Okta Integration with Cloud Identity

Nimisha Jain
Google Cloud - Community
7 min read, Feb 28, 2023

TL;DR Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. You can configure Cloud Identity to federate identities between Google and other identity providers, such as Okta, Active Directory and Azure Active Directory.

Google offers Cloud Identity to manage corporate identities and enforce security policies, but it also recognises that many customers already have an identity solution in place, and running a second, cloud-only user store alongside it is rarely a good idea.

The goal of this post is to integrate your existing identity store with Cloud Identity, which then gives those identities access to Google services such as Google Cloud (GCP) and Google Workspace.

We will understand how to set up Okta as an Identity Provider (IdP) for Cloud Identity.

Recommended Setup

  • Configure SAML between Okta and Google.
  • Enable provisioning and have all the options enabled.
  • Enable password push, which synchronizes a user’s Okta password to their Google Workspace password. With SAML in place, a Google password is still needed only for clients that cannot authenticate through SAML, such as POP3/IMAP mail clients.
SAML between Okta and Google

Available App Integrations for Google Cloud

Okta currently offers two app integrations that can be used with Cloud Identity; we will look at what each of them offers:

  1. Google Workspace
  2. Google Cloud Platform

Both app integrations offer similar services with a few differences. The features offered by each are summarized below:

Differences between two app integrations

For our use case we will install the Google Workspace application, which lets us provision users into Cloud Identity and then establish federation, so that users continue to sign in with their Okta credentials via the SAML exchange.

Pre-requisites

  1. Access to the Cloud Identity admin portal as a Super Admin, or with a custom admin role that has the privilege to configure SSO under Security
  2. Admin access to Okta account

Note: if you want to run the proof of concept described in this article, you can create a trial Okta account by registering for a free trial at okta.com.

We will divide the setup into the following steps:

  1. Add a Google Workspace app instance and configure SSO
  2. Configure Google Workspace provisioning
  3. Configure Profile and Lifecycle sourcing
  4. Assign users to the Google Workspace app (optional)
  5. Assign groups to the Google Workspace app and enable Group Push
  6. Verify Users/Groups provisioned in Cloud Identity
  7. Test SSO by logging into Cloud Identity/GCP via the above users
  8. Test deactivation

Add a Google Workspace app instance and configure SSO

  1. Log in to the Okta Admin Console as an administrator and go to Applications > Applications.
  2. Click Browse App Catalog, search for the Google Workspace application and click Add on its details page.
  3. Fill in the General Settings and choose SAML 2.0 as the sign-on method (see the screenshots below).
Configure General Settings
Configure Sign-On

4. Configure single sign-on with a third-party IdP in the Cloud Identity admin portal by following the View Setup Instructions link visible in the screenshot above. Note: this step requires super admin privileges in Google.

Sign-on Settings on Google Admin Portal

5. Click Done once the SAML setup is complete.

Ensure you select the correct SSO profile

Configure Google Workspace provisioning

Configure your Provisioning settings for Google Workspace as follows:

  1. In Okta, select the Provisioning tab for the Google Workspace app, then click Configure API Integration.
  2. Check Enable API integration, then click Authenticate with Google Workspace.
Authenticate with Google Workspace

3. Enter the credentials of your Google Workspace admin account, then click Login. Use a dedicated admin account for this integration rather than a personal one: the OAuth grant created here is long-lived and gives Okta directory-admin access to your tenant, so it should not depend on an individual’s account.
Enter your admin username.
Enter your admin password.

4. Review the list of permissions that Google will grant Okta in your Google Workspace tenant. If they are acceptable, click Allow.

5. Back on the Provisioning page in Okta you’ll see messages confirming successful authentication. Click Save.

6. Select To App, select the provisioning features you want to enable, then click Save. (The recommendation is to enable all of them.)

Configure Provisioning

Configure Profile and Lifecycle sourcing

  1. Select To Okta, then select Allow Google Workspace to source Okta users. This makes Google Workspace a profile source for the matching Okta users; the options below govern what Okta does when such a user is deactivated in Google Workspace.
  2. When a user is deactivated in Google Workspace, choose the action Okta takes against the matching Okta user with the Profile and Lifecycle Sourcing options.
  3. The options for when a user is deactivated in the app are:
  • Do nothing: Google Workspace is unassigned from the Okta user.
  • Deactivate: The Okta user is deactivated and can no longer sign in to or access Okta. If the user is re-activated in Google Workspace later, the Okta user goes through the re-activation process in Okta, including the initial Okta user setup procedure.
  • Suspend: The Okta user is suspended and can no longer sign in to or access Okta. If the user is re-activated in Google Workspace later, the Okta user is re-activated automatically and can sign in to Okta again with no further steps.

Deactivate is usually the recommended choice: a user removed from any identity source should lose access everywhere.

Assign groups to the Google Workspace app and enable Group Push

  1. Go to the Assignments tab, click Assign -> Assign to Groups and select the groups you want to push to Cloud Identity.
Assign application to the Groups

2. Another window opens with the app settings for the group. Choose as follows:
  • Organizational Unit: /
  • Deactivation Options: leave unchecked
  • Manage Licenses on Create and Update: True
  • Licenses: choose the licenses you want to assign to the users
  • Manage Roles on Create and Update: True (Google admin roles are then granted by Okta group membership, so restrict who can manage these groups in Okta)

Configure settings for the Group to be pushed to Cloud Identity

3. Click the Push Groups tab.

4. Click Push Groups and select one of these options:

  • Find groups by name: Select this option to locate groups by name. Clear the Push group memberships immediately check box if you don’t want the selected membership pushed to the target app immediately.
  • Find groups by rule: Select this option to create a search rule that pushes matching groups to the app. When you have created your rule, clear the Push group memberships immediately check box if you don’t want the membership pushed to the target app immediately. Click Create Rule and the rule name is shown when you select By rule in the PUSHED GROUPS list.
Configure Push Groups

5. Optional. Click Bulk Edit to delete, deactivate, or activate groups.

6. Optional. To deactivate group push, unlink pushed groups, or push group memberships immediately, click Active / Inactive for a group and select one of these options:

  • Deactivate group push: Select this option to pause group synchronization. The group is retained in the app. You can continue to keep adding new members to the group, but the members won’t appear in the target app.
  • Unlink pushed group: Select this option to permanently remove the link between the Okta group and the group in the target app (the Okta group itself is kept). Select one of these options in the Unlink Pushed Group dialog:
  • Delete the group in the target app: Select this option to delete the group and all its associated memberships. Click Unlink.
  • Leave the group in the target app: Select this option to stop pushing memberships and keep the group in the target app. Click Unlink.

7. Push Now: Select this option to push memberships immediately and synchronize Okta with the target app. All memberships of the target group are overwritten and Okta becomes the group source. (When the target is Active Directory, only new members are pushed and existing memberships are not overwritten.)

Push group to Cloud Identity

8. Optional. Click information icon to display group creation information and the push type.

9. If you add new users to the groups above, Okta immediately pushes them to Cloud Identity.

10. Any group or user deactivation in Okta immediately signals Cloud Identity to deactivate the corresponding users there as well (Okta suspends the Google account rather than deleting it).

11. You can track these actions under View Logs.

View Logs

Verify Users/Groups provisioned in Cloud Identity

  1. After you click Push Now, Okta immediately pushes the group to Cloud Identity.
  2. In the Google Admin console, go to Directory -> Groups. You should see the group and the users pushed from Okta.

Test SSO by logging into Cloud Identity/GCP via the above users

  1. Ask one of the Okta users pushed to Cloud Identity to sign in to the Google Cloud console at console.cloud.google.com. Test with a regular user: super admins are never redirected to the IdP and always sign in with their Google credentials.
  2. They are redirected to Okta to enter their credentials.
  3. After entering their credentials on the Okta sign-in page, they land in the Google Cloud console, signed in.
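When step 3 does not land the user in the console, the quickest way to see why is to capture the SAMLResponse that Okta posts back to Google (a browser SAML tracer or the network tab) and check its fields against the SSO profile. The following script is an added example, not part of the original post: it decodes a base64 SAMLResponse and reports the fields that must match the Cloud Identity configuration (Destination, Audience, NameID and the validity window). The domain example.com, the user alice@example.com and the Okta issuer value are assumptions, and the sample response it builds is constructed and unsigned; signature verification, which Google performs against the Okta certificate uploaded in the SSO profile, is out of scope.

```python
"""Sanity-check the SAMLResponse that Okta posts to Google's ACS endpoint.

Added example, not code from the original post. The sample response is
constructed and unsigned; Google verifies the signature itself against the
Okta certificate uploaded in the SSO profile, which is out of scope here.
"""
import base64
from dataclasses import dataclass, field
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class SamlCheck:
    name_id: str
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad SAML timestamp {value!r}")


def check_saml_response(b64_response, domain, now_utc):
    """Inspect a base64 SAMLResponse posted to Google's ACS for `domain`.

    `domain` is the Cloud Identity primary domain (assumed: example.com) and
    `now_utc` a timestamp in SAML format, e.g. "2023-02-28T10:05:00Z".
    The returned SamlCheck has an empty `problems` list when all fields look right.
    """
    now = _ts(now_utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []

    # Destination must be Google's ACS for the domain-specific SSO profile.
    acs = f"https://www.google.com/a/{domain}/acs"
    if root.get("Destination") != acs:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {acs!r}")

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return SamlCheck("", problems + ["no Assertion element"])

    # NameID must be the user's Cloud Identity primary email in the federated
    # domain; a NameID Google cannot map to a user is the usual login failure.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id or name_id.rsplit("@", 1)[1].lower() != domain.lower():
        problems.append(f"NameID {name_id!r} is not an email address in {domain}")

    # Audience must be Google's entity ID: google.com or google.com/a/<domain>.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience not in ("google.com", f"google.com/a/{domain}"):
        problems.append(f"Audience {audience!r} is not a Google entity ID")

    # Validity window: catches replayed assertions and clock skew between Okta and Google.
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before and now < _ts(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after is None:
        problems.append("no NotOnOrAfter condition")
    elif now >= _ts(not_on_or_after):
        problems.append("assertion expired")

    return SamlCheck(name_id, problems)


def build_sample_response(destination, audience, name_id,
                          not_before="2023-02-28T10:00:00Z",
                          not_on_or_after="2023-02-28T10:10:00Z"):
    """Build a constructed, unsigned SAMLResponse (base64) for offline testing.

    The Issuer is a placeholder; a real Okta app issues http://www.okta.com/<app id>.
    """
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{destination}">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

To check a real capture, pass the raw `SAMLResponse` form value to `check_saml_response` with your primary domain and the current UTC time; a NameID that is not the user’s Cloud Identity primary email, or an Audience and Destination that do not match the SSO profile’s entity ID and ACS URL, are the mismatches to fix on the Okta side.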

Test deactivation

  1. Deactivate one of the pushed users (or remove them from a pushed group) in Okta. Okta immediately signals Cloud Identity to deactivate the user there as well; confirm in the Google Admin console that the account now shows as suspended.

2. You can track the actions under View Logs.

View Logs
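The verification step above and this deactivation test come down to the same question: does the Google side match the Okta group? The following script is an added example, not code from the original post. It reconciles an Okta group against the Google users and the members of the pushed Google group, and reports the four discrepancies a practitioner would chase: Okta users not provisioned, members added on the Google side outside Okta, deactivated Okta users whose Google account is still active, and active Okta users who were suspended in Google. The domain example.com, the user and group names, and the record shapes are assumptions based on the Admin SDK Directory API (users.list, members.list) and the Okta Users API formats; the sample data is constructed so the check runs offline.

```python
"""Reconcile an Okta-pushed group against what Cloud Identity actually holds.

Added example, not code from the original post. The Google records mirror the
shapes returned by the Admin SDK Directory API (users.list and members.list);
the sample data below is constructed so that the check runs offline.
"""
from dataclasses import dataclass, field

# Okta Users API status of a deactivated user; such users must not keep a working Google account.
INACTIVE_OKTA = {"DEPROVISIONED"}


@dataclass
class Report:
    missing_in_google: list = field(default_factory=list)    # active in Okta, not in the Google group
    extra_in_google: list = field(default_factory=list)      # in the Google group, unknown to the Okta group
    should_be_suspended: list = field(default_factory=list)  # deactivated in Okta, still active in Google
    wrongly_suspended: list = field(default_factory=list)    # active in Okta, suspended in Google

    @property
    def clean(self):
        return not (self.missing_in_google or self.extra_in_google
                    or self.should_be_suspended or self.wrongly_suspended)


def reconcile(okta_members, google_users, google_members):
    """Compare an Okta group with its pushed Google group.

    okta_members:   {email: okta_status} for the Okta group (status as in the Okta Users API)
    google_users:   Directory API user records ({"primaryEmail": ..., "suspended": bool})
    google_members: Directory API member records of the pushed group
                    ({"email": ..., "type": "USER" | "GROUP", "status": ...})
    """
    users = {u["primaryEmail"].lower(): u for u in google_users}
    in_group = {m["email"].lower() for m in google_members if m.get("type", "USER") == "USER"}
    okta = {e.lower(): s for e, s in okta_members.items()}
    r = Report()

    for email, status in sorted(okta.items()):
        user = users.get(email)
        if status in INACTIVE_OKTA:
            # Okta deactivation should have suspended the Google account.
            if user is not None and not user.get("suspended", False):
                r.should_be_suspended.append(email)
            continue
        if user is None or email not in in_group:
            r.missing_in_google.append(email)
        elif user.get("suspended", False):
            r.wrongly_suspended.append(email)

    # Members that exist only on the Google side were added outside Okta and
    # will be removed by the next Push Now, which overwrites memberships.
    r.extra_in_google = sorted(in_group - okta.keys())
    return r


# Constructed sample data (not from a real tenant).
SAMPLE_OKTA_MEMBERS = {
    "alice@example.com": "ACTIVE",
    "bob@example.com": "ACTIVE",
    "carol@example.com": "DEPROVISIONED",
    "dave@example.com": "ACTIVE",
}
SAMPLE_GOOGLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False},
    {"primaryEmail": "bob@example.com", "suspended": True},
    {"primaryEmail": "carol@example.com", "suspended": False},
]
SAMPLE_GOOGLE_MEMBERS = [
    {"email": "alice@example.com", "type": "USER", "status": "ACTIVE"},
    {"email": "bob@example.com", "type": "USER", "status": "SUSPENDED"},
    {"email": "carol@example.com", "type": "USER", "status": "ACTIVE"},
    {"email": "eve@example.com", "type": "USER", "status": "ACTIVE"},
    {"email": "contractors@example.com", "type": "GROUP"},
]


if __name__ == "__main__":
    print(reconcile(SAMPLE_OKTA_MEMBERS, SAMPLE_GOOGLE_USERS, SAMPLE_GOOGLE_MEMBERS))
```

With real data, `google_users` comes from `service.users().list(customer="my_customer").execute()["users"]` and `google_members` from `service.members().list(groupKey=group_email).execute()["members"]` of an Admin SDK Directory `service` (page through `nextPageToken` on large tenants), and `okta_members` from the Okta Groups API (`GET /api/v1/groups/{groupId}/users`, which returns each user with its `status`). Run it right after Push Now and again after a test deactivation: the first run should be clean, the second should list the deactivated user under `should_be_suspended` only until the provisioning event has been processed.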
