6 Oracle Waveset Connector for Google Apps

This chapter includes the following information about the Google Apps connector for Oracle Waveset:

About the Google Apps Connector
Deploying the Google Apps Connector
Using the Google Apps Connector
Troubleshooting the Google Apps Connector

6.1 About the Google Apps Connector

Overview of the Google Apps Connector
Security Considerations for the Google Apps Connector
Certified Components for the Google Apps Connector
Supported Languages for the Google Apps Connector

6.1.1 Overview of the Google Apps Connector

The Google Apps connector supports provisioning of accounts and groups to Google Apps. For information about Google Apps, see http://www.google.com/apps/.

The Google Apps connector is implemented using the Identity Connector Framework (ICF). The ICF provides a container that separates the connector bundle from the application. The ICF also provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. For more information about the ICF, see Chapter 1, "Identity Connectors Overview".

The Google Apps connector is new to Oracle Waveset, and there is not a corresponding resource adapter.

This section provides the following additional information about the Google Apps connector:

Google Apps Connector Architecture
Google Apps Connector Features
Configuration Properties for the Google Apps Connector
Resource Object Management for the Google Apps Connector

6.1.1.1 Google Apps Connector Architecture

The following figure shows the Google Apps connector architecture.

Figure 6-1 Google Apps Connector Architecture

Description of "Figure 6-1 Google Apps Connector Architecture"

The Google Apps connector architecture includes these components:

Oracle Waveset includes the connector integration files. These files are XML files that provide the configuration information necessary to transform data from a resource to Oracle Waveset. Integration files are sometimes called the connector "glue" code.
The Identity Connector Framework (ICF) provides a container that separates the connector bundle from the application. The ICF also provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering.
The Google Apps connector bundle uses the Google Apps Provisioning API to access the Google Apps target system. For the specific helper libraries used to talk to this API, see Certified Components for the Google Apps Connector.

6.1.1.2 Google Apps Connector Features

The Google Apps connector supports these provisioning operations:

Create account
Update account
Delete account
Enable/disable account
Update password
Full reconciliation
Filtering
Agentless target deployment

6.1.1.3 Configuration Properties for the Google Apps Connector

The following table describes the configuration parameters for the Google Apps connector.

Table 6-1 Configuration Properties for the Google Apps Connector

Property	Description
Google Apps Domain Admin URL	URL for the Google Apps domain. The default value of `https://www.google.com/a/feeds/mydomain.com` must be changed.
Domain	Name of your Google Apps domain. The default value of `mydomain.com` must be changed.
Login	Administrator account for the Google Apps domain. This administrator must have rights to create and manage users. The name should not include the @domain component.
Password	Administrator password.
Proxy Host	Proxy host name. Specify this field when the connector is to be used in the network protected by a web proxy. Consult with your network administrator for more information about proxy configuration.
Proxy Port	Port of the web proxy.
Proxy Username	Account name to use for the proxy.
Proxy Password	Password for the account specified in the Proxy Username field.

6.1.1.4 Resource Object Management for the Google Apps Connector

Oracle Waveset manages the following Google Apps objects:

Table 6-2 Resource Object Management for the Google Apps Connector

ResourceObject Supported Features Attributes Managed

ResourceObject	Supported Features	Attributes Managed
Account (`__ACCOUNT__` object class)	Create, update, delete, enable/disable, full reconciliation	__NAME__, familyName, givenName, quota, nicknames, groups, __PASSWORD__, __ENABLE__, isAdmin, changePasswordAtNextLogin
Group (`__GROUP__` object class)	Create, update, delete	__NAME__, groupName, groupDescription, groupPermissions, owners, members

Account

(__ACCOUNT__ object class)

Create, update, delete, enable/disable, full reconciliation

__NAME__, familyName, givenName, quota, nicknames, groups, __PASSWORD__, __ENABLE__, isAdmin, changePasswordAtNextLogin

Group

(__GROUP__ object class)

Create, update, delete

__NAME__, groupName, groupDescription, groupPermissions, owners, members

Note:

The __NAME__ attribute is not updatable. For more information, see Object Classes and Attributes Supported by the Google Apps Connector.

