Google Workspace SAML Log Events

Cloud & SaaSAuthentication & AccessGoogle WorkspaceCloud Control PlaneSIEM / Log Aggregator

Location

Google Admin Console > Reporting > Audit and investigation > SAML log events

Description

Federation-related audit events for SAML sign-in activity, identity-provider interactions, and SSO-related account access within Google Workspace.

Forensic Value

SAML logs help determine whether federated authentication was abused, whether an attacker used an external identity provider to reach Google Workspace, and which federation path was involved during suspicious sign-ins.

Tools Required

Google Admin ConsoleReports APISIEM

Collection Commands

Google Admin Console

Reporting > Audit and investigation > SAML log events > Filter by user, IdP, event name, and status > Export matching events

Reports API

GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/saml?startTime=2026-03-01T00:00:00.000Z

Collection Constraints

•SAML coverage depends on federated sign-in being in use and the relevant audit stream being available for the tenant.
•Correlating Google Workspace SAML events with the external IdP logs is required for full attribution.

MITRE ATT&CK Techniques

T1078.004T1556

References

Audit and investigation tool data sources Reports retention and availability

Acquisition Methods

Google Workspace Audit and Reports Export

linux — cloud