Configuring Provisioning for G Suite (formerly Google Apps) Skip to main content
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka0f0000000ay2tkaw&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2f28208416-configuring-provisioning-for-google-apps
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Configuring Provisioning for G Suite (formerly Google Apps)
Published: Jan 10, 2015   -   Updated: Jun 22, 2018


Before you configure your provisioning settings for G Suite (formerly known as Google Apps), you must sign in to your G Suite Admin console, and then select Domain Settings > User Settings and turn on Enable Provisioning API

Note: enabling Provisioning for a G Suite application that is currently in production will NOT retroactively enable provisioning for users who are currently assigned to the application.  This is because provisioning utilizes the External ID attribute, which is only populated when provisioning is enabled prior to users assignment.  Unassigning these users from the application and then reassigning them once provisioning has been configured will successfully populate the External ID attribute.

To configure your provisioning settings for G Suite, perform the following steps:

  1. From the Administrator Dashboard, select Applications and then select G Suite from your applications list.
  2. Click the Provisioning tab and then click the Edit button.
  3. Select API Integration from the Settings column on the left of the page
  4. click Edit
  5. Enter you Google Apps API credentials, and click Test API credentials

    Note: 
    These credentials are your G Suite administrator username used to manage your G Suite domain and password.  If your username is bob@mycompany.com, enter bob.
  6. click To App in the Settings column to choose your G Suite provisioning features:

  • Create Users – This means you can assign G Suite to users directly from Okta, and a G Suite account is automatically created if one does not exist. Okta does not create a new account if it detects that a username specified in Okta already exists in G Suite. 

    Note: If you want to push new users to Google Apps or update their information in G Suite, you must enable the User Provisioning API within G Suite. You can find this under Domain Settings – User Settings in the admin panel of your G Suite domain.

  • Update User Attributes – This means you can have Okta update a user's Google profile and group information when the app is assigned. Profile changes made directly in Google are overwritten with the corresponding Okta profile values.
  • Deactivate Users  With this option enabled, Okta automatically deactivates users' G Suite accounts when you unassign the app in Okta or deactivate users' Okta accounts. Okta also reactivates the G Suite account if it is reassigned to a user in Okta.
  • Sync Password – This synchronizes users' Okta passwords with G Suite. With this option, your G Suite password is always the same as your Okta password. Whenever you change your password in Okta, the new password is pushed to G Suite.

    Note: Okta password policy should match Google's requirements in order for provisioning to work. 

After you configure your provisioning settings and are ready to test them, make sure you have signed out of the Google user account with which you are testing provisioning.