Skip to main content

Sapling - G-Suite Integration Guide

Alice McAnaw
Updated

Introduction

The Kallidus Sapling platform helps HR and People Operations teams automate and streamline administrative tasks so they can focus on employee experience, retention, and creating an amazing culture for the most successful teams.

G-Suite is a suite of intelligent apps by Google designed to help your team communicate and collaborate effectively across your organization.

With the G Suite integration, Sapling will:

  • Simplify User Sign-On (optional): Users can log directly into Sapling using G-Suite SSO

  • Create Users (optional): When a new hire is onboarded in Sapling, they will automatically be created in G-Suite

  • Deactivate Users: When a user is offboarded in Sapling, the corresponding user in G-Suite will automatically be deactivated

  • Link Users: Existing Sapling users will be linked to corresponding users in G-Suite

Sapling's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy including the limited use requirements.

blobid0.jpg

How it Works

Simplify User Sign-On (optional)

  • Users can log directly into Sapling using G-Suite SSO
  • Users will be able to log in via G-Suite SSO as long as their user emails in G-Suite and Sapling match

Create Users (optional)

  • When onboarding a new hire in Sapling, you'll have the option to automatically provision a G-Suite account for them and share their credentials on a specified date/time
    • When the user provisioning slider is enabled, we will validate the Company Email to ensure it matches the G-Suite account URL specified under the integration settings - check out the Setting Up the Integration section for guidance
  • Additionally, you'll have the option to assign them to an Organization Unit and/or Groups within G-Suite to further drive automated access provisioning

  • When you're done onboarding the new hire, they will immediately be created in G-Suite with their personal information and job details

  • Once created in G-Suite, your IT team can proceed with their usual access provisioning processes and send user credentials to the new hire accordingly (if not already scheduled)

  • Check out this article for more information on onboarding new hires in Sapling

  • Check out the Supported Fields section for what fields are synced from Sapling to G-Suite for user creation

Deactivate Users

  • When a user is offboarded in Sapling, the corresponding user in G-Suite will automatically be deactivated once the Sapling Access Cutoff date (specified during offboarding) is reached

  • Check out this article for more information on offboarding users in Sapling

Link Users

  • As long as the integration is enabled, a daily (overnight) sync will link existing Sapling users to corresponding G-Suite users based on Company Email

  • Check out the Before Enabling the Integration section to get the most of the initial user linking when the integration is first enabled

Before Enabling the Integration

Admin Permissions Required

To enable the G-Suite integration, you'll need a Super Admin role in Sapling and at least a User Management Admin role in G-Suite.

User Creation Limitations

Sapling can only auto-create G-Suite accounts for new hires that are onboarded after the integration is enabled. 

As such, before enabling the integration you to need manually create G-Suite accounts for all your existing Sapling users (if they don't already have one). For a speedier solution, please reach out to Google Support and ask if you're able to do so via bulk upload. 

Once the integration is enabled, existing Sapling users will be linked to corresponding G-Suite users via an overnight sync based on Company Email. Once linked, offboarding users in Sapling will automatically deactivate corresponding users in G-Suite going forward.

Setting Up the Integration

Part 1: Add the Sapling app and provide data access in G-Suite

  1. From your Google admin console (admin.google.com), navigate to Security > Access and data control > API controls > Manage third-party app access
  2. Add a new OAuth app
  3. Search for and select "Sapling G-Suite App"
  4. Select the app's client ID
  5. Grant the app full scope to all users and full access to all data

Part 2: Enable the G-Suite provisioning integration in Sapling 

  1. Under Administration Tools, navigate to Integrations
  2. Scroll down to find the G-Suite provisioning integration (under the Productivity section) and enable the integration slider
  3. Enter your G-Suite account URL
  4. If you'd like the option to provision users on alternate/secondary account URLs, enter them below and click "Add"
  5. If you'd like to sync personal emails to G-Suite, enable the slider below and click "Next"
  6. Click "Connect" to sign into your G-Suite admin account and grant the necessary consent - you'll need at least a User Management Administrator role for the consent to be valid
  7. Once redirected back to the Integrations page in Sapling, relaunch the G-Suite integration widget by clicking "Settings"
  8. Click "Next" and "Activate" to complete the integration

