We are looking to change our Google Primary domain. Has anyone out there gone through this process? We are looking for some insight behind what the process looks like on Okta's end. Do we have to kill the current connector and create a new connector? Any feedback on this would be very helpful.
You don't have to delete the current one but a new one will have to be created. It mostly depends on what was imported. If the membership is based on the groups, for example: When you will be re-creating the groups in Google apps the user membership will update. To ensure that they will not be loosing access to any applications or get deprovisioned here is what I suggest: Create Okta groups that will mirror the G Suite groups you will be removing to hold the user app memberships and once the groups are imported from the new G Suite then you can allow them to hold the group assigments. The steps will be something like this:
-Create Okta groups to mirror the groups from "domain A", for "group 1" in domain create an okta group like "okta group 1" and do this for all groups from that domain -Create group rules to add user assignments, it can be done by accessing from Okta directory>Groups>Rules>Add rule Name the rule and have the expression be something like: IF group membership any of "group 1" then assign to "okta group 1" and save it like that. Repeat the process for all groups. -Assign the applications(Including and attributes to mirror the ones currently in place for the "domain A" groups to all Okta created groups. -Activate rules from Okta directory>Groups>Rules so the users will be assigned to the groups in Okta, once the users are moved deactivate the rules and you can delete the groups from "domain A", the Okta groups should hold the application assignments preventing the users from deprovision, -Once that`s done import the groups from "domain B" and add the groups and attributes to them ad it was done before the Okta groups, -Once the assignments are correctly setup you can remove the Okta groups as well.