r2wib (r2wib) asked a question.
Hi Community users,
I'm seeking assistance in ALM, which is NOT working for me.
My users are mastered by AD (importing to Okta) and then provisioning the same to GSuite. The simple use case here is - I want, couple of attributes (second email, mobile phone etc) to be mastered by GSuite. So that, when a user updates under their GSuite profile, the same should update in Okta.
I have already made GSuite as a profile master, mapped the attributes to okta attributes. Under Okta User profile, I have already made the attributes to Over-ride profile master and set GSuite as the Master Priority. However, when we change the attribute value at GSuite profile, this is NOT reflecting in Okta. Not sure, if I'm missing anything here.
Support is asking me to do 'Import Users', however I do NOT understand why should I import users to reflect the changes.
Please assist me if anyone had a similar use-case.
Seems you have done all right but lets recheck the configuration again - As you dont want to import user from GSuite, make sure that
If the matching criteria "Email address" matches then i dont think so you need to import in back from G Suite. You may ask to Okta support that - if user matching criteria is matching perfectly then why you need to import it back from G Suite.
Thanks,
Saurabh
Hi Saurabh,
Thanks for responding to my query. I have rechecked the points 1 to 4 multiple times and all seems to be configured as intended. Not sure, but the update from GSuite to Okta is NOT happening.
I have already asked support team on 'Why should I import users from GSuite (dint understand the logic, as Okta provisioned the user to GSuite)' and as usual they are taking time to respond.
If I do a manual import from GSuite to Okta, the updates are being pushed to Okta. But I do not think this is ALM, where an admin has to manually import to push the updates.
Under the provisioning tab, what do you have checked for Okta --> GSuite and GSuite --> Okta?
https://help.okta.com/en/prod/Content/Topics/Provisioning/Google/google-provisioning.htm
Hi Sandeep,
AFAIK, GSuite doesn't support Attribute Level Mastering (ALM). You have to allow the provisioning from OKTA. Have you double checked this with your Google Support ?
Hi Sandeep, if you are unwilling to import the changes from GSuite into Okta, how would you expect Okta to know about the changes made? Similar to AD, Okta needs to run imports to see/update the changes. As long as your attributes are properly mastered, and you are not set to "create" new users on import, there should be no issues running scheduled imports to get these updated values. You would definitely want to test in a sandbox environment first, to make sure the configuration is all set.
Thanks All for your valuable suggestions...
However as per Okta support, I have to enable 'Schedule Import' in the 'GSuite to Okta' provisioning tab. Attributes mastered by GSuite App would NOT be updated until that is enabled.
I'm NOT convinced with the implementation flow, but have to agree with Support to make configs working. I have to make sure NO new users are imported from GSuite to Okta.