Monitor automated user provisioning

If you've configured automated user provisioning for a SAML cloud application, you can see the number of users created, suspended, and deleted within the last 30 days, as well as any provisioning failures, on the app's profile page.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenSAML apps.
  3. Click a cloud application that shows Provisioning On after the app name.
  4. Under Auto-provisioning, the number of users created, suspended, and deleted in the last 30 days is shown, as well as the number of provisioning failures.
    • Click view sync log to open the Admin audit log and get specific details on auto-provisioning events.
    • Click Download list to download a .csv file listing user level failures and the reason for each failure.
Auto-provisioning status

The top of the Auto-provisioning section shows auto-provisioning status:

  • Active — Auto-provisioning is on and running.  User accounts will be created in the target application for all the applicable users based on the Organizational Units for which the application is selected and any additional groups to which provisioning is restricted.  After that, whenever any changes are made to a user in Google Cloud Directory, relevant changes are made to the user account in your target application.
  • Inactive — Auto-provisioning is inactive.  No changes are made to users accounts in your target application in this state.  Note: Deactivating auto-provisioning may take up to 15 minutes to take effect.
Activate or deactivate auto-provisioning

Before activating auto-provisioning, make sure to configure mandatory user attributes, attribute mappings, and any needed provisioning scopes. Also consider any licensing implications for your application. 

  1. Do one of the following:
    • Under Auto-provisioning, click the activation slider.
    • Click in the Auto-provisioning section to open the settings page, then click Status > Turn on or Turn off.
  2. In the confirmation box, click Turn on or Turn off.

Note: Deactivating auto-provisioning doesn't remove users already created on your target application.

Reauthorize auto-provisioning

Before it can start working, automated user provisioning needs the target application to authorize Google to create and update user accounts in the app. As the administrator of the target app, you give this authorization during initial auto-provisioning setup.

However, after initial setup, authorization can sometimes be revoked. This may happen due to inactivity, a password change on the app's admin account, or for other reasons. If so, you'll need to reauthorize to get auto-provisioning started again.

For instructions, see the Reauthorization section in your app's auto-provisioning article

Enable or disable the target applications

Here's the effect on automated user provisioning when a target application is enabled:
Single sign-on (SSO) gets turned on for the target application. If the provisioning status is ON, provisioning continues and accounts are created in the target application for applicable users based on the Organizational Units (OUs) for which the application is turned on and any additional groups to which provisioning is restricted. If the provisioning status is OFF, there's no change in the status of accounts on the target application. 

Here's the effect on automated user provisioning when a target application is disabled:
SSO is turned off for the target application. If the provisioning status is ON, provisioning continues and all Cloud Directory users previously created in the target application will be removed. If the provisioning status is OFF, there's no change in the status of accounts on the target application. 

Was this helpful?
How can we improve it?