As you mentioned, going for a custom rule would give you ultimate flexibility and control over how to achieve the mapping; however, the first thing needed for any sort of mapping is to have the source data available.
I believe the organization unit will not be returned by default from Google, but you can confirm this by performing a login with an applicable user and then, on the dashboard, inspecting its Raw JSON and looking for the data in question.
If the data is not available, which is likely according to a quick Google search, you may need to check the Google docs on how you can obtain this information. Again from a quick search, there’s this somewhat old (so things may have changed) SO answer that points to the need to use a service account:
There is no API call for a user to determine their own group membership or org unit. (…) You might consider creating a delegated admin account that has only rights to read groups and org units via the API (…)
If the above still proves to be true, then you may want to start with Perform G Suite Domain-Wide Delegation of Authority, which gives instructions on how to configure a service account to access this information. You could then either make the call to the Directory API directly from rules or through your own broker API. Having obtained the source data, you could apply your own mappings and call the authorization extension API to configure the user accordingly.