Part 3: Enable the G-Suite SSO integration in Sapling (optional)

  1. Reach out to Sapling Support (or your Implementation Consultant/CSM) and let them know you'd like to enable G-Suite SSO
  2. They will complete the necessary backend configurations and notify you to complete the remaining steps below
  3. Under Administration Tools, navigate to Integrations
  4. Scroll down to find the G-Suite SSO integration (under the Authentication section) and enable the integration slider
  5. Under Administration Tools, navigate to Platform Settings
  6. Under the SSO tab, allow for users to sign in using "Password and SSO" or "SSO only" and click "Save"

Supported Fields

Kallidus is continually expanding the number of fields that sync between Sapling and G-Suite.

Please note that is not possible to exclude or custom map any of the supported fields above, or map any additional fields at this time. 

Key Factors to be aware of

New Hire Email Notification

The new hire will receive their G-Suite credentials via their personal email at the date/time specified during onboarding (if scheduled). The People admin who onboarded the user will be BCC'd on the email for visibility. 

If the new hire's start date is in the past their credentials will be sent immediately.

Once the G-Suite account has been provisioned, your People team will not be able to change the date/time specified for delivering the credentials. 

When the new hire logs into their G-Suite account for the first time, they will be prompted to create a new password. They will then have access to their company email inbox, along with any other services your IT team may have provisioned ahead of time. 

Security & Auditing

All of Sapling's activities are tracked under the audit log. To view a log of events in your Google admin console, navigate to reports. There you can select ‘Admin’ to see a list of activities occurring in your Google admin instance, including the associated user and IP address.

Frequently Asked Questions

Start Date Changes

  • What happens if the new hires' start date changes?
    Since Sapling provisions the account and schedules the email notification at the time of onboarding, any subsequent changes are not updated between Sapling and G-Suite. As such, all start date changes must be manually updated in G-Suite.

    If the new start date is earlier than the previous start date, G-suite Admin would need to manually reset the password for the new hire and share it with them. The new hire can then ignore the automated password email notification being sent by Sapling based on the originally scheduled date/time. 

    If the new start date is later than the previous start date, to delay a new hire's access to their G-suite account, you can consider temporarily disabling/suspending the account and restoring it when the new start date is reached. 

Access levels

  • Our G-Suite accounts are provisioned with different access levels. Once they are created by Sapling, can the accounts be updated like they would if we provisioned them on our own?
    Yes, your IT team can still fully manage the user's access levels as if they provisioned the account themselves

Terminations

  • When terminating an employee, if we wanted account access to be shut off at different times, is that possible? I.e. sometimes 5 pm on the day of termination is too late or too early.
    Yes, it is possible to suspend a G-Suite account at a time more convenient to you. To do so, simply specify the desired Access Cutoff time during the offboarding workflow.

Personal and Company Emails

  • Can we sync only company emails to G-Suite, and exclude personal emails? 
    • Yes, you can control the syncing of personal emails to G-Suite via the slider below:
  • Can we send it, but hide the personal email from being viewed?
    • Yes, you can hide personal emails in your Global Directory. For reference, please see the 'Turn on the Directory and set sharing options' on this Google help article. There are a few options to manage this, but we believe the best is: 'Only show email addresses on the user's primary domain'. 
  • Can we update a user's G-Suite email after it has been provisioned by Sapling?
    • Yes, you can update a user's G-Suite email post-provision via Google Workspace. For reference, please review this Google help article.

Looking to do more?

Want to build your own custom integration? Check out the publicly available resources below:

Related articles