Before you configure your provisioning settings for Google Apps, you must sign in to your Google Apps Admin console, and then select Domain Settings > User Settings and turn on Enable Provisioning API.
To configure your provisioning settings for Google Apps, perform the following steps:
- From the Administrator Dashboard, select Applications and then select Google Apps from your applications list.
- Click the Provisioning tab and then click the Edit button.
- Select the Enable provisioning for Google Apps check box.
- Enter your Google Apps API credentials, and click Test API credentials.
Note: These credentials are the username and password of the Google Apps administrator account used to manage your Google Apps domain. If your username is bob@example.com, enter bob.
Choose your Google Apps provisioning features:
- Provision new Google Apps accounts from Okta – This means you can assign Google Apps to users directly from Okta, and a Google Apps account is automatically created if one does not exist. Okta does not create a new account if it detects that a username specified in Okta already exists in Google Apps.
Note: If you want to push new users to Google Apps or update their information in Google Apps, you must enable the User Provisioning API within Google Apps. You can find this under Domain Settings > User Settings in the admin panel of your Google Apps domain.
- Push Okta user profiles to Google Apps – This means you can have Okta update a user's Google profile and group information when the app is assigned. Profile changes made directly in Google are overwritten with the corresponding Okta profile values.
- Deprovision unassigned Google Apps accounts – With this option enabled, Okta automatically deactivates users' Google Apps accounts when you unassign the app in Okta or deactivate users' Okta accounts. Okta also reactivates the Google Apps account if it is reassigned to a user in Okta.
- Push Okta password to Google Apps – This synchronizes users' Okta passwords with Google Apps. With this option, your Google Apps password is always the same as your Okta password. Whenever you change your password in Okta, the new password is pushed to Google Apps.
Note: Okta password policy should match Google's requirements in order for provisioning to work.
After you configure your provisioning settings and are ready to test them, make sure you have signed out of the Google user account with which you are testing provisioning.