How to Map orgUnitPath for AD to G-suite Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Sean DoyleSean Doyle 

How to Map orgUnitPath for AD to G-suite

I want to map AD OU to orgUnitPath in okta but I can not find the right expression. This has to be possible but it eludes me
Goldy AroraGoldy Arora
My understanding is that the reference based attributes for the G Suite (orgUnitPath) that you see in the profile editor are not something you can custom map.

So you may consider group based mapping, for e.g 
1. Create the groups in AD for all the OUs that you want to map in G Suite.
2. Go to G Suite Application in Okta
3. Click on Assignment Tab --> Assign by Group
4. Here you'll do static mapping, for example marketing group in AD should be mapped to Marketing OU in G Suite
5. Define the proirity of your group assignments to ensure user moves in AD should correctly reflect in G Suite.

Though you can also do static AD OU to G Suite OU mapping, but above group based mapping will give you more flexibility as the whole reason of creating OU in G Suite is to apply different permisssions/access to services.

Static AD OU to G Suite OU, showing you one OU (ABC) mapping, you can more the same way-:
1. Create a Group named ABC in Okta --> and populate it with the group rule which says "any user whom DN includes the string OU=ABC,dc=ad,dc=goldyarora,dc=com --> put that user in this ABC.
2. Then I have G Suite application assigned to this group which says "If user is a part of this ABC group --> then assign him G Suite and put him in "ABC" OU.
Costel CurcaCostel Curca (Okta, Inc.)
Hi Sean, My name is Costel from Okta support.
If your comapny's requirement is to have the Org unit from AD mapped to G Suite, as Goldy mentioned that is possible.
You can do it from the profile editor but an expression must be used to strip out extra information.
We have this OU path in AD
EX: domain.local/OU/
You can use "/" + String.substringAfter("/")  as an expression to strip out the domain and add / at the beginning. This will give you a clean value EX: /OU which can be then pushed to G Suite. If you need more infroamtion please reply on the ticket that you ahve opened with Okta support.