Google Email Alias Support
When enabled, new users pushed from Okta to Google will have any additional email aliases automatically populated in Google. When performing an import from Google, newly imported users will have their email aliases pulled in from Google and set on the emailAliases property of the Google app user. If profile mastering for Google is enabled, existing users will also get their emailAliases attribute updated when an import from Google is run.
To enable email alias functionality with existing Google app instances, you need to add the emailAliases property to your app instance’s schema as follows:
In Okta, navigate to Directory > Profile Editor.
Click Add Attribute.
Click Refresh Attribute List.
At this point emailAliases should be available to be added to your instance.
Select emailAliases, then click Save.
Subsequent user push and import operations will now be email alias aware. If the emailAliases property is not mapped to the Okta user, then upon app assignment you will be prompted on the App Assignment screen to optionally add email aliases prior to Okta pushing the user to Google.
Note: If Okta is configured to update user attributes in G Suite (Update User Attributes) and the emailAliases G Suite attribute has not been mapped to an Okta attribute, Okta will replace existing G Suite email alias values with a blank value. We therefore highly recommend utilizing Universal Directory to establish an Okta > G Suite attribute mapping that will populate the emailAliases attribute with a value from the Okta profile. Refer to About Attribute Mapping for more details.
If mapped to the Okta user, aliases can then be pushed to and pulled from Google and other apps like any other property.
Google enforces that the domain name of every email alias must be registered and verified within Google first. Therefore pushing an unverified domain to Google will result in an error.
Google enforces a maximum limit of 30 aliases.
For additional information see: https://developers.google.com/admin-sdk/directory/v1/guides/manage-user-aliases.
Okta will need to make additional API calls to fetch, create and update email aliases and these calls will count against your Google API Quotas.
On User Push to Google, Okta only reconciles addresses once a value has been assigned to the app user’s emailAliases property. Once the property is populated, even with an empty value, it will be pushed and will overwrite the aliases in Google.
For all users, both the username and email alias need to be unique values.
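The following is an added example, not Okta's or Google's code: a pre-push check that applies the constraints listed above (verified domains, the 30-alias limit, uniqueness of usernames and aliases, and the empty-value overwrite) to a planned set of app users. The record layout, the use of None for a never-assigned emailAliases property, and all sample addresses are assumptions made for illustration.

```python
MAX_ALIASES = 30  # Google's alias limit as stated on this page


def preflight(users, verified_domains):
    """Return (username, issue) tuples for a planned Okta -> Google push.

    emailAliases is None when never assigned (push does not reconcile it);
    an empty list counts as assigned and overwrites the aliases in Google.
    """
    verified = {d.lower() for d in verified_domains}
    seen = {}  # address -> occurrences across all usernames and aliases
    for u in users:
        for addr in [u["username"], *(u.get("emailAliases") or [])]:
            seen[addr.lower()] = seen.get(addr.lower(), 0) + 1
    issues = []
    for u in users:
        name, aliases = u["username"], u.get("emailAliases")
        if aliases is None:
            continue  # never assigned: Google aliases are left alone
        if not aliases:
            issues.append((name, "empty emailAliases overwrites aliases in Google"))
            continue
        if len(aliases) > MAX_ALIASES:
            issues.append((name, f"{len(aliases)} aliases exceeds the limit of {MAX_ALIASES}"))
        for alias in aliases:
            local, at, domain = alias.rpartition("@")
            if not at or not local or domain.lower() not in verified:
                issues.append((name, f"{alias}: domain not verified in Google"))
            if seen[alias.lower()] > 1:
                issues.append((name, f"{alias}: not unique across usernames and aliases"))
    return issues


# Constructed sample data (hypothetical users and domains, not from the page).
SAMPLE_VERIFIED = ["example.com"]
SAMPLE_USERS = [
    {"username": "ana@example.com",
     "emailAliases": ["a.lee@example.com", "ana@example.org"]},
    {"username": "bo@example.com", "emailAliases": []},
    {"username": "cy@example.com", "emailAliases": None},
    {"username": "di@example.com", "emailAliases": ["ana@example.com"]},
]

if __name__ == "__main__":
    for username, issue in preflight(SAMPLE_USERS, SAMPLE_VERIFIED):
        print(f"{username}: {issue}")
```

Populate the verified-domain list from the domains registered in your Google admin console before relying on the result.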