In the case where SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. needs to be disabled between Okta and G Suite immediately, do the following:
- Sign in to G Suite using the backdoor URL ([http://www.google.com/a/mydomain.com])
- Select Advanced Tools > Set up single sign-on (SSO).
- Uncheck Enable Single Sign-on.
- Un-specify (blank out) the 3 URL fields.
- Select Save Changes.
- The username/password login page re-appears for all end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using apps to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. when they try to access G Suite. There may be a lag of 30 seconds before this appears.
Okta attributes are mapped to the Google User Schema in the Google Directory API. In some cases, the Google AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. UI and Contacts appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. UI are inconsistent with this Google User Schema. For example, an attribute value might not show up in the UI, even though it's correctly populated via the API. Additionally, an attribute value entered in the Google Admin UI might not show up in the Google User Schema properly. Google has communicated that they are aware of this inconsistency between UIs and API, and are working to resolve it. In general, query the Directory API directly to determine whether Okta has correctly pushed user profiles to Google. The following provides additional details on the impact of this inconsistency in specific use cases, and how to work around them:
Validate User Data in the Google User Schema
Use Google API Explorer tool to validate user data in the Google User Schema:
- Go to: https://developers.google.com/apis-explorer/#s/admin/directory_v1/directory.users.get.
- Authenticate Oauth with default scopes.
- Enter the primary email of desired user in the userKey field.
User creation in G Suite from Okta
The following G Suite User base attribute values created in Okta and pushed to G Suite will not show up in the Contacts app and Google Admin UI, but they will show up in the API:
- Second email
- Street address
- Zip code
- Country code
User import from G Suite
By default, Okta does not import some user attributes entered via the Google Admin UI. This is because these attribute values are incorrectly exposed in the Google User Schema via API. This issue may get resolved at some point by Google, but the suggested workaround is to use a tool like GAM to reconfigure the attributes values such that Okta can import them. Note that this issue only affects imports from G Suite. ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. of attributes from Okta to G Suite works successfully.
|Google Admin UI Attribute Name||Sample Data entered into Google||Sample Data shown in Google User Schema via API||Use GAM to reconfigure Sample Data in Google User Schema||Attribute will show up in G Suite Base Attribute or Custom Attribute|
|Secondary Email||mailto:firstname.lastname@example.org||emails: email@example.com, type=custom, customType=""||emails: type=work firstname.lastname@example.org||
|Phone (Work)||111-111-1111||phones: type=work value=111-111-1111||no GAM update needed||
|Phone (Home)||111-111-1111||phones: type=home value=111-111-1111||no GAM update needed||Add as Custom Attribute:
|Phone (Mobile)||111-111-1111||phones: type=mobile value=111-111-1111||no GAM update needed||
|Address (Work)||301 Brannan St San Francisco, CA 94105||addresses: type=work formatted="301 Brannan St San Francisco, CA 94105"||addresses: type=work streetAddress="301 Brannan St" locality="San Francisco" Region="CA" PostalCode="94105"||
|Address (Home)||301 Brannan St San Francisco, CA 94105||addresses: type=home formatted="301 Brannan St San Francisco, CA 94105"||addresses: type=home streetAddress="301 Brannan St" locality="San Francisco" Region="CA" PostalCode="94105"||Add as Custom Attributes:
|Employee ID||123||externalIds: type=organization value=123||no GAM update needed||Add as Custom Attribute:
|Manageremail@example.com||relations: type=Manager firstname.lastname@example.org||no GAM update needed||
|Title||Sales||organizations: title=Sales customType=""||organizations: title=Sales type="work"||
|Employee type||Engineer||organizations: description=Engineer customType=""||organizations: description=Engineer customType="work"||Add as Custom Attribute:
|Department||Engineering||organizations: department=Engineering customType=""||organizations: department=Engineering customType="work"||
|Cost Center||EN101||organizations: costCenter=EN101 customType=""||organizations: costCenter=EN101 customType="work"||
User import from Google, and then subsequent update from Okta
For a G Suite User who was originally created in Google Admin UI, updating their profile in Okta will not overwrite attribute values that were originally populated in G Suite UI and to which Okta does not explicitly map to. For example, if "Cost Center" attribute is first filled out in Google Admin UI, then updating "Organizations costCenter" in Okta will not result in a Google Admin UI update. By contrast, if "Phone (Work)" attribute is first filled out in Google Admin UI, then updating "Primary phone" in Okta will result in an update in the Google Admin UI.
The Search bar in People > Profile Editor > G Suite User > Add Attribute sequence cannot search for multi-word attribute names that contain spaces.
Separate Primary Email Attribute
The G Suite User profile shows a separate Primary Email attribute. This is because the G Suite instance was created prior to the January 2015 GA update and is a deprecated implementation. A best practice is to setup a brand new G Suite instance in your Okta orgThe Okta container that represents a real-world organization., and de-activate the old one. If this is not feasible, it is OK to continue using the existing G Suite instance, but do not map any Okta user attribute to the G Suite User Primary Email attribute.
Contacts App does not appear
After provisioning a user to G Suite, the Contacts app does not show the updated user profile. This is expected behavior as it takes up to 24 hours for updated values to appear in the G Suite Directory section of the Contacts app.
Okta imports a user's groups when they are imported from Google Apps or when their Google Apps account is assigned to their Okta account. Once a user is imported or assigned, updates to groups in Google Apps are not reflected in Okta.
Select Push Okta user profiles to Google Apps to have group changes made within Okta pushed to Google Apps.
If new org units are added in Google, you may need to refresh your application data before running an import or else you may receive the following error:
Field error in object ‘GoogleAppBaseProfile’ on field ‘orgUnitPath’: rejected value
Custom Schema Attributes are not showing up
If you're using Enhanced Schema DiscoveryAbility to import additional attributes to Okta for G Suite application, but don't see any new attributes coming to Okta in the Profile Editor, you need to re-authenticate on Provisioning tab, to allow Okta to import custom schemas from G Suite.
To do this, go to the Provisioning tab, then select API Integration and re-authenticate.
Errors during profile updates
If you're using Enhanced Schema Discovery for G Suite application, and you have imported and assigned some properties from a custom user schema in G Suite, and after that you removed that custom user schema from G Suite, you may see the following error (New_UserSchema on the screenshot below is that deleted schema from G Suite):
To resolve this error you need to manually remove custom properties from Okta's G Suite user in Profile Editor.