Gemini Enterprise Connectors: SAP, Salesforce and ServiceNow in Practice
Native connectors look like magic in demos. In production, they have authentication, ACL and latency gotchas. Technical guide on what works out of the box, what needs tweaking, and what requires Apigee.
Fabiano Brito
CEO & Founder
The main selling point of Gemini Enterprise against Copilot and ChatGPT Enterprise is the catalog of native enterprise connectors. In Autenticare projects, we validated that this is real — but with nuances that nobody mentions before signing the contract.
What native connectors do
- Indexing: content is embedded into the Vertex AI Search index with incremental synchronization.
- ACL preserved: users only see results they have permission to see in the source system.
- Automatic refresh: changes propagate in minutes.
- Managed auth: OAuth or service account, with automatic renewal.
Result: the agent is asked "what's the status of the ACME opportunity in Salesforce?" and receives a response citing the real record, respecting the user's visibility.
Salesforce
What works out of the box
- Account, Contact, Opportunity, Lead, Case, Knowledge Articles.
- Custom objects (with configuration).
- OAuth with automatic refresh.
- Filter by owner, record type, type.
Gotchas
- Complex sharing rules: territory management and manual sharing may not be reflected. Validate before go-live.
- Apex sharing: the connector reads the materialized state, does not execute Apex.
- Attachments: PDFs in Files are indexed; in legacy Notes & Attachments, they are not.
Real case
B2B services company, pre-sales team. Gemini Enterprise agent pulls the last 5 Account interactions from Salesforce + recent emails in Gmail and generates a briefing before each call. Prep time: 25 min → 3 min.
SAP
What works out of the box
- SAP S/4HANA Cloud via OData.
- SuccessFactors (HR).
- Ariba (procurement) with configuration.
Gotchas
- SAP ECC on-premise: requires Apigee or middleware (no direct connector).
- Classic RFC: same — exposure via REST API first.
- Performance: poorly written OData queries can kill SAP. Cache is mandatory in the agent.
- Authorization: SAP authorization objects rarely map 1:1 to Workspace groups. ACL modeling is a separate project.
Real case
Manufacturing, finance team. Agent queries payment status and purchase order in S/4HANA Cloud. Typical latency: 1.2-3s per query. Acceptable for conversational use, not for batch.
ServiceNow
What works out of the box
- Incident, Request, Knowledge Base, CMDB.
- Custom tables (with configuration).
- OAuth + granular scopes.
Gotchas
- ACL via roles: requires explicit mapping.
- Native workflow: the connector reads state, does not execute workflow. To create/update an incident, configure as a dedicated tool.
- Knowledge Base with versioning: the agent may surface old versions if not filtering by
active=true.
Real case
Services, support center. Agent suggests relevant KBs and creates an incident when automatic classification indicates one. Average ticket time: -28%.
Other native connectors
| System | Status | Notes |
|---|---|---|
| Drive, Docs, Sheets, Slides | Ready | Granularity by file/folder |
| Gmail, Calendar | Ready | User account only |
| SharePoint Online | Ready | Sites + ACL preserved |
| OneDrive | Ready | Granularity by file |
| Confluence Cloud | Ready | Server requires adaptation |
| Jira Cloud | Ready | Issues, projects, comments |
| Slack | Ready | Public channels + authorized private channels |
| Box, Dropbox Business | Ready | Granularity by folder |
| Workday | Ready | HR + finance |
| Oracle EBS | Custom | Apigee + adjustment |
| Relational databases (PostgreSQL, MySQL) | Tool | Via SQL function calling |
When to use Apigee
Apigee is Google Cloud's API gateway. You need it when:
- The source system has an API but with non-standard auth (basic, mutual TLS, signed JWT).
- You need to transform the payload (legacy XML → JSON).
- You need to apply rate limiting per agent to protect the backend.
- There are intermediate audit requirements (e.g.: BACEN requires a registered proxy).
In projects with more than 3 legacy systems, Apigee saves months of rework.
The governance pattern we use
- Each connector becomes a documented data source: technical owner, business owner, ACL, retention policy.
- Sandbox before production: never connect to the production ERP/CRM during the pilot. Use a full sandbox.
- Logs per connector: what was queried, by whom, with what filter. Mandatory for audit.
- Query limits: hard daily cap per agent, prevents accidents.
- Refresh window: index outside business hours whenever possible.
The biggest mistake in a connector project is copying the commercial slide without doing the sandbox. The "ready" SAP S/4 connector turns into 3 weeks of Apigee if the company still has ECC on-premise.
Which of your systems integrate out-of-the-box?
Autenticare inventory in 1 day: system list, ready/adjust/Apigee matrix, effort estimate per connector, sandbox plan before pilot.