1 About the Google Apps Connector

Oracle Identity Governance is a centralized identity management solution that provides self-service, compliance, provisioning, and password management services for applications residing on-premises or in the cloud. Oracle Identity Governance connectors integrate Oracle Identity Governance with external identity-aware applications. The Google Apps connector lets you onboard applications that belong to the Google Apps target system in Oracle Identity Governance.

Note:

In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).
From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses the information from these predefined templates, allowing you to onboard your applications quickly and easily through a single, simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

The following sections provide a high-level overview of the connector:

1.1 Certified Components

These are the software components and their versions required for installing and using the connector.

Table 1-1 Certified Components

Component | Requirement for AOB Application | Requirement for CI-Based Connector
Oracle Identity Governance or Oracle Identity Manager | One of: Oracle Identity Governance 12c (12.2.1.4.0); Oracle Identity Governance 12c (12.2.1.3.0) | One of: Oracle Identity Governance 12c (12.2.1.4.0); Oracle Identity Governance 12c (12.2.1.3.0); Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)
Target systems | Google Apps | Google Apps
Connector Server | 11.1.2.1.0 | 11.1.2.1.0
Connector Server JDK | JDK 1.6 or later | JDK 1.6 or later

1.2 Certified Languages

These are the languages that the connector supports.

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English

  • Finnish

  • French

  • French (Canadian)

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.3 Usage Recommendation

These are the recommendations for the Google Apps connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.

  • If you are using Oracle Identity Governance 12c (12.2.1.3.0 or 12.2.1.4.0), then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.

  • If you are using Oracle Identity Manager release 11.1.2.3.0, then use the 11.1.x version of the Google Apps connector. If you want to use the 12.2.1.x version of this connector with Oracle Identity Manager release 11.1.2.3.0, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.

    Note:

    If you are using the latest 12.2.1.x version of the Google Apps connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for Google Apps, Release 11.1.1 for complete details on connector deployment, usage, and customization.

1.4 Supported Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

Operation | Supported?
User Management |
Create user | Yes
Update user | Yes
Delete user | Yes
Enable user | Yes
Disable user | Yes
Change or reset password | Yes
Entitlement Grant Management |
Add groups | Yes
Update groups | Yes
Remove groups | Yes

Note:

The connector artifacts required for managing groups (for example, group attribute mappings, reconciliation rules, jobs, and so on) are not visible in the Applications UI in Identity Self Service. However, all the required information is available in the predefined application templates of the connector installation package. For more information about the artifacts related to groups, see Connector Objects Used for Groups Management.

1.5 Connector Architecture

The Google Apps connector enables management of accounts on the target system through Oracle Identity Governance.

Figure 1-1 shows the architecture of the Google Apps connector.

Figure 1-1 Architecture of the Google Apps Connector


As shown in this figure, Google Apps is configured as a target resource of Oracle Identity Governance. Through provisioning operations performed on Oracle Identity Governance, accounts are created and updated on the target system for OIM Users. Through reconciliation, account data that is created and updated directly on the target system is fetched into Oracle Identity Governance and stored against the corresponding OIM Users.

The Google Apps connector is implemented by using the Identity Connector Framework (ICF). ICF is distributed together with Oracle Identity Governance. You do not need to configure or modify ICF.

During provisioning, the adapters invoke an ICF operation; ICF in turn invokes an operation on the Google Apps Identity Connector Bundle, and the bundle calls the appropriate APIs of the Google Apps Admin SDK. These APIs on the target system accept provisioning data from the bundle, carry out the required operation on the target system, and return the target system's response to the bundle, which passes it back to the adapters.

During reconciliation, a scheduled task invokes an ICF operation; ICF in turn invokes a search operation on the Google Apps Identity Connector Bundle, and the bundle calls the appropriate APIs of the Google Apps Admin SDK. These APIs extract the user records that match the reconciliation criteria and hand them over, through the bundle and ICF, to the scheduled task, which brings the records into Oracle Identity Governance.

See Also:

Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about ICF

Each record fetched from the target system is compared with Google Apps resources that are already provisioned to OIM Users. If a match is found, then the update made to the Google Apps record from the target system is copied to the Google Apps resource in Oracle Identity Governance. If no match is found, then the user ID of the record is compared with the user ID of each OIM User. If a match is found, then data in the target system record is used to provision a Google Apps resource to the OIM User.

The Google Apps Identity Connector Bundle communicates with the Directory API of the Google Apps Admin SDK over HTTPS. Internally, the library uses the java.net.HttpURLConnection class. When you create an application and start using the connector, the connector sets the following system properties, which configure the proxy for all connections created by the HttpURLConnection class:

  • https.proxyPort

  • https.proxyHost

Note:

These are JVM-wide system properties. Setting them affects every other class in the same JVM that uses HttpURLConnection, not only the connector.

In addition, to support user name and password based proxy authentication, the connector provides and registers an implementation of the java.net.Authenticator class. Like the proxy properties, a registered default Authenticator applies to the whole JVM.
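The following Java program is an added illustration of the two points above; it is not the connector's code or any code from the connector guide. It shows that the proxy properties change routing for every HTTPS URL resolved by the JVM's default ProxySelector, and that an Authenticator installed with Authenticator.setDefault is consulted for every authentication challenge in the JVM, so it should only release the proxy credentials to the proxy that was configured (a challenge from an origin server, or from a different proxy host, gets nothing). The proxy host, port, and service account name are hypothetical values, and the handling of the jdk.http.auth.tunneling.disabledSchemes property assumes the proxy uses Basic authentication.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.net.URL;
import java.util.List;

/**
 * Added illustration (not connector code): what JVM-wide proxy settings do, and
 * how to scope a default Authenticator so proxy credentials only go to the proxy.
 */
public final class ScopedProxyAuthenticator extends Authenticator {

    private final String proxyHost;
    private final int proxyPort;
    private final String user;
    private final char[] password;

    ScopedProxyAuthenticator(String proxyHost, int proxyPort, String user, char[] password) {
        this.proxyHost = proxyHost;
        this.proxyPort = proxyPort;
        this.user = user;
        this.password = password.clone();
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Answer only 407 challenges raised by the configured proxy. Returning the
        // credentials unconditionally would also answer a 401 from any origin server
        // reached through HttpURLConnection, handing that server the proxy password.
        if (getRequestorType() != RequestorType.PROXY) {
            return null;
        }
        if (!proxyHost.equalsIgnoreCase(getRequestingHost()) || proxyPort != getRequestingPort()) {
            return null;
        }
        return new PasswordAuthentication(user, password.clone());
    }

    /** Same shape as the connector's start-up: global system properties plus a global Authenticator. */
    static void installJvmWide(String host, int port, String user, char[] password) {
        System.setProperty("https.proxyHost", host);
        System.setProperty("https.proxyPort", Integer.toString(port));
        // Since JDK 8u111 the JDK refuses Basic authentication to a proxy while tunnelling
        // HTTPS (CONNECT) unless "Basic" is removed from this list. Assumption: the proxy
        // uses Basic. The value is read once when HttpURLConnection initialises, so set it
        // before the first connection is opened (or on the JVM command line instead).
        System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
        Authenticator.setDefault(new ScopedProxyAuthenticator(host, port, user, password));
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical proxy and service account; not values from the connector guide.
        installJvmWide("proxy.example.internal", 3128, "svc-oig", "change-me".toCharArray());

        // 1. The properties are JVM-wide: the default ProxySelector now routes every HTTPS
        //    URL through the proxy, not only the connector's calls to the Admin SDK.
        List<Proxy> forAdminSdk = ProxySelector.getDefault().select(URI.create("https://www.googleapis.com/"));
        List<Proxy> forUnrelated = ProxySelector.getDefault().select(URI.create("https://example.com/"));
        System.out.println("Admin SDK traffic -> " + forAdminSdk);
        System.out.println("Unrelated traffic -> " + forUnrelated);

        // 2. Simulate the kinds of challenge the JDK can raise and see which one is answered.
        //    The static helper routes the request through the default Authenticator exactly as
        //    HttpURLConnection does when it receives a 401 or 407.
        URL target = new URL("https://www.googleapis.com/admin/directory/v1/users");
        PasswordAuthentication fromServer = Authenticator.requestPasswordAuthentication(
                "www.googleapis.com", null, 443, "https", "Login", "basic", target,
                Authenticator.RequestorType.SERVER);
        PasswordAuthentication fromProxy = Authenticator.requestPasswordAuthentication(
                "proxy.example.internal", null, 3128, "http", "Proxy", "basic", target,
                Authenticator.RequestorType.PROXY);
        PasswordAuthentication fromOtherProxy = Authenticator.requestPasswordAuthentication(
                "other-proxy.example.internal", null, 3128, "http", "Proxy", "basic", target,
                Authenticator.RequestorType.PROXY);

        // Only the configured proxy receives credentials; the origin server and the
        // unknown proxy host are refused.
        System.out.println("origin server 401 answered:    " + (fromServer != null));
        System.out.println("configured proxy 407 answered: " + (fromProxy != null));
        System.out.println("other proxy 407 answered:      " + (fromOtherProxy != null));
    }
}
```

Run it with `javac ScopedProxyAuthenticator.java && java ScopedProxyAuthenticator`; no network access is needed because the ProxySelector lookup and the simulated challenges are resolved locally. When the bundle runs in a Connector Server, the properties and the Authenticator are installed in that JVM rather than in the Oracle Identity Governance JVM, so the same JVM-wide effect applies to whatever else runs there.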

Depending on your application server configuration, you might need to import the Google certificate chain into the keystore or truststore of the application server (or of whichever JVM runs the bundle, such as a Connector Server). If the chain is not trusted, the HTTPS connection to the Admin SDK fails during TLS validation.

1.6 Connector Features

The features of the connector include support for connector server, connector operations in multiple domains, full reconciliation, batched reconciliation, and reconciliation of account status and deleted account data.

Table 1-3 provides the list of features supported by the AOB application and CI-based connector.

Table 1-3 Supported Connector Features Matrix

Feature | AOB Application | CI-Based Connector
Full reconciliation | Yes | Yes
Limited reconciliation | Yes | Yes
Batched reconciliation | Yes | Yes
Connection pooling | Yes | Yes
Use connector server | Yes | Yes
Clone applications or create new application instances | Yes | Yes
Transformation and validation of account data | Yes | Yes
Reconcile user account status | Yes | Yes
Reconcile deleted account data | Yes | Yes
Perform connector operations in multiple domains | Yes | Yes
Test connection | Yes | No

The following topics provide more information on the features of the AOB application:

1.6.1 Full Reconciliation

In full reconciliation, all records are fetched from the target system to Oracle Identity Governance.

Note:

The connector cannot support incremental reconciliation because the target system does not provide a way for tracking the time at which account data is created or modified.

For more information, see Performing Full Reconciliation.

1.6.2 Limited Reconciliation

You can reconcile records from the target system based on a specified filter criterion. To limit or filter the records that are fetched into Oracle Identity Governance during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

You can set a reconciliation filter as the value of the Filter Suffix attribute of the user reconciliation scheduled job. The Filter Suffix attribute helps you to assign filters to the API based on which you get a filtered response from the target system.

For more information, see Performing Limited Reconciliation.

1.6.3 Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

For more information, see Performing Batched Reconciliation.

1.6.4 Connection Pooling

A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Governance connectors can use these connections to communicate with target systems.

At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.

One connection pool is created for each set of basic configuration parameters that you provide while creating an application. For example, if you have three applications for three installations of the target system, then three connection pools will be created, one for each target system installation.

For more information about the parameters that you can configure for connection pooling, see Advanced Settings Parameters.

1.6.5 Support for the Connector Server

Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

A Java connector server is useful when you do not want to run a Java connector bundle in the same JVM as your application. Running the bundle on a different host can also improve performance if the bundle works faster when deployed on the same host as the native managed resource.

See Also:

Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about installing, configuring, and running the connector server

1.6.6 Support for Cloning Applications and Creating Instance Applications

You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.

For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.6.7 Support for Reconciliation of Account Status

During a reconciliation run, the connector fetches the status of each account along with the rest of the account data, so that the status of the corresponding resource in Oracle Identity Governance reflects the target system.

1.6.8 Support for Reconciliation of Deleted Account Data

The Google Apps Target Resource User Delete Reconciliation scheduled task can be used to fetch details of deleted target system users.

This information is used to revoke the corresponding Google Apps resources from OIM Users.

1.6.9 Support for Connector Operations in Multiple Domains

By default, this connector supports reconciliation and provisioning operations within a single domain. However, you can configure the connector for performing connector operations in more than one domain by specifying a value for the supportMultipleDomain parameter in Advanced Settings.

For more information, see Advanced Settings Parameters.

1.6.10 Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.