Google email alias support

When enabled, new users pushed from Okta to Google Workspace will have any additional email aliases automatically populated in Google. When performing an import from Google, newly imported users will have their email aliases pulled in from Google and set on the emailAliases property of the Google app user. If profile sourcing for Google is enabled, existing users will also get their emailAliases attribute updated when an import from Google is run.

Overview

• Google enforces that the domain name of every email alias must be registered and verified within Google first. Therefore pushing an unverified domain to Google will result in an error.
• Google enforces a maximum limit of 30 aliases.
• For details, see: Google Directory API documentation.
• Okta will have to make additional API calls to fetch, create, and update email aliases, and these calls will count against your Google API Quotas.
• On User Push to Google, Okta only reconciles addresses after a value has been assigned to the app user's emailAliases property. After a value is populated, even with an empty value, it will be pushed and overwrite Google.
• For all users, both the username and email alias need to be unique values.

Procedure

To enable email alias functionality with existing Google Workspace app instances, you have to add the emailAliases property to your app instance schema:

1. In Okta, go to DirectoryProfile Editor.

2. Click the Profile edit icon.

3. Click Add Attribute.

4. Click Refresh Attribute List.

   At this point, emailAliases should be available to be added to your instance.

5. Select emailAliases, then click Save.

6. You must now map the attribute to Okta User Profile. To do this, go to Google Workspace attribute mapping.

Subsequent user push and import operations will now be email alias aware.