6.1.2 Security Considerations for the Google Apps Connector

This section provides the following information:

Supported Connections for the Google Apps Connector
Required Administrator Privileges for the Google Apps Connector

6.1.2.1 Supported Connections for the Google Apps Connector

The Google Apps connector supports the HTTPS protocol.

Note:

The Google Apps Connector uses the Google Apps Provisioning API to talk to Google Apps. The HTTPS protocol is used to communicate with the Google Apps Provisioning API web services. Depending on your application server configuration, you might need to import Google certificates to your application server keystore or truststore. Appropriate certificates can be extracted from the following URLs:

https://www.google.com/a/feeds/yourdomain/user/2.0/
https://www.google.com/a/feeds/yourdomain/nickname/2.0/
https://apps-apis.google.com/a/feeds/group/2.0/

In the first two URLs, yourdomain represents your specific domain.

6.1.2.2 Required Administrator Privileges for the Google Apps Connector

The user name that connects to Google Apps must be able to create, edit, and delete accounts and groups.

6.1.3 Certified Components for the Google Apps Connector

The Google Apps connector for Oracle Waveset is certified with the following components:

Table 6-3 Certified Components for the Google Apps Connector

Component	Requirement
Oracle Waveset	Oracle Waveset 8.1.1 Patch 6
Identity Connector Framework (ICF)	ICF 1.1 or later
Google Apps	Google Data Java Client 1.33 and Google Collections 1.0-rc1

6.1.4 Supported Languages for the Google Apps Connector

The Google Apps connector is localized in the following languages:

Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish

6.2 Deploying the Google Apps Connector

Deploying the Google Apps requires the following tasks:

Installing the Google Apps Connector
Creating a Google Apps Connector Resource

6.2.1 Installing the Google Apps Connector

To install the Google Apps connector, you must have access to the file system on the application server.

Make sure you have installed Oracle Waveset with the patch shown in Certified Components for the Google Apps Connector.
Download the Google Data Java Client 1.33 and Google Collections 1.0-rc1 from the following locations:
- Google Data Java Client 1.33 at http://code.google.com/p/gdata-java-client.
  
  gdata-appsforyourdomain-1.0.jar
  
  gdata-client-1.0.jar
  
  gdata-core-1.0.jar
- Google Collections 1.0-rc1 at http://code.google.com/p/google-collections/.
  
  google-collect-1.0-rc1.jar
To find a specific library, on each page, click the Downloads tab, select All downloads in the Search drop-down menu, and then click Search. Download the appropriate version of the library ZIP file and then extract and use the JAR files listed above.
Stop the Oracle Waveset web application.
Copy the Google Apps JAR files from Step 2 to the InstallDir/WEB-INF/lib directory on the application server.
Start the Oracle Waveset web application.
Log in to the Oracle Waveset Administrator interface and select the Google Apps connector.

6.2.2 Creating a Google Apps Connector Resource

To create a Google Apps connector resource in Oracle Waveset, follow these steps:

Make sure you have installed Oracle Waveset with the patch shown in Certified Components for the Google Apps Connector.
Log in to the Oracle Waveset Administrator interface.
Create the Google Apps connector resource by following the Create Google Apps Connector Resource wizard.
Specify values for the configuration parameters, as described in Configuration Properties for the Google Apps Connector.

For additional information about creating resources, see "Understanding and Managing Waveset Resources" in the Oracle Waveset 8.1.1 Business Administrator's Guide.

6.3 Using the Google Apps Connector

This section provides information related to using the Google Apps connector, including:

Object Classes and Attributes Supported by the Google Apps Connector
Sample Forms for the Google Apps Connector

6.3.1 Object Classes and Attributes Supported by the Google Apps Connector

The Google Apps connector for Oracle Waveset supports the following object classes:

__ACCOUNT__ Object Class for the Google Apps Connector
__GROUP__ Object Class for the Google Apps Connector
Attribute Mapping Changes

6.3.1.1 `ACCOUNT` Object Class for the Google Apps Connector

The Google Apps connector supports the __ACCOUNT__ object class (Google Apps User) and the attributes shown in the following table. Unless noted in the description, an attribute is creatable, updatable, readable, and returned by default.

