
MatthewB.98534 (Time Therapeutics) asked a question.
Greetings -
I am in the process of setting up Okta for a startup business. We've implemented Okta as our identity provider in our web application and are in the process of implementing it in our APIs as well. That is all going fine.
We've just now secured our domain name and I'm about to set up G Suite for our employees. To date (and I imagine for the foreseeable future) - we have *no* local network or applications whatsoever. To that end, there's no real need for me standing up a local (or even cloud) Active Directory tenant and all that jazz.
So that brings me to the point of my question. After a lot of reading, I feel like the best path forward is to make Okta Universal Directory my source of truth for all user data. Of course it already is for our web application users (i.e. customers), so I feel like it would only make sense to do that for our employees as well. I'd then configure Okta->Google integration via SAML, and our employees would always and only ever log in to the Okta login page essentially. Then I could manage all profile data from a central place.
The other option is to use Google Identity as the source of truth for our employee data, and integrate in reverse of what I described (Google pushes the identities back to Okta).
Are there any major pros/cons for either approach that I'm not thinking about? Once I move forward, would I manage things like Groups in Google or in Okta? I suppose that doesn't matter as the integration is bi-directional, but I'm hoping some of you folks out there could provide some insight.
Thanks in advance!

Hey Matthew! Apologies for the lack of traction on your post in the Discussions forum. I'd recommend reaching out to the fine folks in the Admin Pro Tips group to see if anyone in there has any input: https://support.okta.com/help/s/group/0F90Z000000EK23SAG/admin-pro-tips