding Google Workspace application).
Go to Applications in Okta
  • Click on Add Application
Click on Add Application in Okta
  • Search for “Google Workspace” and click on it from the integrations as shown in the screenshot below.

Add Google Workspace Application for provisioning

  • Along with Google Workspace, products like Google Cloud Platform and Google Drive Enterprise also leverages Google Directory.

  • So even if you use Google Cloud Platform (without Google Workspace), you would still need to add Google Workspace app in Okta for provisioning to Google Directory.

  • Think of it like this, though the app here says Google Workspace, but you would be provisioning to Google Directory via it, which can then be used by products like Google Workspace, Google Cloud Platform or Google Drive for Enterprise.
Search and Select Google Workspace App in Okta
  • As you see in the screenshot below, this application supports user lifecycle management to Google Directory.

  • Click on Add button to add the Google Workspace application.
Click to Add Google Workspace app in Okta
  1. Add your Application label (e.g Google Workspace), this can be changed later.

  2. Add your Google Workspace (or Google Cloud Identity) domain, this can NOT be changed later, please make sure to put it right.

  3. Okta provides users a single dashboard where users see the icons of the applications which are assigned to us, if you would provide Okta SSO access to access to Google Workspace, then check the apps you want to show on users dashboard.

    If you would only be using Google Cloud Platform (and not Google Workspace), then you would not want to show these icons (e.g Gmail, Drive etc) on your users Okta dashboard, hence these can be unchecked here.
Enter your Google Workspace domain in Okta
  • If you use Google Workspace, Okta provides you functionality to add licenses to your Google Workspace users. You may enter your Google Workspace license count here to leverage Okta seats related reporting.

  • You can decide whether to show Google Workspace application icons to users on their Okta dashbaord and in Okta’s mobile app.

  • You would rather be using SAML, do not worry about “Browser plugin auto-submit” and leave it unchecked.
Enter Google Workspace apps visibility in Okta
  1. Click on SAML
  2. Click on Save

Note -: We are not turning on SAML or SSO yet, Okta only shows the user provisioning features once you enable SAML, hence we will just click on SAML and Save to move forward.

Select SAML and and click done in okta
  1. Now you would see additional options in your Google Workspace app (make sure you are in the Google Workspace app that you started configuring)
  2. Click on “Provisioning” tab
  3. Click on “Configure API Integration”

FYI –: As Okta leverages Google’s Directory API to manage Google user lifecycle (e.g creating, deleting, updating Google users).

Go to Provisioning tab in Okta Google Workspace app
  1. Click on Enable API Integration
  2. Then click on “Authentication with Google Workspace”

FYI –: We are now starting the process to authorize Okta (via OAuth) to programmatically (via Google’s Directory API) interact with our Google tenant for users, groups and members management.

Enable Google API Integration in Okta
  • Login to your Google Workspace Admin account (which should have either Super Admin OR delegated administration based on your requirements (e.g if you need Okta to manage only users, then delegated admin account here should have user management permissions)

  • If you are already logged in, please click on the account that you want to use to authorize Okta.
Give Okta permission to Google
  • Google is now providing you information about what Okta would be authorize to manage once you click allow.

  • You can also click on exclamation icons to learn more about each OAuth scope here.

  • Once/if satisfy, click Allow as shown in the screenshot below.
Provide Okta access to create users in Google Workspace
  • You should now see the successful message that your API integration has been enabled successfully.
Confirm success message in Okta
  • Click on Save.
Save you changes in Google app in Okta
  1. Please make sure that you are in the same Google Workspace application that you are configuring

  2. Click on Provisioning

  3. Important –: Please make sure the flow of provisioning is from Okta to Google Workspace, and then click on “Edit” as shown in the screenshot below.
Select the Google app for provisioning
Edit Google provisioning in Okta
  1. Enable “Create Users” if you want Okta to create users in Google Directory.

  2. Enable “Update User Attributes” if you want your users attributes to be synchronized from Okta to Google.

  3. Enable “Deactivate Users” if you want your suspended or deleted Okta users can be suspended or deleted in Google.

  4. Enable “Sync Password” if you want Okta to push your Okta user password (or AD password if you have AD delegated authentication setup).

  5. Once done, click on Save to save your changes.
Enable Google user management in Okta
  • If you scroll below, you would see user attribute mapping, where Okta should have already mapped primary attributes (e.g Name, email etc).

