1 Introduction to the Connector

Oracle Identity Governance is a centralized identity management solution that provides self-service, compliance, provisioning, and password management services for applications residing on-premises or in the cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications. The Google Cloud Platform Connector lets you onboard applications pertaining to the Google Cloud Platform target system in Oracle Identity Governance.

Note:

In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application.

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily using a single, simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

The following topics provide a high-level overview of the connector:

1.1 Certified Components

These are the software components and their versions required for installing and using the connector.

Table 1-1 Certified Components

Component                                                 | Requirement for AOB Application
Oracle Identity Governance or Oracle Identity Manager     | Any one of the following releases:
                                                          |   Oracle Identity Governance 12c PS4 (12.2.1.4.0) or later version
                                                          |   Oracle Identity Governance 12c PS3 (12.2.1.3.0) or later version
Oracle Identity Governance or Oracle Identity Manager JDK | JDK 1.8 and later
Target systems                                            | Google Cloud Platform Connector or SDK version 1.32.1
Connector Server                                          | 11.1.2.1.0 or 12.2.1.3.0
Connector Server JDK                                      | JDK 1.8 and later

1.2 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English

  • Finnish

  • French

  • French (Canadian)

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.3 Usage Recommendation

If you are using Oracle Identity Governance 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.

1.4 Support for Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

Operation                                              | Supported?
User Management                                        |
  Create user                                          | Yes
  Update user                                          | Yes
  Delete user                                          | Yes
  Enable user                                          | Yes
  Disable user                                         | Yes
  Change or reset password                             | Yes
Add Child (assign to or remove from a user account)    |
  Add/Remove nicknames                                 | Yes
Entitlement Grant Management                           |
  Add/Remove Admin Role                                | Yes
  Add/Remove Project Role                              | Yes
  Add/Remove Organization Role                         | Yes
  Add/Remove Group                                     | Yes
Group Management                                       |
  Add Group                                            | Yes
  Update Group                                         | Yes
  Remove Group                                         | Yes

Note:

All the required information is available in the predefined application templates of the connector installation package. For more information about the artifacts related to groups, see Connector Objects Used for Groups Management.

1.5 Connector Architecture

The Google Cloud Platform Connector enables management of accounts on the target system through Oracle Identity Governance.

Figure 1-1 shows the architecture of the Google Cloud Platform connector.

Figure 1-1 Architecture of the Google Cloud Platform Connector

[Figure not reproduced in this text version; the components it depicts are described below.]

As shown in this figure, Google Cloud Platform is configured as a target resource of Oracle Identity Governance. Through provisioning operations performed in Oracle Identity Governance, accounts are created and updated in the Google Admin Directory for OIM Users; from the Google Cloud Platform side, the connector manages the GCP-specific project roles. Through reconciliation, account data that is created or updated directly on the target system is fetched into Oracle Identity Governance and stored against the corresponding OIM Users.

The Google Cloud Platform connector is implemented by using the Identity Connector Framework (ICF). ICF is distributed together with Oracle Identity Governance. You do not need to configure or modify ICF.

During provisioning, the adapters invoke an ICF operation; ICF in turn invokes an operation on the Google Cloud Platform Identity Connector Bundle, and the bundle calls the appropriate APIs of the Google Cloud Platform Admin SDK. These APIs accept provisioning data from the bundle, carry out the required operation on the target system, and return the target system's response to the bundle, which passes it back to the adapters.

During reconciliation, a scheduled task invokes an ICF operation; ICF in turn invokes a search operation on the Google Cloud Platform Connector Bundle, and the bundle calls the appropriate APIs of the Google Cloud Platform Admin SDK. These APIs extract the user records that match the reconciliation criteria and hand them, through the bundle and ICF, back to the scheduled task, which brings the records into Oracle Identity Governance.

See Also:

Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about ICF.

Each record fetched from the target system is compared with Google Cloud Platform resources that are already provisioned to OIM Users. If a match is found, then the update made to the Google Cloud Platform record from the target system is copied to the Google Cloud Platform resource in Oracle Identity Governance. If no match is found, then the user ID of the record is compared with the user ID of each OIM User. If a match is found, then data in the target system record is used to provision a Google Cloud Platform resource to the OIM User.

The Google Cloud Platform Identity Connector Bundle communicates with the Google Workspace Admin SDK's Directory API over HTTPS. Internally, the library uses the java.net.HttpURLConnection class. When you create an application and start using the connector, the connector sets the following system properties to configure the proxy for connections created by the HttpURLConnection class:

  • https.proxyPort

  • https.proxyHost

Note:

These are JVM-wide system properties. Setting them affects not only the connector but every other class in the same JVM that uses the HttpURLConnection class.

In addition, to support username/password-based proxy authentication, the connector provides and registers an implementation of the java.net.Authenticator class.
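The following Java class is an added illustration of the mechanism just described; it is not the connector's own code and is not part of the original guide. It sets https.proxyHost and https.proxyPort, registers a default java.net.Authenticator, and uses the JDK's default ProxySelector (without opening any connection) to show that the effect is JVM-wide. The proxy host, port and credentials, the class name, and the helper method names are placeholders. The Authenticator shown releases the proxy password only to the configured proxy; whichever Authenticator is actually registered in your JVM, that is the property worth verifying, because a default Authenticator that answers every challenge would hand the proxy credentials to any origin server that returns 401.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

/*
 * Added illustration, not the connector's own code. Shows the JVM-wide proxy
 * properties named in the guide plus a default Authenticator scoped to the
 * proxy. Host, port, user and password below are placeholders.
 */
public final class ScopedProxyAuth {

    // Placeholder values; a real deployment takes these from application configuration.
    static final String PROXY_HOST = "proxy.example.internal";
    static final int    PROXY_PORT = 3128;
    static final String PROXY_USER = "svc-oig-proxy";
    static final char[] PROXY_PASS = "placeholder-secret".toCharArray();

    /** Sets the two system properties the guide lists. Every HttpURLConnection in the JVM honours them. */
    static void applyProxyProperties(String host, int port) {
        System.setProperty("https.proxyHost", host);
        System.setProperty("https.proxyPort", Integer.toString(port));
    }

    /**
     * Default Authenticator that releases the proxy password only when the challenge
     * comes from the proxy itself (RequestorType.PROXY) and from the configured host
     * and port. An origin server's 401, or a different proxy, gets no answer.
     */
    static final class ProxyOnlyAuthenticator extends Authenticator {
        private final String host;
        private final int port;
        private final String user;
        private final char[] pass;

        ProxyOnlyAuthenticator(String host, int port, String user, char[] pass) {
            this.host = host;
            this.port = port;
            this.user = user;
            this.pass = pass;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            if (getRequestorType() != RequestorType.PROXY) {
                return null;                                   // origin-server challenge: do not answer
            }
            if (!host.equalsIgnoreCase(getRequestingHost()) || getRequestingPort() != port) {
                return null;                                   // some other proxy: do not answer
            }
            return new PasswordAuthentication(user, pass.clone());
        }
    }

    /** Reports the route the JVM's default ProxySelector picks for a URI. Nothing is connected. */
    static String describeRoute(String uri) {
        List<Proxy> proxies = ProxySelector.getDefault().select(URI.create(uri));
        Proxy p = proxies.get(0);
        return uri + " -> " + (p.type() == Proxy.Type.DIRECT ? "DIRECT" : p.type() + " " + p.address());
    }

    public static void main(String[] args) {
        System.out.println(describeRoute("https://admin.googleapis.com/"));      // no proxy properties set yet

        applyProxyProperties(PROXY_HOST, PROXY_PORT);
        Authenticator.setDefault(new ProxyOnlyAuthenticator(PROXY_HOST, PROXY_PORT, PROXY_USER, PROXY_PASS));

        // JVM-wide effect: an unrelated internal endpoint is now routed through the proxy as well.
        System.out.println(describeRoute("https://admin.googleapis.com/"));
        System.out.println(describeRoute("https://idm-db.example.internal/"));

        // The JDK's own exclusion list (http.nonProxyHosts also governs https) keeps internal hosts direct.
        // This is a JDK networking property, not a connector setting.
        System.setProperty("http.nonProxyHosts", "*.example.internal|localhost");
        System.out.println(describeRoute("https://idm-db.example.internal/"));
    }
}
```

Compile and run with javac and java; the program prints the selected route before and after the properties are set. Two further JDK behaviours matter when the proxy requires credentials: since JDK 8u111, Basic authentication to a proxy for HTTPS tunnelling is disabled by default through the jdk.http.auth.tunneling.disabledSchemes networking property, so a proxy that offers only Basic requires that property to be cleared, and the credentials then travel to the proxy in clear text inside the CONNECT request; and Authenticator.setDefault replaces whatever default Authenticator another component in the same JVM had registered, so check for such a conflict when the connector runs inside the Oracle Identity Governance JVM rather than in a Connector Server.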

Depending on your application server configuration, it might be necessary to import the Google certificates into the application server keystore or truststore.

The connector uses the following Google API services for its operations:

  • Google Admin SDK

  • Cloud Resource Manager

  • Identity and Access Management (IAM)

  • Groups Settings

1.6 Connector Features

The features of the connector include support for connector server, connector operations in multiple domains, full reconciliation, batched reconciliation, and reconciliation of account status and deleted account data.

Table 1-3 provides the list of features supported by the AOB application connector.

Table 1-3 Supported Connector Features Matrix

Feature                                                | AOB Application
User provisioning                                      | Yes
Full reconciliation                                    | Yes
Limited reconciliation                                 | Yes
Batched reconciliation                                 | Yes
Connection pooling                                     | Yes
Use connector server                                   | Yes
Clone applications or create new application instances | Yes
Transformation and validation of account data          | Yes
Reconcile user account status                          | Yes
Reconcile deleted account data                         | Yes
Perform connector operations in multiple domains       | Yes
Test connection                                        | Yes
Reset password                                         | Yes
Group assignment                                       | Yes
Role assignment                                        | Yes

The following topics provide more information on the features of the AOB application:

1.6.1 User Provisioning

User provisioning involves creating or modifying the account data on the target system through Oracle Identity Governance.

For more information, see Performing Provisioning Operations.

1.6.2 Full Reconciliation

In full reconciliation, all records are fetched from the target system to Oracle Identity Governance.

Note:

The connector cannot support incremental reconciliation because the target system does not provide a way to track the time at which account data is created or modified.

For more information, see Performing Full Reconciliation.

1.6.3 Limited Reconciliation

You can reconcile records from the target system based on a specified filter criterion. To limit or filter the records that are fetched into Oracle Identity Governance during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

You can set a reconciliation filter as the value of the Filter Suffix attribute of the user reconciliation scheduled job. The Filter Suffix attribute helps you to assign filters to the API based on which you get a filtered response from the target system.

For more information, see Performing Limited Reconciliation.

1.6.4 Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

For more information, see Performing Batched Reconciliation.

1.6.5 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Governance connectors can use these connections to communicate with target systems.

At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each set of basic configuration parameters that you provide while creating an application. For example, if you have three applications for three installations of the target system, then three connection pools will be created, one for each target system installation.

For more information about the parameters that you can configure for connection pooling, see Advanced Settings Parameters.

1.6.6 Support for the Connector Server

Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.

For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

1.6.7 Support for Cloning Applications and Creating Instance Applications

You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.

For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.6.8 Support for Reconciliation of Account Status

During a reconciliation run, the connector fetches account status information along with the rest of the account data, so the status of each account on the target system is reflected in Oracle Identity Governance.

1.6.9 Support for Reconciliation of Deleted Account Data

The Google Cloud Platform Target Resource User Delete Reconciliation scheduled task can be used to fetch details of deleted target system users.

This information is used to revoke the corresponding Google Cloud Platform resources from OIM Users.

1.6.10 Support for Connector Operations in Multiple Domains

By default, this connector supports reconciliation and provisioning operations within a single domain. However, you can configure the connector to perform connector operations in more than one domain by specifying a value for the supportMultipleDomain parameter in Advanced Settings.

For more information, see Advanced Settings Parameters.

1.6.11 Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.