1.1 Driver Concepts

1.1.1 Data Transfer between Systems

The Identity Manager drivers support two data transfer channels between the Identity Vault and the connected system, called the Publisher and Subscriber channels. However, the Google Apps driver currently does not support the Publisher channel, so communication is one-way only, from the Identity Vault into Google Apps.

The Subscriber channel controls data transfer as follows:

  • It monitors the Identity Vault for new objects and changes to existing objects.

  • Any relevant changes are sent to the shim to be executed in the Google Apps system.

Through the use of filters and policies, the driver can be configured to control and manage what changes are detected and sent to Google Apps.

1.1.2 How the Driver Works

Figure 1-1 illustrates the data flow between Identity Manager and the Google Apps APIs:

Figure 1-1 Google Apps Driver Data Flow

The Identity Manager engine uses XDS, a specialized form of XML, to represent events in the Identity Vault. Identity Manager passes the XDS to the driver policy, which can consist of basic policies, DirXML Script, and XSLT style sheets.

After the driver policy has been applied, the driver shim communicates securely over HTTPS to the Google Apps APIs for your domain. The results are then communicated back to the driver. The driver then processes that information, converting it into an appropriate XDS that is reported back to the Identity Manager engine.
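As an added illustration (not code from the driver or from its vendor), the following Python example models the effect of a Subscriber filter on an XDS add event before the shim forwards it to Google Apps. The filter dictionary, function names, and sample event are constructed for this example; the real filter is configured in Identity Manager, not written in Python.

```python
import xml.etree.ElementTree as ET

# Constructed sample: XDS <add> events as the engine might emit them.
SAMPLE_XDS = r"""<nds dtdversion="4.0">
  <input>
    <add class-name="User" src-dn="\VAULT\example\users\jdoe" event-id="constructed-1">
      <add-attr attr-name="Given Name"><value type="string">Jane</value></add-attr>
      <add-attr attr-name="Surname"><value type="string">Doe</value></add-attr>
      <add-attr attr-name="Title"><value type="string">Engineer</value></add-attr>
      <add-attr attr-name="homePhone"><value type="string">555-0100</value></add-attr>
    </add>
    <add class-name="Printer" src-dn="\VAULT\example\devices\p1" event-id="constructed-2"/>
  </input>
</nds>"""

# Hypothetical allowlist standing in for the Subscriber filter: class -> attributes.
SUBSCRIBER_FILTER = {"User": {"Given Name", "Surname", "Title"}}

def apply_filter(xds_text, allowed=SUBSCRIBER_FILTER):
    """Return (filtered XDS string, list of (class, attribute-or-None) dropped)."""
    root = ET.fromstring(xds_text)
    dropped = []
    for parent in root.findall("input"):
        for event in list(parent):          # copy: we remove while iterating
            cls = event.get("class-name")
            if cls not in allowed:          # whole object class is out of scope
                parent.remove(event)
                dropped.append((cls, None))
                continue
            for attr in list(event):
                name = attr.get("attr-name")
                if attr.tag == "add-attr" and name not in allowed[cls]:
                    event.remove(attr)      # attribute never leaves the vault
                    dropped.append((cls, name))
    return ET.tostring(root, encoding="unicode"), dropped

def forwarded_attributes(xds_text):
    """Map each remaining <add> event's class to the attributes it still carries."""
    root = ET.fromstring(xds_text)
    return {e.get("class-name"): [a.get("attr-name") for a in e.iter("add-attr")]
            for e in root.iter("add")}

if __name__ == "__main__":
    filtered, dropped = apply_filter(SAMPLE_XDS)
    print("forwarded:", forwarded_attributes(filtered))
    print("dropped:  ", dropped)
```

Reviewing the dropped list against what you expect to withhold is a quick check that only intended attributes reach the connected system.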

1.1.3 Understanding the Google APIs

Google has different APIs available for managing data into and out of the many different Google applications. The Identity Manager 4.0.1 driver supports the following APIs:

  • Provisioning API - The provisioning API is responsible for creating user and group objects. You must turn this API on inside the Google Apps control panel.

  • Profile API - The profile API allows extended attributes to be added to user objects. These include but are not limited to Title, Manager, Phone, Cell, Location, and Company. These attributes are displayed to all domain users in the address book (contacts).

  • Contact API - The contact API is similar to the Profile API but it creates a shared contact inside of the address book (contacts).

  • EMail Settings API - The e-mail API allows modification to the default behavior (as set in your Google Apps domain) for items related to e-mail.

Add events from the Contact and Profile APIs can take up to 24 hours to appear in the Google Apps control panel and address book (contacts). Modify events appear immediately.