  • However, Okta provides you flexibility to map any attributes as per your requirement including the custom attributes that you have created in your Okta (e.g a custom attribute called “T-Shirt Size” to sync with Google Directory.
map google and okta attributes

Testing our configuration

  • We are now done with setting up user provisioning from Okta to Google Directory, its time to test our configuration.

  • You would create a test user in your Okta tenant (or use existing if you already have one) and assign him/her Google Workspace application.

Note -: For now we first need to test our configuration with a test user, however later in this post we will set up group based provisioning for dynamic and scalable provisioning.

Add Google Workspace ass to test user
  • If you have configured integration with multiple Google Workspace tenants, please make sure to assign our test user the correct Google Workspace tenant.
Assign Google Workspace app to test user
  • Choose the Google Organization Unit where you want to create this test user.
Assign Google Workspace license to your test user
  1. By default Okta suspends the users who is deactivated in Okta, you can check the box “do not suspend user”, ideally leave it unchecked.

  2. Okta can provide your Google Workspace license reporting, you may consider putting “true” to manage licenses on create and update.

  3. Select the license you want Okta to apply to this user (Note – If you do not use Google Workspace, and configuring provisioning for GCP, you can select “Cloud Identity” license at the bottom from this list.

  4. Click on Save and go back.
Assign Google Workspace license if required
  • You should see the application as “Assigned” now, click on Done.
Google Workspace assignment is completed
  • You should give it a few minutes and then go to your Google Admin Console –> Reports –> Admin.

  • You should see that Okta created our test user account in Google and also assigned the license we requested for this user.

If it has been a few minutes and you still do not your test user created, please look at the logs in Okta and in Google. Also, please make sure your Google service account has required permissions.

User should be created in Google via Okta

Scaling our user provisioning

  • After testing our provisioning setup successfully, I will now leverage Okta’s “Group based provisioning” to add all required users to Google directory.
  • Okta supports (i) AD Mastered Groups (ii) Application Mastered Groups and (iii) Okta Mastered Groups for provisioning.
  • Though I personally prefer to go with Okta mastered groups because it allows to define dynamics membership rules (even if/else conditional rules), but let me show you both AD mastered and Okta mastered group assignment below.
  • Click on the toggle below to see configuration for AD mastered group and Okta mastered group.

Option 1 - Use Active Directory Mastered Group

If you already have a group in your Active Directory that includes the users you want to provision to Google (via Okta), then you can simply choose this group.

However, you would need to keep managing this group in Active Directory as Okta would be making changes to Google directory based on this group membership (e.g if someone is removed from this group, Okta would suspend that user from Google)

I personally prefer “Okta Managed” groups which allows more granularity as you see in the toggled section (Option 2) below.

Option 2 - Use Okta Mastered Group (Recommended)

Leveraging Okta mastered groups for provisioning in target app

I personally prefer to go with Okta groups because it allows to define dynamics memberships based rules (even conditional rules).

Let me show you how to create an Okta group, populate it with members based on our condition, and finally use it as a basis for provisioning.

Step 1-: Login to Okta Admin Console and go to Groups as shown below

Go to Groups in Okta

Step 2 – Click on “Add Group” to create a new Okta mastered group

Click on Add Group in Okta

Step 3 – Name your Group and give it a description to it becomes easy to find later

Create a new group in Okta

Step 4 – Create a new Rule

Let us now create a new rule in our Okta group to

Create rule for group membership in Okta

Step 4 – Create a new Rule

  • You can add users to your Okta group either by selecting “Groups Memberships” as we are doing in the screenshot below.

  • You can also use user attributes like user.department = “IT”

  • If you need more flexibility to go granular, you can leverage Okta expressions where you can really combine attributes and groups memberships, and can also use conditionals.

    In this example, I am simply asking Okta to add members of my Active Directory Google Workspace users to my Google Workspace Okta group (this will be dynamic so if i change the group membership in AD, it’ll be in sync at next Okta directory sync run).
Ad group in Okta
  • In this example below, I am using Okta’s expression language to only add members to my Okta Google Workspace group when they are members of Google Workspace group in my Active directory AND if their department is equal to IT.
Okta group based on expression
Go to Google Workspace app assignment tab in Okta

Assign Group for Google Workspace provisioning Scope

  • As our group is now available in Okta (either the AD mastered or Okta mastered group).

  • Its time to assign it to Google Workspace for our provisioning scope as shown in the screenshot below.
Select and assign your AD group to provision Google users via okta

Related Posts