1.1 Driver Concepts

1.1.1 Data Transfer between Systems

IDM drivers support two data transfer channels between the IDV and the connected system, called the Publisher and Subscriber channels. The Publisher channel handles data and events from the connected system into the IDV. The Subscriber channel handles data and events from the IDV into the connected system.

The Google Apps driver only supports data transfers from the IDV into Google Apps. Communication is one-way only.

The Publisher Channel

The Publisher Channel is not currently supported by this driver.

The Subscriber Channel

  • Monitors the IDV for new objects and changes to existing objects.

  • Sends any relevant changes to the shim to be executed in the Google Apps system.

Through the use of filters and policies, the driver can be configured to control and manage what changes are detected and sent to Google Apps.

1.1.2 How the Driver Works

The following diagram illustrates the data flow between Identity Manager and the Google Apps APIs:

Figure 1-1 Google Apps Driver Data Flow

The Identity Manager engine uses XDS, a specialized form of XML, to represent events in the Identity Vault. Identity Manager passes the XDS to the driver policy, which can consist of basic policies, DirXML Script, and XSLT style sheets.

After the driver policy has been applied, the driver shim communicates securely over HTTPS with the Google Apps APIs for your domain. The results are then communicated back to the driver, which converts them into the appropriate XDS and reports it back to the Identity Manager engine.
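A simplified model of the Subscriber channel filtering and XDS event handling described above, added here as an example that is not NetIQ's code or part of the original documentation: it parses a constructed XDS modify event and drops every attribute not on an allow-list before the event would reach the shim. The XDS sample, the `SUBSCRIBER_FILTER` allow-list and both function names are assumptions for illustration; a real driver filter is configured in Identity Manager, not in Python.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a simplified XDS <modify> event for a User object.
SAMPLE_XDS = r"""<nds dtdversion="4.0">
  <input>
    <modify class-name="User" src-dn="\EXAMPLE\org\users\jdoe" event-id="constructed-1">
      <modify-attr attr-name="Title">
        <add-value><value type="string">Engineer</value></add-value>
      </modify-attr>
      <modify-attr attr-name="homePhone">
        <add-value><value type="string">555-0100</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""

# Assumed allow-list standing in for the Subscriber filter: class -> attributes.
SUBSCRIBER_FILTER = {"User": {"Title", "Company"}}


def apply_subscriber_filter(xds_text, allowed):
    """Return (filtered XDS, dropped names); unlisted classes/attributes never leave."""
    root = ET.fromstring(xds_text)
    dropped = []
    for parent in list(root.iter("input")):
        for event in list(parent):
            cls = event.get("class-name")
            if cls not in allowed:
                parent.remove(event)  # whole object class is out of scope
                dropped.append(f"{cls}.*")
                continue
            for attr in event.findall("modify-attr"):
                if attr.get("attr-name") not in allowed[cls]:
                    event.remove(attr)
                    dropped.append(f"{cls}.{attr.get('attr-name')}")
            if event.tag == "modify" and not event.findall("modify-attr"):
                parent.remove(event)  # nothing left worth sending
    return ET.tostring(root, encoding="unicode"), dropped


def attrs_sent(xds_text):
    """Attribute names that would still reach the shim."""
    return sorted(a.get("attr-name") for a in ET.fromstring(xds_text).iter("modify-attr"))


if __name__ == "__main__":
    print(apply_subscriber_filter(SAMPLE_XDS, SUBSCRIBER_FILTER)[1])
```

The list of dropped names is returned so that it can be logged and reviewed when checking which Identity Vault attributes are kept out of Google Apps.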

1.1.3 Understanding the Google APIs

Google provides many different APIs for managing data into and out of its applications. The 4.0.1 driver supports the following APIs:

  • Provisioning API - The Provisioning API is responsible for creating user and group objects. This API must be turned on in the Google Apps control panel.

  • Profile API* - The Profile API allows extended attributes to be added to user objects. These include but are not limited to Title, Manager, Phone, Cell, Location, and Company. These attributes are displayed to all domain users in the Address Book (Contacts).

  • Contact API* - The Contact API is similar to the Profile API, except that it creates a Shared Contact inside the Address Book (Contacts).

  • EMail Settings API - The EMail Settings API allows modification of the default behavior (as set in your Google Apps domain) for items related to email.

* The Contact and Profile API Add events do not show in the Google Apps Control Panel and Address Book (Contacts) for up to 24 hours. Modify events will show immediately.