Integrations

G Suite Integration Guide

Introduction

G Suite is a suite of intelligent apps, including Gmail, Docs, Drive, and Calendar, designed to help your team communicate, store, and create.

With Sapling, you can:

  • Assign a company email address to a new hire when onboarding
  • Automatically set up an employee's G Suite account with the information from the new hire’s employee record 
  • Immediately suspend an employee's G Suite account during the termination process
  • Accounts can be reactivated by IT admins, however the email cannot be accessed whilst suspended. 

All of the activities taken by Sapling are tracked and recorded in the Admin console audit log.

Before integrating with G Suite, make sure you have:

  • Admin or Account Owner permission status in Sapling 
  • Obtained administrator access on your G Suite domain to set up the integration. 
  • If your administrator access is revoked in the future, your integration will stop functioning.

This Integration Guide is split into two sections:

The User Experience

  1. How does Sapling set-up the account during Onboarding?
  2. How does Sapling suspend the account during Offboarding?

Setting up the G Suite integration

  1. Ensure API Access is enabled in your Google Admin
  2. Enable the G-Suite integration in Sapling

Part 1: The User Experience

1a: How does Sapling set-up the account during Onboarding?

When onboarding an employee in Sapling, confirm the company email address - this will be based on the G-Suite account you have integrated and will become a required field.

When entering the new-hire’s company email in step 1 of the onboarding flow (“Create Profile”), Sapling will synchronously check your company’s G-Suite account to ensure the email address is available.

Leaving the company email blank means Sapling does not set-up the company email or G-suite account.



At the end of the new hire onboarding flow (step #5 - “Send Invite”), Sapling will provision the G-Suite Account when the New Hire onboarding event is confirmed.

Sapling sends the following information to the G-Suite profile:

  1. First Name
  2. Last Name
  3. Company Email (primary email)
  4. Personal Email (secondary email)
  5. Department
  6. Location
  7. Manager

The New Hire will then receive a notification to their secondary email (personal email) at the time specified by the Onboarding Admin informing them of access their G-Suite account (this is based on the time setting in your Company’s General Settings). 

Three important things to note:

  • If this time has already passed (i.e. they started today), this email will be sent immediately.
  • You can send the 'Getting started instructions' ahead of time, which can be collected from G-Suite account once provisioned
  • Once the G-Suite account has been scheduled after completing onboarding, admins will not be able to edit the time specified nor can they delete the G-Suite account before it’s provisioned by Sapling

The person who Onboarded the new hire (typically the Program Lead) will be Bcc’d on this email to ensure visibility on the workflow.



When the new hire logs into their Company G-Suite Account, they will be prompted to create a new password. 


The new hire will then have access to their company email inbox.

How to set password requirements?

  1. In your Google Admin console (at admin.google.com)...
  2. Go to Security > Password management.
  3. On the left, select the organizational unit where you want to set the password policies.
    For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization. 
  4. In the Strength section, check the Enforce strong password box.
    Strong passwords use a mix of letters, numbers, and symbols, and should not be common or previously used. 
  5. In the Length section, enter a minimum and maximum length for your users' passwords. It can be between 8 and 100 characters.
  6. (Optional) To force users to change their password, check the Enforce password policy at next sign-in box.
    If you don’t check this option, users with weak passwords can access your organization’s Google services until they decide to change their password.
  7. (Optional) To allow users to reuse an old password, check the Allow password reuse box.
    You cannot set the password history that Google reviews to prevent reuse.
  8. In the Expiration section, select the period of time after which passwords expire.
  9. Click Override to keep the setting the same, even if the parent setting changes.
  10. If the organizational unit's status is already Overridden, choose an option:
  • Inherit—Reverts to the same setting as its parent.
  • Save—Saves your new setting (even if the parent setting changes).

Make sure to also give your users tips for creating a strong password.

1b: How does Sapling suspend the account during Offboarding?

During the offboarding flow, Sapling can disable an employee's G Suite account.

Part 2: Setting up the G Suite integration

There are two steps in the set-up process and takes approximately 5 minutes:

2a: Ensure API Access is enabled in your Google Admin

The first step is to ensure that API access is enabled within G Suite directly. 

You will need to have administrator permissions on the Google Account you want to link in order to set up the integration. Additionally, you will need to ensure you have enough Google licenses, otherwise user creation will fail. 

As a Google Administrator, login to Google’s Admin console (https://admin.google.com) and ensure API access is enabled in your G-Suite Account.

To verify that it is enabled, login to your admin account and select Security. If Security is not listed, select More Controls > Security from the options shown in the gray box. 



On the security page, select API reference, and then select the checkbox to Enable API access and click Save.



2b: Enable the G-Suite integration in Sapling

When logged in as a Sapling Account Owner, navigate to Admin > Integrations and you’ll see the integration widget.

Click Add and you will be presented with a pop-up requiring the Organization URL of your company’s G-Suite domain (without the www.). By clicking Save, you’ll then be prompted to authorize your account.



Click Authorize.Google will then ask you to confirm that Sapling can provision and delete users on your domain.



Once G Suite and Sapling are synced, the G Suite app will be shown as Authorized in your account.

You can disable the G Suite <> Sapling sync at any time by clicking it and selecting “Unauthorize”.

Enforcing Multi Factor Authentication

2-Step Verification adds an extra layer of security to your users' G Suite accounts by requiring them to enter a verification code in addition to their username and password when signing in to their account.

It can be enabled for your domain in your Security Settings.



To ensure 2FA on new accounts generated by Sapling, you’ll need to ensure 2FA is turned on in your advanced security settings.




Managing Licences

If you need more licenses for a Google service, how you add them depends on how you signed up for your service and your plan type (G Suite only).

This article contains information on how to get more licenses.

Security & Auditing

All of the activities taken by Sapling are tracked and recorded in the Admin console audit log.

To view a log of events in your Google Admin Account, navigate to reports.


Here you can select ‘Admin’ to see a list of activities occurring in your company’s Google Admin account, as well as the associated user and IP Address.

 



Frequently Ask Questions

Start Date Changes

What happens if the new hires start data changes?

As Sapling provisions the account and schedules the email notification as time of onboarding, any subsequent changes are not updated between Sapling and G-Suite - hence changes in start dates must be managed manually in the current integration.

Access levels

Our Gmail accounts are provisioned with different access levels. Once they are created, can the accounts be updated like they would if we provisioned them on our own? 

This is typically managed by the IT Admins directly in G-Suite. We only send location, department, manager, etc.

Terminations

When terminating an employee, if we wanted account access to be shut off at different times, is that possible? I.e. sometimes 5pm on the day of termination is too late or too early. 

This is something Sapling is currently investigating for our Partners. 

Personal and Company Emails

Sapling can send both the personal and company email to our Google Admin Account which then appear in the Global Address book. How to disable sending personal email?



Can we can it sent, but hide the personal email from being viewed?

Yes - please see the 'Turn on the Directory and set sharing options' in this link

https://support.google.com/a/answer/60218#enable ​

There are a few options to manage this, but we believe the best is: 'Only show email addresses on the user's primary domain'  

Still no luck? We are here to help!

People Operations can be complex - contact our customer success team to get in touch with you.

Contact Us