Troubleshooting

ClosedContingency Plan for Disabling SSO

In the case where SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. needs to be disabled between Okta and G Suite immediately, do the following:

  1. Sign in to G Suite using the backdoor URL ([http://www.google.com/a/mydomain.com])
  2. Select Advanced Tools > Set up single sign-on (SSO).
  3. Uncheck Enable Single Sign-on.
  4. Un-specify (blank out) the 3 URL fields.
  5. Select Save Changes.
  6. The username/password login page re-appears for all end usersIn Okta literature, we generally refer to "end users" as the people who have their own Okta home page (My Applications), using chiclets to authenticate into all of their apps. End users do not have any administrative control. When we refer to "users" we are generally referring to the individual(s) who have administrative control. when they try to access G Suite. There may be a lag of 30 seconds before this appears.
ClosedGoogle API/UI Attribute Inconsistency

Okta attributes are mapped to the Google User Schema in the Google Directory API. In some cases, the Google AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. UI and Contacts appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. UI are inconsistent with this Google User Schema. For example, an attribute value might not show up in the UI, even though it's correctly populated via the API. Additionally, an attribute value entered in the Google Admin UI might not show up in the Google User Schema properly. Google has communicated that they are aware of this inconsistency between UIs and API, and are working to resolve it. In general, query the Directory API directly to determine whether Okta has correctly pushed user profiles to Google. The following provides additional details on the impact of this inconsistency in specific use cases, and how to work around them:

Validate User Data in the Google User Schema

Use Google API Explorer tool to validate user data in the Google User Schema:

  1. Go to: https://developers.google.com/apis-explorer/#s/admin/directory_v1/directory.users.get.
  2. Authenticate Oauth with default scopes.
  3. Enter the primary email of desired user in the userKey field.

User creation in G Suite from Okta

The following G Suite User base attribute values created in Okta and pushed to G Suite will not show up in the Contacts app and Google Admin UI, but they will show up in the API:

  • Second email
  • Street address
  • City
  • State
  • Zip code
  • Country code

User import from G Suite

By default, Okta does not import some user attributes entered via the Google Admin UI. This is because these attribute values are incorrectly exposed in the Google User Schema via API. This issue may get resolved at some point by Google, but the suggested workaround is to use a tool like GAM to reconfigure the attributes values such that Okta can import them. Note that this issue only affects imports from G Suite. Provisioning of attributes from Okta to G Suite works successfully.

Google Admin UI Attribute Name Sample Data entered into Google Sample Data shown in Google User Schema via API Use GAM to reconfigure Sample Data in Google User Schema Attribute will show up in G Suite Base Attribute or Custom Attribute
Secondary Email mailto:myemail@test.com emails: address=myemail@test.com, type=custom, customType="" emails: type=work address=myemail@test.com
  • Work email
Phone (Work) 111-111-1111 phones: type=work value=111-111-1111 no GAM update needed
  • Primary phone
Phone (Home) 111-111-1111 phones: type=home value=111-111-1111 no GAM update needed Add as Custom Attribute:
  • Phones Home Value
Phone (Mobile) 111-111-1111 phones: type=mobile value=111-111-1111 no GAM update needed
  • Phones WorkMobile Value
Address (Work) 301 Brannan St San Francisco, CA 94105 addresses: type=work formatted="301 Brannan St San Francisco, CA 94105" addresses: type=work streetAddress="301 Brannan St" locality="San Francisco" Region="CA" PostalCode="94105"
  • Street address
  • City
  • State
  • Zip code
Address (Home) 301 Brannan St San Francisco, CA 94105 addresses: type=home formatted="301 Brannan St San Francisco, CA 94105" addresses: type=home streetAddress="301 Brannan St" locality="San Francisco" Region="CA" PostalCode="94105" Add as Custom Attributes:
  • addressesHomeStreetAdress
  • addressesHomeLocality
  • addressesHomeRegion
  • addressesHomePostalCode
Employee ID 123 externalIds: type=organization value=123 no GAM update needed Add as Custom Attribute:
  • ExternalIds Organization Value
Manager admin@oktaskylab.net relations: type=Manager value=admin@oktaskylab.net no GAM update needed
  • Manager
Title Sales organizations: title=Sales customType="" organizations: title=Sales type="work"
  • Organizations title
Employee type Engineer organizations: description=Engineer customType="" organizations: description=Engineer customType="work" Add as Custom Attribute:
  • Organizations Work Description
Department Engineering organizations: department=Engineering customType="" organizations: department=Engineering customType="work"
  • Organizations department
Cost Center EN101 organizations: costCenter=EN101 customType="" organizations: costCenter=EN101 customType="work"
  • Organizations costCenter

User import from Google, and then subsequent update from Okta

For a G Suite User who was originally created in Google Admin UI, updating their profile in Okta will not overwrite attribute values that were originally populated in G Suite UI and to which Okta does not explicitly map to. For example, if "Cost Center" attribute is first filled out in Google Admin UI, then updating "Organizations costCenter" in Okta will not result in a Google Admin UI update. By contrast, if "Phone (Work)" attribute is first filled out in Google Admin UI, then updating "Primary phone" in Okta will result in an update in the Google Admin UI.

ClosedKnown Issues/Common Errors

  • Multi-word Attributes

    The Search bar in People > Profile Editor > G Suite User > Add Attribute sequence cannot search for multi-word attribute names that contain spaces.

  • Separate Primary Email Attribute

    The G Suite User profile shows a separate Primary Email attribute. This is because the G Suite instance was created prior to the January 2015 GA update and is a deprecated implementation. A best practice is to setup a brand new G Suite instance in your Okta orgThe Okta container that represents a real-world organization., and de-activate the old one. If this is not feasible, it is OK to continue using the existing G Suite instance, but do not map any Okta user attribute to the G Suite User Primary Email attribute.

  • Contacts App does not appear

    After provisioning a user to G Suite, the Contacts app does not show the updated user profile. This is expected behavior as it takes up to 24 hours for updated values to appear in the G Suite Directory section of the Contacts app.

  • How are Google groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. affected by Okta?

    Okta imports a user's groups when they are imported from Google Apps or when their Google Apps account is assigned to their Okta account. Once a user is imported or assigned, updates to groups in Google Apps are not reflected in Okta.

    Select Push Okta user profiles to Google Apps to have group changes made within Okta pushed to Google Apps.

  • Import Errors

    If new org units are added in Google, you may need to refresh your application data before running an import or else you may receive the following error:

    Field error in object ‘GoogleAppBaseProfile’ on field ‘orgUnitPath’: rejected value

  • Custom Schema Attributes are not showing up

    If you're using Enhanced Schema DiscoveryAbility to import additional attributes to Okta for G Suite application, but don't see any new attributes coming to Okta in the Profile Editor, you need to re-authenticate on Provisioning tab, to allow Okta to import custom schemas from G Suite.

    To do this, go to the Provisioning tab, then select API Integration and re-authenticate.

  • Errors during profile updates

    If you're using Enhanced Schema Discovery for G Suite application, and you have imported and assigned some properties from a custom user schema in G Suite, and after that you removed that custom user schema from G Suite, you may see the following error (New_UserSchema on the screenshot below is that deleted schema from G Suite):

    To resolve this error you need to manually remove custom properties from Okta's G Suite user in Profile Editor.

    • gsuite_newe.png

ClosedAdditional Information
Top

© 2019 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.