Managing Google Apps accounts with CzechIdM

In this article we will show how to manage Google Apps accounts with CzechIdM.

What is CzechIdM

CzechIdM is an Identity Management solution. This means it automatically manages user accounts and privileges in order to improve overall infrastructure security. Every change regarding users and privileges is audited. As a result, CzechIdM creates a system environment in which user privileges are clearly defined. It also ensures the consistency of user attributes across systems. Only privileged persons can view or alter user details and information.

What is Google Apps

Google Apps is a package of Google applications (Mail, Calendar, Docs, …) prepared for deployment on the user’s own domain. It can be used by enterprises, public institutions or individuals.

CzechIdM talks to Apps through a connector. A connector is an abstraction of the target application’s API. Developers can thus work with many different applications in a unified manner – through connectors! This particular connector uses the Google Provisioning API, which enables CzechIdM to create, update or delete user accounts in Apps.

Connecting CzechIdM to Google Apps

Before connecting CzechIdM, we first need to enable use of the Provisioning API. In the Google Apps account settings, we go to Domain settings -> User settings and check the Activate Provisioning API checkbox.

Google Apps administration – enabling the API

The connector is necessary for interconnecting CzechIdM with Google Apps. Because IdM is written in Java, we will use the .jar version of the Apps connector. This connector is open-source software and can be downloaded from

http://wikis.sun.com/display/IdentityConnectors/Google+Apps+Connector

We will download version 1.0.4455 and copy the .jar archive into the CzechIdM connectors directory:

$ cp googleapps-1.0.4455.jar $JBOSS_DEPLOY_DIR/BCV_IdM-ear.ear/BCV_IdM-ejb.jar/META-INF/connectors/

Now we can start up CzechIdM, log in and create a new system type. We hit the New system type button and fill in the form. The name is whatever name we want for the system type. In the drop-down menu we choose the googleapps-1.0.4455.jar connector and then we save the form by clicking the Save button.

We have created a new system type and can now use it. In the picture below, we can see the newly created system type.

Creating a system type (if it doesn’t already exist) is necessary before we can actually connect the endpoint system. We can do that now: on the Systems tab we click the New system button, choose the system type we created earlier and hit Continue.

This brings us to the main settings of the new system. There we must fill out the credentials and other information necessary for connecting to the Google Apps account. The fields of the form are self-explanatory; the Domain URL field is the URL of the Google Apps administration interface. By clicking Test we can check whether the settings are correct – CzechIdM will try to connect to the endpoint system.

If the connection to Apps was successful, we can click Continue. After creating the connection we need to map attributes from CzechIdM onto endpoint system attributes. For this, CzechIdM has schemas. Click the Add schema button and create a new schema called default. CzechIdM automatically loads the attributes from the endpoint system. In the following form we can change the list of system account attributes and their mapping onto IdM user identity attributes. Once we are done, we click the Save button.

After submitting the form with the attribute mapping, CzechIdM will create the new system. The system is called GA, as we specified in the wizard.

By clicking Show accounts we can check all accounts on the given system. The list shows all existing enabled accounts on the endpoint system, whether or not they are linked to an IdM identity.

Creating Google Apps user account through CzechIdM

CzechIdM relies heavily on its role system. Basically, every privilege can be implemented as a role, including access to some system. A role can therefore be set up to fill user attributes on the system through the system’s attribute schema. First we create a new role by visiting the Roles tab and clicking the New role button. We choose a name for the new role, say, Google Apps access, and on the Resource schemas subtab we add the GA default schema.

In the role list we can see the newly created Google Apps access role.

Finally, we can create a new user. Hit the Users tab and click the New user button.

We fill out the personal info and password and then open the User roles and controlled organisations tab. On this tab we add the Google Apps access role to our new user and hit Save.

Congratulations! We have created a new user with a Google Apps account in the checkidm.com domain. The new user is visible in the list of users. The new account was also created on the endpoint system, as we can see in the Google Apps administration.
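To make the chain connector -> schema -> role -> account concrete, here is an added toy model of the provisioning described above. It is not CzechIdM’s or the Google Apps connector’s code; the identity and endpoint attribute names, the schema id "GA:default" and the in-memory connector are all assumptions made for the example. It applies the resource schema to every identity that holds the Google Apps access role, creates or updates the matching endpoint account through the connector, records each change in an audit list, and separately reports accounts that exist on the endpoint but are linked to no identity (the ones a Show accounts listing would surface). It deliberately never deletes anything it cannot link.

```python
"""Added example: role-driven provisioning through a connector (toy model).
Not CzechIdM code; identity and endpoint attribute names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    """An IdM user identity; attribute names are assumed for this example."""
    username: str
    first_name: str
    last_name: str
    roles: set = field(default_factory=set)
    enabled: bool = True


# Resource schema "GA default": endpoint attribute -> identity attribute.
# Endpoint attribute names are assumptions, not the real API's.
GA_DEFAULT_SCHEMA = {
    "userName": "username",
    "givenName": "first_name",
    "familyName": "last_name",
}

# Which roles grant which resource schemas (role name taken from the article).
ROLE_SCHEMAS = {"Google Apps access": {"GA:default"}}


class GoogleAppsConnector:
    """Stand-in for the connector; a real one would call the endpoint API.
    Accounts live in memory so the example runs offline."""

    def __init__(self, domain, existing=None):
        self.domain = domain
        self.accounts = dict(existing or {})  # userName -> account attributes
        self.audit = []                        # every change is recorded here

    def list_accounts(self):
        return dict(self.accounts)

    def create(self, attrs):
        self.accounts[attrs["userName"]] = dict(attrs)
        self.audit.append(("create", attrs["userName"]))

    def update(self, name, attrs):
        self.accounts[name] = dict(attrs)
        self.audit.append(("update", name))


def map_attributes(identity, schema):
    """Apply a resource schema: identity attributes -> endpoint account attributes."""
    return {target: getattr(identity, source) for target, source in schema.items()}


def grants_schema(identity, schema_id):
    """True if an enabled identity holds at least one role carrying the schema."""
    return identity.enabled and any(
        schema_id in ROLE_SCHEMAS.get(role, set()) for role in identity.roles
    )


def reconcile(identities, connector):
    """Bring endpoint accounts in line with the identities that hold the role.
    Returns (actions taken, endpoint accounts not linked to any identity)."""
    desired = {}
    for ident in identities:
        if grants_schema(ident, "GA:default"):
            attrs = map_attributes(ident, GA_DEFAULT_SCHEMA)
            desired[attrs["userName"]] = attrs

    existing = connector.list_accounts()
    actions = []
    for name, attrs in desired.items():
        if name not in existing:
            connector.create(attrs)
            actions.append(("create", name))
        elif existing[name] != attrs:
            connector.update(name, attrs)
            actions.append(("update", name))

    # Accounts present on the endpoint but mapped to no identity are reported,
    # never removed: they are what an administrator should review by hand.
    unlinked = sorted(name for name in existing if name not in desired)
    return actions, unlinked


if __name__ == "__main__":
    # Constructed sample data: one user with the role, one without, and one
    # pre-existing endpoint account that no identity explains.
    users = [
        Identity("alice", "Alice", "Novak", roles={"Google Apps access"}),
        Identity("bob", "Bob", "Dvorak"),
    ]
    ga = GoogleAppsConnector("checkidm.com", existing={"legacy": {"userName": "legacy"}})
    print(reconcile(users, ga))
```

Running `reconcile` twice in a row yields no actions the second time, which is the property you want from provisioning: re-running it is safe. Removing the role or disabling the identity drops the account from the desired set, so it shows up in the unlinked list on the next run rather than silently persisting.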

Conclusion

Using Google Apps as the example, we have demonstrated how easy it is to connect an endpoint system to CzechIdM. Or, if you prefer, how easy it is to connect CzechIdM to an endpoint system. There are many nuances and options which we skipped – the possibility of several schemas on one system, on-the-fly attribute transformation, etc. We will cover them next time. If you have any questions, I’m eager to answer them. Just drop an email to petr.fiser@bcvsolutions.eu. :)