
00uwkv708yXHWCXNNMH1.4207638486406545E12 (Customer) asked a question.
We are using Okta to manage all provisioning, deprovisioning, and user management for our Google domain. Most of our users hold basic Google Cloud Identity licenses, but a subset of users have Google Workspace (G Suite Basic) licensing as well. To manage the paid Workspace licenses, we have an OU set up in Google with auto-licensing turned on (called "Google Workspace Users").
We want to use Okta groups to manage users and license assignment - assigning all users to Google by default, but adding Workspace licenses to those that need them through a special group. This is how we have it set up currently, with the licensed users group taking priority over the unlicensed users group:
And the Google Workspace Licensed Users Okta group mapped to the corresponding Google OU, with auto-licensing turned on:
From what we have read, this should work. But it only seems to apply the OU mapping for new users being assigned to Google for the first time. If the user already exists, it doesn't update the mapping. Since all of our users exist in Google by default, it means we can't control the OU membership from the Okta side and must go into Google and manually move users from one OU to another to grant a license.
Is this expected? Has anyone else run across this?

I haven't run into this specific problem and theoretically it does seem like it should work. We map to Google OUs using an attribute. So all our users are assigned to G-Suite via a single group (and in the settings for that group we just have the users at the top-level OU). And then each user has a different OU in the "Office" field which is mapped to OUs. When the user is created or the account modified, it checks against the attribute and puts it in the correct OU.
What we have noticed is that some users are getting assigned to the top-level domain and we have to do a force sync (from the app Provisioning tab) or make an arbitrary change in the user profile to get it to move to its proper OU. We have a ticket open about this so we don't have an answer about why this is happening, but I am guessing it is some conflict between the group assignment versus the profile assignment and which gets priority during a sync. That may be a clue as to what is happening in your case.
For instance, maybe you need to do something to force it to recheck against the group assignment. As a test, you could take an existing user and unassign it from G-Suite via the group and then re-assign it and see if it goes into the right workplace.
@ConanP.47433 (Greenpeace International) is this still working for you?
I have a very similar use-case as you and am passing the orgUnitPath value with an Expression (a valid OU String). When assigning the application to an Okta Group, the OU stays with the initial OU selected from the drop-down. Arbitrary profile updates and Force Syncs don't help, and Create and Update is selected for the attribute.
When assigning the Expression to an Individual, instead of a Group, this works as expected.
I am having the same issue, where everyone in most of my Okta groups is assigned to the root OU with a Cloud Identity Free license, but there are some users that also need a Workspace license. When I assign them to the Okta group (with Enterprise Plus checked), and even after creating an OU called Google Workspace, the users are never moved to the OU and never get the license.
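
A drift check for the setup described in this thread, as an added example that is not part of any post above and is not Okta or Google code: it takes the group-to-OU mapping in priority order, works out the OU each user should be in, and compares that with the `orgUnitPath` Google reports. All users, the "All Google Users" group name and the `/` path are constructed for illustration; "highest-priority group wins" is assumed from the first post, and in practice the two dictionaries would be filled from exports of both directories.

```python
# Constructed sample data. Assignments are listed highest priority first.
GROUP_ASSIGNMENTS = [
    {"group": "Google Workspace Licensed Users", "orgUnitPath": "/Google Workspace Users"},
    {"group": "All Google Users", "orgUnitPath": "/"},  # hypothetical default group
]
OKTA_MEMBERSHIPS = {  # user -> Okta groups the user belongs to
    "alice@example.com": {"All Google Users", "Google Workspace Licensed Users"},
    "bob@example.com": {"All Google Users"},
    "carol@example.com": {"All Google Users", "Google Workspace Licensed Users"},
}
GOOGLE_USERS = {  # user -> orgUnitPath currently set in Google
    "alice@example.com": "/",
    "bob@example.com": "/",
    "carol@example.com": "/Google Workspace Users/",
    "erin@example.com": "/Google Workspace Users",
}

def normalize(path):
    """Treat '/X/' and '/X' as the same OU; keep None for 'no OU'."""
    return None if path is None else (path.rstrip("/") or "/")

def expected_ou(groups, assignments):
    """Return the OU of the highest-priority assignment the user matches."""
    for assignment in assignments:
        if assignment["group"] in groups:
            return normalize(assignment["orgUnitPath"])
    return None  # user is not assigned to Google through any group

def find_drift(memberships, google_users, assignments):
    """List (user, kind, expected, actual) where the directories disagree."""
    findings = []
    for user in sorted(set(memberships) | set(google_users)):
        want = expected_ou(memberships.get(user, set()), assignments)
        have = normalize(google_users.get(user))
        if want == have:
            continue
        if have is None:
            kind = "missing_in_google"
        elif want is None:
            kind = "not_assigned_in_okta"  # account exists outside Okta's control
        else:
            kind = "wrong_ou"  # e.g. licensed group member still in the root OU
        findings.append((user, kind, want, have))
    return findings

if __name__ == "__main__":
    for finding in find_drift(OKTA_MEMBERSHIPS, GOOGLE_USERS, GROUP_ASSIGNMENTS):
        print(finding)
```

The `not_assigned_in_okta` case is the one to review first: an account sitting in the auto-licensing OU with no matching Okta assignment holds a paid license and access that deprovisioning from Okta will not remove.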