Table 6-4 __ACCOUNT__ Object Class for the Google Apps Connector

Attribute Name	Type	Required	Description
`__NAME__`	String	Yes	User's account name. Not updatable.
`familyName`	String	Yes	User's last name.
`givenName`	String	Yes	User's first name.
`quota`	Integer	No	Disk space in megabytes (MB) allocated for this user. Note: The default value is 25 GB for each user account. This field is not updatable. To set user account quotas, a domain must have a Google agreement.
`nicknames`	String	No	Other names this user is known by. Can be multi-valued. Not returned by default.
`groups`	String	No	Groups this user is a member of. Can be multi-valued. Not returned by default.
`__PASSWORD__`	GuardedString	Yes	User's password. Not readable and not returned by default.
`__ENABLE__`	Boolean	No	If set to `true`, enables this user.
`isAdmin`	Boolean	No	If set to `true`, allows this user to be assigned admin privileges. Default is `false`.
`changePasswordAtNextLogin`	Boolean	No	If set to `true`, forces this user to change his or her password at the next login. Default is `false`.

6.3.1.2 `GROUP` Object Class for the Google Apps Connector

The Google Apps connector supports the __GROUP__ object class (Google Apps Group) and the attributes shown in the following table. Unless noted in the description, an attribute is creatable, updatable, readable, and returned by default.

Table 6-5 __GROUP__ Object Class for the Google Apps Connector

Attribute Name	Type	Required	Description
`__NAME__`	String	Yes	Not updatable.
`groupName`	String	Yes	Name of this group.
`groupDescription`	String	Yes	Description of this group.
`groupPermissions`	String	Yes	Permissions for this group.
`owners`	String	No	Owners of this group. Can be multi-valued. Not returned by default.
`members`	String	No	Members of this group. Can be multi-valued. Not returned by default.

6.3.1.3 Attribute Mapping Changes

Post processing (postProcess.xml) changes the attribute mapping shown in the following table. The other Google Apps connector attributes are mapped to the Oracle Waveset attributes with the same names.

Table 6-6 Attribute Mapping Changes

Oracle Waveset Attribute	Type	Google Apps Connector Attribute	Type
`firstname`	String	`givenName`	String
`lastname`	String	`familyName`	String

6.3.2 Sample Forms for the Google Apps Connector

The Google Apps connector for Oracle Waveset provides the following sample forms, located in the sample/connectors/googleapps-idmglue directory:

userForm.xml
groupCreate.xml
groupUpdate.xml

After you install the Google Apps connector, the sample forms usually requires some modification, depending on your deployment.

For example, to support the Google Apps sample user form, modify the Tabbed User Form as follows:

Go to Oracle Waveset debug page:
```
http://host_name:port/idm/debug
```
Select User Form from the drop-down box, which is adjacent to List Objects, and then click on List Objects.
Search for the Tabbed User Form and then click Edit.
Make the following changes in the Tabbed User Form:
1. Add the Google Apps sample user form inside the <Include> tag, as follows:
```
<Include>
...
<ObjectRef type='UserForm' name='Google Apps IdC User Form'/>
</Include>
```
2. Add the following <FormRef...> element before the <FormRef name='MissingFields'/> tag:
```
<FormRef name='Google Apps IdC User Form'>
    <Property name='RESOURCE_NAME' value='GoogleApps'/>
</FormRef>
```
3. In the <FormRef...> element you added in the previous step, set the RESOURCE_NAME property value to the name of the specific Google Apps resource.

6.4 Troubleshooting the Google Apps Connector

Use the Oracle Waveset debug pages to set trace options on the org.identityconnectors.googleapps.* or org.identityconnectors.* packages.

If you want to narrow the scope of the trace, use one or more of the following classes, listed in order or priority:

org.identityconnectors.googleapps.GoogleAppsConnector
org.identityconnectors.googleapps.GoogleAppsUserOps
org.identityconnectors.googleapps.GoogleAppsGroupOps
org.identityconnectors.googleapps.GoogleAppsClient