# Google Workspace Identity Provider & Access Review Integration

The Google Workspace integration in Sprinto enables you to connect your organisation’s directory and audit systems to automate identity management and access governance.

This integration serves two core purposes:

* **Identity Provider (IdP):** Sync users, groups, and organisational structure from Google Workspace into Sprinto.
* **Access Review:** Monitor user access, audit activity, and security events for compliance frameworks such as SOC 2 and ISO 27001.

By combining identity and audit data, Sprinto provides continuous visibility into user access, detects compliance gaps, and ensures timely remediation.

***

### How It Works

The integration operates across two layers: identity management and access monitoring.

#### Identity Provider (SSO and User Sync)

Sprinto connects to Google Workspace using the Cloud Identity and Admin SDK APIs to:

* Fetch and sync users, groups, and organisational units.
* Map users to Sprinto’s People module.
* Enable SSO configurations using SAML 2.0 or OIDC.
* Track user lifecycle changes such as onboarding and offboarding.

Supported SSO protocols include:

* **SAML 2.0:** Uses Entity ID, SSO URL, and X.509 certificates for authentication.
* **OIDC (OpenID Connect):** Uses client credentials and OAuth-based authentication flows.

#### Access Review (Audit and Security Monitoring)

Sprinto uses Google Workspace audit and reporting APIs to:

* Track login activity, admin actions, and OAuth usage.
* Monitor access across applications such as Drive, Gmail, and Calendar.
* Identify inactive users or policy violations.
* Support access reviews and compliance checks.

Audit data is sourced from:

* Login and admin activity logs.
* OAuth token usage.
* Device and access evaluation logs.
* Security alerts and investigation data.

#### Sprinto checks for Google Workspace <a href="#sprinto-checks-for-google-workspace" id="sprinto-checks-for-google-workspace"></a>

Here's a list of the Sprinto checks available for the Google Workspace integration, along with reference procedures on how to fix them:

<table><thead><tr><th width="240.515625">Sprinto check</th><th width="316.70703125">Description</th><th>Reference procedure</th></tr></thead><tbody><tr><td><strong>Staff role should be assigned</strong></td><td>All in-scope staff members must have an assigned staff role.</td><td><a href="../../data-library/people/dashboard-actions/manage-staff-and-organisational-configuration">How to fix</a></td></tr><tr><td><strong>Reporting manager should be assigned</strong></td><td>All in-scope staff members should have an assigned reporting manager.<br><br>Note: Top management roles like CEO, CTO, etc. are exceptions.</td><td><a href="../../data-library/people/dashboard-actions/manage-staff-and-organisational-configuration">How to fix</a></td></tr><tr><td><strong>Date of joining for new staff should be provided</strong></td><td>Define the joining date for all newly onboarded staff members.</td><td><a href="../../data-library/people/dashboard-actions/manage-staff-and-organisational-configuration">How to fix</a></td></tr><tr><td><strong>Google Workspace user should have MFA enabled</strong></td><td>All in-scope staff members should have Multi-Factor Authentication enabled on their Google Workspace user account.</td><td><a href="../../data-library/people/dashboard-actions/manage-staff-and-organisational-configuration">How to fix</a></td></tr></tbody></table>
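
To spot-check the MFA and inactive-user findings independently, the sketch below evaluates user records shaped like the Admin SDK Directory API `users.list` response. It is an added example, not Sprinto's code: the sample records are constructed, and the 90-day inactivity threshold and finding names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Admin SDK Directory API users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "lastLoginTime": "2026-04-10T09:12:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False,
     "isEnrolledIn2Sv": False, "lastLoginTime": "2026-04-12T17:40:00.000Z"},
    {"primaryEmail": "carol@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "lastLoginTime": "2025-11-02T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": False,
     "isEnrolledIn2Sv": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
    {"primaryEmail": "erin@example.com", "suspended": True,
     "isEnrolledIn2Sv": False, "lastLoginTime": "2025-01-15T08:00:00.000Z"},
]

def parse_ts(value):
    """Parse an RFC 3339 timestamp; epoch zero is treated as 'never signed in'."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return None if ts.timestamp() == 0 else ts

def review(users, now, inactive_days=90):
    """Return {email: [findings]} for non-suspended accounts that fail a check."""
    cutoff = now - timedelta(days=inactive_days)  # assumed review threshold
    findings = {}
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; skipped in this sketch
        issues = []
        if not u.get("isEnrolledIn2Sv", False):
            issues.append("mfa_not_enrolled")
        last = parse_ts(u.get("lastLoginTime", "1970-01-01T00:00:00.000Z"))
        if last is None:
            issues.append("never_logged_in")
        elif last < cutoff:
            issues.append("inactive")
        if issues:
            findings[u["primaryEmail"]] = issues
    return findings

NOW = datetime(2026, 4, 14, tzinfo=timezone.utc)  # fixed so output is repeatable
if __name__ == "__main__":
    for email, issues in review(SAMPLE_USERS, NOW).items():
        print(email, ", ".join(issues))
```
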

### Permissions and Data Access

Sprinto requires specific permissions to enable identity sync and access monitoring.

#### Identity Provider Permissions

These permissions enable user and SSO management:

* Read user directory information.
* Read group and organisational unit data.
* Configure inbound SSO settings (SAML/OIDC).

#### Access Review Permissions

These permissions enable audit and monitoring:

* Read audit logs (login, admin, token activity).
* Access security alerts.
* Retrieve device and access-related information.
* View user and group activity.

#### Data Collected by Sprinto

Sprinto collects the following data:

* User details: name, email, status.
* Group memberships.
* Organisational unit mapping.
* Login and activity logs.
* OAuth and token usage.
* Security alerts and audit events.

***

### Prerequisites

Ensure the following requirements are met before setting up the integration:

#### Access Requirements

* You must have **Super Admin access** to your Google Workspace account.
* Alternatively, use a custom admin role with:
  * User management permissions.
  * Group management permissions.
  * SSO configuration access.
  * Security and reporting access.

#### Google Workspace Requirements

* Google Workspace must be active and properly configured.
* Required APIs must be enabled:
  * Admin SDK
  * Reports API
  * Cloud Identity API
  * Alert Center API (for security alerts)

#### Plan Requirements

* Access to advanced audit logs and investigation tools may require:
  * Enterprise Standard or Enterprise Plus
  * Cloud Identity Premium
  * Equivalent supported editions

***

### Setup Instructions

Follow these steps to connect Google Workspace with Sprinto:

1. Log in to the Sprinto dashboard.
2. Navigate to **Settings → Integrations**.
3. In the **All** tab, search for **Google Workspace**.
4. Click **Connect** next to Google Workspace.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FgjaYBm5JuE2N4dX9PuIU%2FScreenshot%202026-04-14%20at%2015.12.46.png?alt=media&#x26;token=f33c2946-ea86-473d-af6e-df441dc7cfb1" alt="" width="563"><figcaption></figcaption></figure>

5. In the integration drawer, click **Connect** for **Identity Provider & Access Review**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2Fe7Obc7DMgJyu5HgIfSiD%2FScreenshot%202026-04-14%20at%2015.13.39.png?alt=media&#x26;token=b0405f15-c888-4311-aa22-6abcddeb7cf7" alt="" width="375"><figcaption></figcaption></figure>

6. Review the following:
   * Controls and checks enabled
   * Permissions required
   * Data accessed by Sprinto
7. Click **Next**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FHfsmfhUsiVeXfQC3y9CP%2FScreenshot%202026-04-14%20at%2015.15.12.png?alt=media&#x26;token=7c7f0291-b643-4f5d-9aa5-a396444e54a4" alt="" width="375"><figcaption></figcaption></figure>

8. In the setup screen:
   1. Review connection type (OAuth).
   2. Confirm prerequisites.
9. Click **Connect Google Workspace**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FJRVvNanPlZJqnRirrEBC%2FScreenshot%202026-04-14%20at%2015.16.41.png?alt=media&#x26;token=d2c697bb-5477-4afd-9ca2-19091ddb3cfa" alt="" width="375"><figcaption></figcaption></figure>

10. In the Google OAuth window:
    1. Select your admin account.
    2. Sign in if required.
    3. Review requested permissions.
    4. Click **Allow**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FJcVVPvrz9umOPfq44x6T%2FScreenshot%202026-04-14%20at%2014.47.59.png?alt=media&#x26;token=265a27a5-d80f-4d7f-b7ba-95e71017e7be" alt="" width="563"><figcaption></figcaption></figure>

Once authorised, the integration is successfully established.

***

### Post-Connection Flow

After successful integration:

* **Initial Sync:**\
  Sprinto performs an initial sync of users and groups within 15–20 minutes.
* **Continuous Monitoring:**\
  Audit logs and access data are continuously ingested.
* **User Mapping:**\
  Users are mapped to the People module for compliance checks.
* **Access Reviews:**\
  Access review workflows are enabled using synced user and audit data.
* **Compliance Checks:**\
  Sprinto automatically evaluates controls related to:
  * User access management.
  * Inactive users.
  * Access removal on offboarding.

***

### Troubleshooting

#### 1. OAuth Authentication Fails

* Ensure you are using a **Super Admin account**.
* Verify that third-party app access is not restricted in Google Workspace.

#### 2. Insufficient Permissions

* Confirm required admin roles are assigned:
  * User management
  * Security and reporting
  * SSO configuration

#### 3. Missing Audit Data

* Ensure your Google Workspace plan supports audit logs.
* Some logs (Drive, Gmail, device activity) require higher-tier plans.

#### 4. Integration Errors (400 or API Issues)

* Check if required APIs are enabled in Google Cloud Console.
* Verify API access is not restricted by organisation policies.

#### 5. Sync Delays

* Initial sync may take up to 20 minutes.
* Large directories may take longer to fully process.

***

### Support

Please contact [Sprinto Support](mailto:www.support@sprinto.com) if you have any queries related to the integration or need any assistance.
