Enabling access to Google Apps through Oracle IDM
By Darin_Pendergraft_Oracle on Mar 25, 2014
Cloud adoption is letting organizations add capacity and improve employee productivity quickly while reducing cost. IT organizations are playing catch-up with this accelerating trend and face technical obstacles in enabling access to cloud applications. Today, many organizations still rely on cumbersome techniques such as manual provisioning and de-provisioning, which delays cloud enablement. Worse, it leaves security gaps when employees leave the company or move between organizations: an account that is not promptly de-provisioned remains usable. The Oracle Identity and Access Management suite (Oracle IAM Suite) addresses these issues with the right set of technologies and tools to fast-track cloud adoption. In this article we discuss how organizations can enable their users to access Google Apps.
Organizations can integrate the Oracle IAM Suite with Google Apps through either identity federation or identity synchronization. The choice depends on the type of access needed to Google Apps.
The first option is to use SAML 2.0 federation to integrate with Google Apps. As Google puts it, “Google Apps offers a SAML-based Single Sign-On (SSO) service that provides customers with full control over the authorization and authentication of hosted user accounts that can access web-based applications like Gmail or Google Calendar.” In this case Google Apps acts as the Service Provider (SP) and the Oracle Identity and Access Management Federation Service acts as the Identity Provider (IdP). With this integration, when a user opens Google Apps in a web browser, Google redirects the browser to the customer-hosted Federation Service for authentication; the user's credentials are presented to the customer's IdP, never to Google. Once authentication completes, the IdP returns a signed SAML assertion and the browser is redirected back to Google Apps. The Federation Service supports both SP-initiated and IdP-initiated logout. The customer retains full control over who has access to Google Apps, since no assertion is issued for a user the IdP has not authenticated.
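The SP-initiated exchange described above, as an added example written for this article rather than code from the Oracle Federation Service or Google: Google sends an AuthnRequest through the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), the IdP checks that the Issuer is a registered SP and that the AssertionConsumerServiceURL is on that SP's allow-list (otherwise a forged request could steer the assertion to an attacker's endpoint), and then builds the Response it posts back. The entity ID, ACS URL, IdP entity ID and the sample request are constructed placeholders; XML-DSig signing of the assertion, which a real IdP must perform, is omitted so the block runs with the standard library only.

```python
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Assumed IdP-side registration of one Google Apps tenant. The entity ID and ACS
# URL follow Google's "google.com/a/<domain>" convention; the domain is a placeholder.
TRUSTED_SPS = {
    "google.com/a/example.com": {"acs_urls": {"https://www.google.com/a/example.com/acs"}},
}
IDP_ENTITY_ID = "https://idp.example.com/fed/idp"  # assumed IdP entity ID

# Constructed sample AuthnRequest, not captured from Google.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req123" Version="2.0" IssueInstant="2014-03-25T10:00:00Z" '
    'AssertionConsumerServiceURL="https://www.google.com/a/example.com/acs">'
    '<saml:Issuer>google.com/a/example.com</saml:Issuer></samlp:AuthnRequest>'
).encode()


def encode_redirect(xml_bytes):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_redirect(query_string):
    """Inverse of encode_redirect: returns the parsed AuthnRequest element."""
    params = urllib.parse.parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def validate_authn_request(req):
    """Accept only requests from a registered SP whose ACS URL is on that SP's allow-list."""
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    sp = TRUSTED_SPS.get(issuer)
    if sp is None:
        raise ValueError(f"unknown SP issuer: {issuer}")
    acs = req.get("AssertionConsumerServiceURL")
    if acs not in sp["acs_urls"]:
        raise ValueError(f"ACS URL not registered for {issuer}: {acs}")
    return {"issuer": issuer, "acs_url": acs, "request_id": req.get("ID")}


def request_accepted(query_string):
    """True only if the redirect-bound request decodes and passes validation."""
    try:
        validate_authn_request(decode_redirect(query_string))
        return True
    except (ValueError, KeyError, ET.ParseError, zlib.error):
        return False


def build_response(req_info, user_email, lifetime_seconds=300):
    """Build the SAML Response the IdP POSTs to the ACS URL (signature omitted)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now = datetime.now(timezone.utc)
    issued, expires = now.strftime(fmt), (now + timedelta(seconds=lifetime_seconds)).strftime(fmt)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issued,
        "Destination": req_info["acs_url"], "InResponseTo": req_info["request_id"]})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issued})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    # Google matches the NameID against the account; the email format is an assumption here.
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = user_email
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    # Recipient, InResponseTo and NotOnOrAfter bind the bearer assertion to this one request.
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "Recipient": req_info["acs_url"], "InResponseTo": req_info["request_id"],
        "NotOnOrAfter": expires})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": issued, "NotOnOrAfter": expires})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = req_info["issuer"]
    return ET.tostring(resp, encoding="unicode")


def response_fields(xml_text):
    """Pull out the fields an SP checks before accepting the assertion."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "in_response_to": root.get("InResponseTo"),
        "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "recipient": scd.get("Recipient"),
    }


if __name__ == "__main__":
    info = validate_authn_request(decode_redirect(encode_redirect(SAMPLE_AUTHN_REQUEST)))
    print(response_fields(build_response(info, "alice@example.com")))
```

The ACS allow-list check is the part worth copying: the ACS URL in the request is attacker-controlled input until it has been matched against the SP's registered endpoints, and the Recipient, Audience and InResponseTo values in the response are what let Google reject an assertion replayed against a different tenant or request.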
The second option is two-way identity synchronization. The Google Apps connector that ships with Oracle Identity Manager (part of the Oracle IAM Suite) keeps on-premise and cloud identities in sync. The connector manages Google Apps as a ‘managed target resource’, so that data about users created or modified directly in Google Apps is reconciled into Oracle Identity Manager, and user accounts can be provisioned into Google Apps from Oracle Identity Manager.
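The two directions of that synchronization, as an added example written for this article and not the connector's own code: the authoritative on-premise identities drive provisioning, reactivation, attribute updates and, for leavers, suspension of the Google Apps account, while accounts found only in Google Apps are flagged for reconciliation back into Oracle Identity Manager instead of being silently deleted or silently trusted. The two dictionaries are constructed sample data standing in for the OIM user store and the connector's read of the Google directory; the action names are hypothetical.

```python
# Constructed sample data, not real tenant state. ON_PREM stands in for the
# authoritative identities held in Oracle Identity Manager; GOOGLE stands in for
# what the connector reads back from the Google Apps directory.
ON_PREM = {
    "alice@example.com": {"status": "active", "given": "Alice", "family": "Adams"},
    "bob@example.com":   {"status": "active", "given": "Bob", "family": "Baker"},
    "carol@example.com": {"status": "terminated", "given": "Carol", "family": "Cole"},
    "dave@example.com":  {"status": "active", "given": "David", "family": "Diaz"},
    "frank@example.com": {"status": "active", "given": "Frank", "family": "Fox"},
}
GOOGLE = {
    "alice@example.com": {"suspended": False, "given": "Alice", "family": "Adams"},
    "carol@example.com": {"suspended": False, "given": "Carol", "family": "Cole"},
    "dave@example.com":  {"suspended": False, "given": "Dave", "family": "Diaz"},
    "eve@example.com":   {"suspended": False, "given": "Eve", "family": "Evans"},
    "frank@example.com": {"suspended": True, "given": "Frank", "family": "Fox"},
}


def reconcile(on_prem, google):
    """Return an ordered list of (action, email) pairs. Provisioning follows the
    authoritative source; accounts that exist only in the target are surfaced so
    they can be reconciled into OIM and reviewed."""
    actions = []
    for email, u in sorted(on_prem.items()):
        g = google.get(email)
        if u["status"] == "active":
            if g is None:
                actions.append(("provision", email))
            elif g["suspended"]:
                actions.append(("reactivate", email))
            elif (g["given"], g["family"]) != (u["given"], u["family"]):
                actions.append(("update", email))
        elif g is not None and not g["suspended"]:
            # A leaver who can still sign in: suspend now, delete after retention review.
            actions.append(("suspend", email))
    for email in sorted(google):
        if email not in on_prem:
            # Created directly in Google Apps: pull it into OIM for ownership review.
            actions.append(("reconcile_into_oim", email))
    return actions


def apply_actions(google, actions, on_prem):
    """Apply the plan to a copy of the target state (a stand-in for connector calls
    against the Google Apps API)."""
    state = {email: dict(attrs) for email, attrs in google.items()}
    for action, email in actions:
        if action == "provision":
            u = on_prem[email]
            state[email] = {"suspended": False, "given": u["given"], "family": u["family"]}
        elif action == "reactivate":
            state[email]["suspended"] = False
        elif action == "suspend":
            state[email]["suspended"] = True
        elif action == "update":
            state[email].update(given=on_prem[email]["given"], family=on_prem[email]["family"])
        # "reconcile_into_oim" changes OIM, not the target, so the target state is untouched.
    return state


def active_accounts(google):
    """Emails that can currently sign in to Google Apps."""
    return sorted(email for email, attrs in google.items() if not attrs["suspended"])


if __name__ == "__main__":
    plan = reconcile(ON_PREM, GOOGLE)
    for action, email in plan:
        print(f"{action:20} {email}")
    print("after:", active_accounts(apply_actions(GOOGLE, plan, ON_PREM)))
```

Running the plan a second time against the updated target state produces only the reconcile_into_oim entry for the account that was created in the cloud, which is the point: once the orphan is pulled into OIM and either assigned an owner or terminated, the next run converges to no actions at all.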
Both federation and identity synchronization give seamless integration with Google Apps. When would you choose one over the other? If the customer only needs to enable web-browser access to Google Apps for their users, SAML-based federation is sufficient, and setting it up is a fairly simple process. For more information refer to this white paper. On the other hand, if the customer wants to enable access beyond the web browser, from desktop or mobile clients such as Outlook for Google Apps, identity synchronization is the better option: those clients authenticate directly to Google rather than through a browser redirect to the IdP, so the account must exist in Google Apps. For more information on how to set up the Google Apps connector, refer to the Oracle Identity Manager Google Apps Connector documentation.