3 Configuring the Google Apps Connector

While creating a target application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system attributes, predefined correlation rules, situations and responses, and reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to Google Apps.

Table 3-1 Basic Configuration Parameters for Google Apps

| Parameter | Mandatory? | Description |
| --- | --- | --- |
| Service Account ID | Yes | Enter the email address of the service account created. |
| Service Account User | Yes | Enter the user name of the account that you created to log in to the client application. Sample value: admin@mydomain.com |
| Service Account Private Key | Yes | Enter the name and complete path to the directory containing the private key. This is the same location to which the private key is saved when you perform the procedure described in Configuring the Target System. Sample value: /scratch/34567890sdfghjk.p12 |
| Google Application Name | Yes | Enter the name of the project that was created as part of registering the client application. |
| Google Domain Name | Yes | Enter the name of your Google Apps domain. Sample value: mydomain.com |
| Scope | Yes | Enter the scope of your client application. Default value: "https://www.googleapis.com/auth/admin.directory.user","https://www.googleapis.com/auth/admin.directory.group","https://www.googleapis.com/auth/admin.directory.group.member","https://www.googleapis.com/auth/apps.groups.settings" |
| Connector Server Name | No | If you are using the Google Apps Connector together with a Java Connector Server, then enter the name of the Connector Server IT resource. |
| Proxy Host | No | Enter the proxy host name. This is useful when a connector must be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration. |
| Proxy Password | No | Enter the proxy password. This is useful when a connector must be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration. |
| Proxy Port | No | Enter the proxy port number. This is useful when a connector must be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration. |
| Proxy Username | No | Enter the proxy user name. This is useful when a connector must be used in the network protected by the web proxy. Check with your network administrator for more information about proxy configuration. |

3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.

Table 3-2 Advanced Settings Parameters

| Parameter | Mandatory? | Description |
| --- | --- | --- |
| Connector Name | Yes | This parameter holds the name of the connector class. Default value: org.identityconnectors.googleapps.GoogleAppsConnector |
| Connector Package Name | Yes | This parameter holds the name of the connector bundle package. Default value: org.identityconnectors.googleapps |
| Connector Package Version | Yes | This parameter holds the version of the connector bundle class. Default value: 12.3.0 |
| Pool Max Idle | No | Maximum number of idle objects in a pool. Sample value: 10 |
| Pool Max Size | No | Maximum number of connections that the pool can create. Sample value: 10 |
| Pool Max Wait | No | Maximum time, in milliseconds, the pool must wait for a free object to make itself available to be consumed for an operation. Sample value: 150000 |
| Pool Min Evict Idle Time | No | Minimum time, in milliseconds, the connector must wait before evicting an idle object. Sample value: 120000 |
| Pool Min Idle | No | Minimum number of idle objects in a pool. Sample value: 1 |
| supportMultipleDomain | No | This entry specifies whether the connector can perform connector operations in a single or multiple domain. By default, the connector performs connector operations only on the domain specified as the value of the Google Domain Name basic configuration parameter. Set the value of this entry to true if you want the connector to perform connector operations in all the domains present in Google Apps. Default value: false |

3.3 Attribute Mappings

The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

Google Apps User Account Attributes

Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Google Apps attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-3 Default Attribute Mappings for GoogleApps User Account

| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Account Name | __NAME__ | String | Yes | Yes | Yes | No | Not applicable |
| Family Name | familyName | String | Yes | Yes | Yes | No | Not applicable |
| Given Name | givenName | String | Yes | Yes | Yes | No | Not applicable |
| Is Admin | isAdmin | Boolean | No | Yes | Yes | No | Not applicable |
| Unique Id | __UID__ | String | No | Yes | Yes | Yes | No |
| Change Password At Next Login | changePasswordAtNextLogin | Boolean | No | Yes | Yes | No | Not applicable |
| OrgUnit Path | orgunitpath | String | No | Yes | Yes | No | Not applicable |
| Status | __ENABLE__ | String | No | No | Yes | No | Not applicable |
| Password | __PASSWORD__ | String | No | Yes | No | No | Not applicable |

Figure 3-1 shows the default User account attribute mappings.

Figure 3-1 Default Attribute Mappings for GoogleApps User Account


Nick Names Child Attributes

Table 3-4 lists the attribute mappings for nick names between the process form fields in Oracle Identity Governance and Google Apps attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-4 Default Attribute Mappings for Google Apps Nick Names

| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive? |
| --- | --- | --- | --- | --- | --- | --- |
| Nick Name | aliases | String | No | Yes | Yes | No |

Figure 3-2 shows the default Nick Names child attribute mapping.

Figure 3-2 Default Attribute Mappings for the Nick Names


Group Names Child Attributes

Table 3-5 lists the attribute mappings for group names between the process form fields in Oracle Identity Governance and Google Apps attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-5 Default Attribute Mappings for Google Apps Group Names

| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive? |
| --- | --- | --- | --- | --- | --- | --- |
| Group Name | groups | String | No | Yes | Yes | No |

Figure 3-3 shows the default Group Names child attribute mapping.

Figure 3-3 Default Attribute Mappings for the Group Names


3.3.1 Supported Attributes

While the Google Apps connector supports a few single-valued attributes and a few multi-valued attributes, it does not support other multi-valued attributes or single-valued custom attributes such as Department or Job Title.

The following out-of-the-box and additional single-valued attributes are supported by the Google Apps connector:

Table 3-6 Supported Attributes

| Supported Out of the Box Attributes | Supported Additional Attributes |
| --- | --- |
| __NAME__ | isDelegatedAdmin |
| __UID__ | agreedToTerms |
| __PASSWORD__ | hashFunction |
| familyName | suspended |
| givenName | suspensionReason |
| isAdmin | ipWhitelisted |
| orgunitpath | customerId |
| changePasswordAtNextLogin | isMailboxSetup |
| groups | includeInGlobalAddressList |
| aliases | thumbnailPhotoUrl |
|  | lastLoginTime |
|  | creationTime |
|  | deletionTime |

3.4 Correlation Rules

When you create a Target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Rules

By default, the Google Apps connector provides a complex correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

If required, you can edit the default correlation rule or add new rules. You can create simple correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The following block of code lists the default complex correlation rule for a Google Apps application:

{
    "ruleOperator": "OR",
    "ruleElement": [
        {
            "targetAttribute": "__UID__",
            "userAttribute": "GAPPS User GUID",
            "elementOperator": "Equals",
            "transformName": "None"
        },
        {
            "targetAttribute": "__NAME__",
            "userAttribute": "User Login",
            "elementOperator": "Equals",
            "transformName": "Tokenize",
            "transformParams": [
                {
                    "name": "Space Delimiter",
                    "value": "FALSE"
                },
                {
                    "name": "Token Number",
                    "value": "1"
                },
                {
                    "name": "Delimiters",
                    "value": "'@'"
                }
            ]
        }
    ]
}

The preceding complex rule consists of 2 rule elements that are joined by the rule operator OR.

The first rule element is:

__UID__ equals GAPPS User GUID.

In this rule element:
  • __UID__ is an attribute on the target system that uniquely identifies the user account.

  • GAPPS User GUID is a field on the OIM User form that holds the unique ID of the Google Apps user.

The second rule element is:

Tokenize (__NAME__) equals User Login.

In this rule element:
  • Tokenize (__NAME__) is the name part in the email address of the Google Apps account.

  • User Login is the field on the OIM User form.

Predefined Situations and Responses

The Google Apps connector provides a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-7 lists the default situations and responses for the Google Apps application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-7 Predefined Situations and Responses for Google Apps

| Situation | Response |
| --- | --- |
| No Matches Found | Create User |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |

Figure 3-4 shows the situations and responses that the connector provides by default.

Figure 3-4 Predefined Situations and Responses for Google Apps
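
The following added example is not part of the connector or of Oracle's documentation. It evaluates the default correlation rule shown earlier against constructed OIM users and maps the number of matching users to the responses in Table 3-7; the Tokenize and Equals semantics, the sample users and the function names are assumptions.

```python
import json

# Default complex correlation rule, copied from the page.
RULE = json.loads("""
{"ruleOperator": "OR", "ruleElement": [
  {"targetAttribute": "__UID__", "userAttribute": "GAPPS User GUID",
   "elementOperator": "Equals", "transformName": "None"},
  {"targetAttribute": "__NAME__", "userAttribute": "User Login",
   "elementOperator": "Equals", "transformName": "Tokenize",
   "transformParams": [{"name": "Space Delimiter", "value": "FALSE"},
                       {"name": "Token Number", "value": "1"},
                       {"name": "Delimiters", "value": "'@'"}]}]}
""")

# Situations and responses from Table 3-7, keyed by number of matching users.
# More than one matching user has no predefined response on the page.
RESPONSES = {0: ("No Matches Found", "Create User"),
             1: ("One Entity Match Found", "Establish Link")}

# Constructed sample OIM users (not real data).
USERS = [{"User Login": "jdoe", "GAPPS User GUID": "1001"},
         {"User Login": "asmith", "GAPPS User GUID": None}]

def transform(element, value):
    """Assumed Tokenize semantics: split on the delimiter, take the 1-based token."""
    if element["transformName"] == "None":
        return value
    params = {p["name"]: p["value"] for p in element["transformParams"]}
    tokens = value.split(params["Delimiters"].strip("'"))
    index = int(params["Token Number"]) - 1
    return tokens[index] if index < len(tokens) else None

def element_matches(element, account, user):
    target = account.get(element["targetAttribute"])
    wanted = user.get(element["userAttribute"])
    if target is None or wanted is None:
        return False
    return transform(element, target) == wanted  # "Equals", assumed case-sensitive

def correlate(account, users=USERS, rule=RULE):
    """Return (matching User Logins, situation, response) for one target account."""
    combine = any if rule["ruleOperator"] == "OR" else all
    hits = [u["User Login"] for u in users
            if combine(element_matches(e, account, u) for e in rule["ruleElement"])]
    situation, response = RESPONSES.get(len(hits), ("(not in Table 3-7)", None))
    return hits, situation, response

if __name__ == "__main__":
    for name in ("asmith@mydomain.com", "asmith@other.example", "new@mydomain.com"):
        print(name, correlate({"__UID__": "9", "__NAME__": name}))
```

Because the second rule element compares only the part of __NAME__ before '@', asmith@mydomain.com and asmith@other.example both correlate to the User Login asmith, which is worth reviewing before setting supportMultipleDomain to true.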


3.5 Reconciliation Jobs

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.

User Reconciliation Job

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The Google Apps Target Resource User Reconciliation job is used to reconcile user data from a target application.

Table 3-8 Parameters of the Google Apps Target Resource User Reconciliation Job

| Parameter | Description |
| --- | --- |
| Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
| Batch Size | Enter the number of records that must be included in each batch fetched from the target system. |
| Filter | This attribute holds the ICF Filter written using ICF-Common Groovy DSL. See Performing Limited Reconciliation for more information about this attribute. |
| Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: User. Do not change the default value. |

Delete User Reconciliation Job

The Google Apps Target Resource User Delete Reconciliation job is used to reconcile deleted user data from a target application.

Table 3-9 Parameters of the Google Apps Target Resource User Delete Reconciliation Job

| Parameter | Description |
| --- | --- |
| Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
| Batch Size | Enter the number of records that must be included in each batch fetched from the target system. |
| Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: User. Do not change the default value. |

Reconciliation Jobs for Entitlements

The GoogleApps Group Lookup Reconciliation job is available for reconciling entitlements.

Table 3-10 Parameters of the GoogleApps Group Lookup Reconciliation Jobs

| Parameter | Description |
| --- | --- |
| Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
| Batch Size | Enter the number of records that must be included in each batch fetched from the target system. |
| Code Key Attribute | Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: __NAME__. Note: Do not change the value of this attribute. |
| Decode Attribute | Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: __NAME__. Note: Do not change the value of this attribute. |
| Lookup Name | This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Default value: Lookup.GoogleApps.Groups |
| Object Type | Enter the type of object whose values must be synchronized. Default value: Group. Note: Do not change the value of this attribute. |