Okta Classic Engine | Administration | Answered | 2021-12-07

MontroseI.58592 (Customer) asked a question.

Deprovision Okta users Automatically - Using Google as IdP for Okta

I set Google up as an IdP for Okta using SAML. This works well; once the user is set up in Google Workspaces they can automatically sign in and their Okta account is created.

However, deleting the user does not de-activate or de-provision the user. It does remove their access since they're no longer able to sign in via Google, but the account stays active in Okta. Is there a way to deactivate an account on the Okta end once they're removed in Google?

Additionally, how can I force everyone to only sign in via Google? We've got several manually created accounts that I'd like to move over to Google sign-in.


  • Hello @MontroseI.58592 (Customer),

     

    Thanks for posting. 

     

    When a user is deactivated within Google Workspace, you can choose what action Okta will take against the matching Okta user by using the Profile and Lifecycle Sourcing options.

     

    Deactivate: The Okta user will become deactivated and will no longer be able to log in or access Okta. If re-activated in Google Workspace in the future, the Okta user will go through the re-activation process in Okta. The user will need to go through the initial Okta user setup steps again.

     

    Please refer to the section Configure Profile and Lifecycle Mastering in the following document:

     

    https://help.okta.com/en/prod/Content/Topics/Provisioning/Google/google-provisioning.htm

     

    Additionally, how can I force everyone to only sign in via Google?

     

    New users created in the third-party application will be downloaded and turned into new AppUser objects, for matching against existing Okta users.

     

    Specifically: This is an implicit feature when provisioning is configured - meaning with the username/password set up and verified. Import allows Okta to map active Google accounts to an Okta user. This is usual for the initial app assignment bootstrap. CSV can also be used for file-based account mapping - similar to what API import can do.

     

    Let us know if this helps.

     

    Regards,

     

    Natalia

    Okta Inc.

  • MontroseI.58592 (Customer)

    Hi Natalie, the documentation appears to be geared towards setting up Okta to provision/deprovision accounts in Google. I want the opposite of that. I don't want Okta changing anything on the Google side.

     

    Right now I only have Google set up as IdP using SAML and no app installed. All of the provisioning stuff looks like it's in the app?

     

    Do you have any clearer documentation?

This question is closed.
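
An added example, not part of the original thread or of Okta's documentation: a read-only audit over exported user lists that covers both questions above, listing Okta accounts that are still enabled with no active Google Workspace user, and accounts that still hold an Okta-managed credential. The sample records are constructed, and matching Okta `profile.login` to Google `primaryEmail` is an assumption about how the IdP username is mapped.

```python
# Constructed sample exports. Field names follow the Google Directory API user
# resource (primaryEmail, suspended) and the Okta Users API user object
# (status, profile.login, credentials.provider.type).
GOOGLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False},
    {"primaryEmail": "Bob@example.com", "suspended": True},
    {"primaryEmail": "dave@example.com", "suspended": False},
]


def okta_user(login, status, provider):
    """Build a constructed Okta user record with only the fields the audit reads."""
    return {"status": status, "profile": {"login": login},
            "credentials": {"provider": {"type": provider}}}


OKTA_USERS = [
    okta_user("alice@example.com", "ACTIVE", "FEDERATION"),
    okta_user("bob@example.com", "ACTIVE", "FEDERATION"),          # suspended in Google
    okta_user("carol@example.com", "ACTIVE", "FEDERATION"),        # deleted in Google
    okta_user("dave@example.com", "ACTIVE", "OKTA"),               # manually created
    okta_user("erin@example.com", "DEPROVISIONED", "FEDERATION"),  # already deactivated
]

# Okta statuses that already block sign-in; other statuses are treated as enabled.
BLOCKED_IN_OKTA = {"DEPROVISIONED", "SUSPENDED"}


def audit(google_users, okta_users):
    """Return Okta accounts with no active Google user, and accounts that
    still have an Okta-managed credential. Assumes login == primaryEmail."""
    live_google = {u["primaryEmail"].lower()
                   for u in google_users if not u.get("suspended", False)}
    orphaned, local_credentials = [], []
    for user in okta_users:
        if user["status"] in BLOCKED_IN_OKTA:
            continue
        login = user["profile"]["login"].lower()
        provider = user["credentials"]["provider"]["type"]
        if login not in live_google:
            # Keep the provider so break-glass or service accounts can be reviewed.
            orphaned.append((login, provider))
        elif provider == "OKTA":
            local_credentials.append(login)
    return {"orphaned": sorted(orphaned), "local_credentials": sorted(local_credentials)}


if __name__ == "__main__":
    print(audit(GOOGLE_USERS, OKTA_USERS))
```

The `orphaned` list is a review queue rather than a deactivation list: an account with provider `OKTA` and no Google counterpart may be an intentional administrator or service account.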