Okta and Google Workspace can be configured for Single Sign-On (SSO) and provisioning, allowing users to access Google Workspace apps with their Okta credentials and automatically creating, updating, or deactivating user accounts in Google Workspace based on Okta’s user lifecycle management.

Let’s walk through a common setup scenario, focusing on the core components and how they interact.

Scenario: Setting up SSO and Provisioning for a New Company

Imagine a new company, "Acme Corp," has just adopted Google Workspace for their email and productivity suite. They also use Okta as their central identity provider. They want their employees to log into Gmail, Drive, Calendar, etc., using their Okta credentials, and they want new hires’ Google Workspace accounts to be created automatically when they’re added to Okta, and deactivated when they leave.

1. Okta as the Identity Provider (IdP)

Okta will be the source of truth for user identities. When a user tries to access a Google Workspace application, Okta will authenticate them and then assert their identity to Google Workspace.

2. Google Workspace as the Service Provider (SP)

Google Workspace will trust Okta for authentication. When Okta sends an assertion (a SAML response), Google Workspace will verify it and grant the user access.

3. Single Sign-On (SSO) Configuration

This is the process where Okta tells Google Workspace who the user is.

  • In Okta:

    • Navigate to Applications > Applications.
    • Click Browse App Catalog and search for "Google Workspace."
    • Click Add Integration.
    • On the General Settings tab, enter the Sign-on options. For SSO, you’ll typically choose SAML 2.0.
    • Crucially, under Advanced Sign-on Settings, you’ll configure how Okta maps user attributes to Google Workspace. The most important is email (or username depending on your Okta setup), which must match the user’s primary email address in Google Workspace. You might also map firstName, lastName, department, etc.
    • Save the application.
    • Go to the Sign On tab for the Google Workspace application and click View SAML setup. Here you’ll find the Identity Provider Single Sign-On URL, Identity Provider Issuer, and the X.509 Certificate. You’ll need these for the Google Workspace side.
  • In Google Workspace:

    • Log in to the Google Admin console as a super administrator (admin.google.com).
    • Navigate to Security > Authentication > SSO with third-party SAML providers.
    • Check the box for Set up SSO with a third-party identity provider.
    • Enter the Sign-in page URL from Okta.
    • Enter the Sign-out page URL from Okta.
    • Enter the Verification certificate by uploading the X.509 certificate you downloaded from Okta.
    • Enter the Change password URL from Okta. This is important for users to change their password in Okta and have it propagate.
    • You can choose to enforce SSO for specific organizational units (OUs) or for everyone.
    • Save the configuration.

Now, when a user tries to access a Google Workspace app (e.g., mail.google.com), they’ll be redirected to Okta for login. After successful authentication in Okta, they’ll be redirected back to Google Workspace and logged in.

4. Provisioning Configuration

This automates user account management in Google Workspace based on Okta’s user lifecycle.

  • In Okta:

    • Go back to your Google Workspace application in Okta.
    • Navigate to the Provisioning tab.
    • Under API Integration, click Configure API Integration.
    • Click Authenticate with Google Workspace. This will initiate an OAuth 2.0 flow, prompting you to log in as a Google Workspace super administrator and grant Okta the necessary permissions.
    • Once authenticated, Okta will display the granted permissions. Click Save.
    • Now, under Provisioning to App, you can enable Create Users, Update User Attributes, and Deactivate Users.
    • Go to the To App tab under Settings. Here you map Okta user attributes to Google Workspace user attributes. For example:
      • Okta firstName to Google Workspace Given Name
      • Okta lastName to Google Workspace Family Name
      • Okta email (or a specific Okta attribute holding the primary email) to Google Workspace Primary Email
      • Okta department to Google Workspace Organization Unit (this is powerful for assigning users to specific OUs in Google Workspace based on their department in Okta).
    • Save these mappings.
    • Finally, go to the Push Groups or Push Users section (depending on your Okta version and configuration) and assign the relevant Okta groups or individual users to be provisioned to Google Workspace.
  • In Google Workspace:

    • No direct configuration is needed in Google Workspace for provisioning from Okta. Okta’s API calls handle the creation, update, and deactivation directly. However, ensure the super administrator account used for the OAuth connection has the necessary privileges to manage users.

With provisioning enabled:

  • When you add a new user to Okta and assign them to the Google Workspace app, Okta will automatically create their user account in Google Workspace.
  • If you update a user’s firstName or department in Okta, those changes will be pushed to their Google Workspace profile.
  • When you deactivate a user in Okta or remove them from the Google Workspace app, Okta will suspend or delete their Google Workspace account.
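
One way to check that the lifecycle behaviour above actually holds, as an added example that is not part of the original walkthrough or of Okta's or Google's tooling: compare an export of Okta users with an export of Google Workspace users and report every disagreement. The records are constructed, and the `assigned` flag is a hypothetical field standing for assignment to the Google Workspace app in Okta.

```python
# Added example: constructed sample data, not real Okta or Google output.
# Okta statuses under which a user should not hold an active Workspace account.
OKTA_INACTIVE = {"SUSPENDED", "DEPROVISIONED"}

# "assigned" is a hypothetical flag: is the user assigned to the Google
# Workspace app in Okta? Build it from your own assignment export.
OKTA_USERS = [
    {"email": "ana@acme.example", "status": "ACTIVE", "assigned": True},
    {"email": "raj@acme.example", "status": "DEPROVISIONED", "assigned": False},
    {"email": "li@acme.example", "status": "ACTIVE", "assigned": False},
    {"email": "sam@acme.example", "status": "ACTIVE", "assigned": True},
]
# primaryEmail and suspended follow the Directory API user resource.
WORKSPACE_USERS = [
    {"primaryEmail": "Ana@acme.example", "suspended": False},
    {"primaryEmail": "raj@acme.example", "suspended": False},
    {"primaryEmail": "li@acme.example", "suspended": True},
    {"primaryEmail": "old-contractor@acme.example", "suspended": False},
]


def reconcile(okta_users, workspace_users):
    """Return sorted (email, finding) pairs where the two directories disagree."""
    okta = {u["email"].lower(): u for u in okta_users}
    live = set()
    findings = []
    for acct in workspace_users:
        email = acct["primaryEmail"].lower()
        if acct["suspended"]:
            continue  # a suspended account cannot sign in
        live.add(email)
        user = okta.get(email)
        if user is None:
            findings.append((email, "active in Workspace, unknown to Okta"))
        elif user["status"] in OKTA_INACTIVE:
            findings.append((email, "active in Workspace, Okta status " + user["status"]))
        elif not user["assigned"]:
            findings.append((email, "active in Workspace, not assigned in Okta"))
    # The reverse direction catches provisioning that silently failed.
    for email, user in okta.items():
        if user["status"] == "ACTIVE" and user["assigned"] and email not in live:
            findings.append((email, "assigned in Okta, no active Workspace account"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in reconcile(OKTA_USERS, WORKSPACE_USERS):
        print(f"{email}: {finding}")
```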

The One Thing Most People Don’t Know

The "Organization Unit" mapping in Okta’s provisioning settings is incredibly powerful for automating your Google Workspace structure. By setting up a rule that maps an Okta user attribute (like department, location, or even a custom attribute) to the Google Workspace Organization Unit, you can ensure that new hires are automatically placed into the correct OU in Google Workspace, inheriting the specific policies and app access assigned to that OU. This means a user created in Okta as "Marketing" can automatically land in the "Marketing" OU in Google Workspace, getting their marketing-specific apps and policies applied without manual intervention.
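
The attribute mapping from the To App step and the department-to-OU rule described here, as an added Python example (not Okta's own mapping engine and not code from this walkthrough): it turns an Okta profile into the `primaryEmail`, `name` and `orgUnitPath` fields of a Directory API user and refuses any profile whose department has no mapped OU, so nobody lands in an OU with the wrong policies. The domain, OU paths and profiles are constructed assumptions.

```python
# Added example: the mapping table, domain and profiles are constructed.
WORKSPACE_DOMAIN = "acme.example"           # assumed primary domain
DEPARTMENT_TO_OU = {                        # hypothetical OU paths
    "Marketing": "/Marketing",
    "Engineering": "/Engineering",
}


def to_workspace_user(profile):
    """Map an Okta profile dict to Directory API user fields.

    Returns (body, problems). body is None when any check fails, so an
    unmapped department never falls through to some default OU.
    """
    problems = []
    email = (profile.get("email") or "").strip().lower()
    local, _, domain = email.partition("@")
    if not local or domain != WORKSPACE_DOMAIN:
        problems.append("email is not an address in " + WORKSPACE_DOMAIN)
    for attr in ("firstName", "lastName"):
        if not (profile.get(attr) or "").strip():
            problems.append("missing " + attr)
    ou_path = DEPARTMENT_TO_OU.get((profile.get("department") or "").strip())
    if ou_path is None:
        problems.append("department has no OU mapping")
    if problems:
        return None, problems
    body = {
        "primaryEmail": email,
        "name": {"givenName": profile["firstName"].strip(),
                 "familyName": profile["lastName"].strip()},
        "orgUnitPath": ou_path,
    }
    return body, problems


if __name__ == "__main__":
    samples = [  # constructed profiles
        {"email": "Ana@acme.example", "firstName": "Ana",
         "lastName": "Diaz", "department": "Marketing"},
        {"email": "raj@gmail.example", "firstName": "Raj",
         "lastName": "", "department": "Sales"},
    ]
    for p in samples:
        print(to_workspace_user(p))
```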

Next Steps

Once SSO and provisioning are working, you’ll likely want to explore advanced features like group provisioning, managing licenses, and implementing conditional access policies in Okta to further refine access to Google Workspace applications.
