Using Groups with Login Policies When Google Workspace Doesn't Send Team Information
Last updated: September 16, 2025
When using Google Workspace as your SSO provider, you may notice that the session.teams field in login policies is always null. This is a known limitation of Google Workspace integration.
Why Google Workspace Teams Are Not Available
Google Workspace does not send team/group information to Spacelift during the SSO authentication process. This affects both login policy management and IDP group management strategies, as both depend on the SSO provider sending group membership data.
For more details about SSO limitations, see the Additional Claims documentation.
Workaround: Define Groups Directly in Login Policies
Since Google Workspace doesn't provide dynamic group information, you can manually define groups within your login policies. Here's how:
Define your teams as sets of users in your login policy:
package spacelift

import rego.v1

Team1 := {"user1@company.com", "user2@company.com", "user3@company.com"}
Team2 := {"user4@company.com", "user5@company.com", "user6@company.com"}
Team3 := {"user7@company.com", "user8@company.com", "user9@company.com"}

Use these groups in your policy rules:

# Grant admin access on every space to members of Team2.
# session.login is a single username string, so bind it directly
# rather than iterating over it with `some ... in`.
space_admin contains space.id if {
    some space in input.spaces
    login := input.session.login
    Team2[login]
}
When users log in, Spacelift will receive their username from Google Workspace, and your policy can check if that username belongs to any of the predefined groups.
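The following policy is an added example, not Spacelift's own code or part of the original page, showing the technique above carried through to a complete login policy: because no group claims arrive from Google Workspace, membership is enforced entirely from the static sets, unknown logins are denied explicitly, and different teams receive different space-level access. The team names, email addresses and the "team:app" space label are constructed for illustration; the use of space.labels assumes the standard login policy input where each entry of input.spaces carries id and labels.

```rego
package spacelift

import rego.v1

# Constructed sample teams (hypothetical addresses, not from the original page).
platform_team := {"alice@company.com", "bob@company.com"}
app_team := {"carol@company.com", "dave@company.com"}

# Every user this policy knows about; anyone else is treated as unknown.
all_known_users := platform_team | app_team

# Google Workspace supplies only the username, never the teams.
login := input.session.login

known_user if login in all_known_users

# Only members of a defined team may log in at all. Since the policy is the
# only place membership is checked, unknown logins are denied explicitly
# instead of relying on the absence of an allow rule.
allow if known_user

deny if not known_user

# Platform engineers administer every space.
space_admin contains space.id if {
	some space in input.spaces
	login in platform_team
}

# Application engineers may write only to spaces labelled "team:app"
# (label name is an assumption) and may read every space.
space_write contains space.id if {
	some space in input.spaces
	login in app_team
	"team:app" in space.labels
}

space_read contains space.id if {
	some space in input.spaces
	login in app_team
}
```

When team membership changes, the only edit required is to the set literals at the top; the access rules below them stay untouched, which keeps the manual maintenance described in the next section limited to a single, reviewable place in the policy.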
Limitations of This Approach
Manual maintenance: You'll need to manually update the group definitions in your login policies when team membership changes
No external data access: Login policies cannot read from external variables or APIs during evaluation
Static groups: Unlike dynamic SSO groups, these groups are defined at policy creation time
Alternative Solutions
While not commonly implemented, you could potentially use an Identity Proxy or Bridge Layer to transform the SSO response and include group information before it reaches Spacelift. However, this approach requires significant custom development and is not officially supported.
For reference on login policy examples, see the Spacelift policies example library.