Provisioning Users to G Suite
Article: KB0010382 Published: 06/08/2023 Last modified: 06/08/2023

This article is an add-on to our provisioning configuration guide, supplementing the process described there with specific details and additional information unique to provisioning users for the G Suite SAML 2.0 app connector in OneLogin's app catalog.

Prerequisites

This process requires administrator access to a paid G Suite account with third-party API access enabled.

If using a G Suite trial account, API-created users will be added to G Suite in a Suspended state and remain in that state until your instance is upgraded to a paid account. In order to move from Suspended to Active on a newly upgraded G Suite account, the user must log in and complete Google's verification steps to prevent malicious activity on trial accounts.

 


 

  1. Go to Configuration and Authenticate with your G Suite admin account, granting Google access when prompted for permission. If authentication is successful, the Configuration page now displays a Clear Token button.

    Clear your OAuth token as necessary to reauthenticate with the G Suite Directory API. If you're clearing the token because of security concerns, you should also delete the old token from G Suite.

  2. Enable basic provisioning, as well as entitlement provisioning if desired, and complete your SAML configuration for G Suite.

  3. Configure your G Suite attributes as desired, taking special note of these parameters:

    Email

    By default, G Suite uses just the name part of your users' email addresses (e.g. the user in user@domain.com), under the assumption that G Suite is also being used as your users' email provider. If your users' emails have a domain other than the one associated with this G Suite account, change this parameter's Value to Email to include the full address.

    Aliases

    At this time, OneLogin may only provision one alias to a G Suite user account. Any alias provisioned by OneLogin will overwrite all aliases currently associated with the user account in G Suite. Enable with caution.

    Groups

    Provisioning with Google Groups requires that entitlement provisioning be enabled.

    Once configured, group provisioning uses safe entitlements to ensure that a user's existing Google Group memberships are not overwritten by new Group memberships provisioned by OneLogin.

    Tip! If you're syncing OneLogin with both Active Directory (AD) and G Suite, you can use rules with regular expressions to create and assign your users' AD/LDAP security groups as Google Groups. Your Google Groups can now be searched and filtered by email address as well as group name when mapping rules for G Suite!

    Organization

    Provisioning with Google Organizations requires that entitlement provisioning be enabled.

    Department
    Employee Type
    Organization Name
    Organization Title

    G Suite links these four parameters together as a single unit. Changing any one value will cause Google to reset the parameters for all four attributes. If you intend to modify one of these values, plan to update all.

  4. Complete any remaining app configuration, always remembering to refresh entitlements and reapply mappings as necessary. Your G Suite provisioning is now complete!
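A pre-flight check for the Aliases and Email notes in step 3, as an added example that is not part of the original article or OneLogin's own tooling: it lists the existing G Suite aliases that would be overwritten and the users whose address lies outside the G Suite domain. All data is constructed; the record shapes, `planned_alias`, and the rule that users with no planned alias are left untouched are assumptions.

```python
# Added example: audit before enabling alias provisioning (constructed data).
# primaryEmail/aliases follow the Google Directory API user resource;
# planned_alias and the OneLogin record shape are hypothetical.
GSUITE_DOMAIN = "example.com"  # assumed domain tied to the G Suite account

# Constructed sample: current G Suite users, as from a directory export.
gsuite_users = [
    {"primaryEmail": "alice@example.com", "aliases": ["a.smith@example.com", "sales@example.com"]},
    {"primaryEmail": "bob@example.com", "aliases": ["bob.j@example.com"]},
    {"primaryEmail": "carol@example.com", "aliases": []},
]

# Constructed sample: OneLogin users and the single alias to be provisioned.
onelogin_users = [
    {"email": "alice@example.com", "planned_alias": "a.smith@example.com"},
    {"email": "bob@example.com", "planned_alias": "robert@example.com"},
    {"email": "carol@example.com", "planned_alias": None},
    {"email": "dave@partner.example.net", "planned_alias": None},
]

def aliases_lost(gsuite_users, onelogin_users):
    """Map primaryEmail -> sorted existing aliases the provisioned alias would replace."""
    planned = {u["email"].lower(): u["planned_alias"] for u in onelogin_users}
    lost = {}
    for user in gsuite_users:
        key = user["primaryEmail"].lower()
        new_alias = planned.get(key)
        if not new_alias:
            continue  # assumption: no alias provisioned means nothing is overwritten
        dropped = sorted(a for a in user.get("aliases", []) if a.lower() != new_alias.lower())
        if dropped:
            lost[key] = dropped
    return lost

def needs_full_email(onelogin_users, domain=GSUITE_DOMAIN):
    """Users outside the G Suite domain, for whom Email's Value should be set to Email."""
    return sorted(u["email"] for u in onelogin_users
                  if u["email"].rsplit("@", 1)[-1].lower() != domain.lower())

if __name__ == "__main__":
    for email, dropped in aliases_lost(gsuite_users, onelogin_users).items():
        print(f"{email}: would lose {', '.join(dropped)}")
    for email in needs_full_email(onelogin_users):
        print(f"{email}: outside {GSUITE_DOMAIN}, needs the full-address Email value")
```
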

