Salesforce.com / OBIEE Dashboard Integration


Sandy

Aug 19, 2013, 1:05:07 PM
to obiee-enterpri...@googlegroups.com
Hi,

Does anyone have any recommendations for handling the following requirements?

  • The client would like to have the ability to allow external users to log into salesforce.com and click on a tab which will launch OBIEE.
  • OBIEE sits within the organization's domain (and must remain within the domain). 
  • We understand that there is a need to configure OBIEE so it leverages HTTPS.

Our biggest issue is understanding if there are any ways to pass a token between Salesforce and OBIEE such that OBIEE knows that this request came directly from Salesforce. 

Thoughts?

Thanks for your help!
Sandy

nge...@gmail.com

Aug 30, 2013, 2:14:45 PM
to obiee-enterpri...@googlegroups.com
Hi Sandy,

This is one of my favorite topics. You'd be surprised how many customers have grand visions of this implementation with Salesforce.com and OBIEE but stop short due to lack of in-house skills, when their vision gets derailed by lack of infrastructure, or they settle on a very basic integration of simply adding a tab to the Salesforce.com portal which has a local network URL reference to their OBIEE instance.

I'll break down each of your bullets/questions first:

    1. The client would like to have the ability to allow external users to log into salesforce.com and click on a tab which will launch OBIEE.
      • This is the simplest integration solution. Basically in Salesforce.com (SFDC) you merely create a new tab with a reference to your organization's OBIEE instance, ex: http[s]://obi.mycompany.com/analytics
      • The only drawback here is that unless your OBIEE instance is outside of the firewall (see next bullet answer) then your users will have to be on your network to have this functionality work correctly. So, this has a major limited result.
    2. OBIEE sits within the organization's domain (and must remain within the domain).
      • This is usually the case unless you have your OBIEE instance hosted as a hosted solution or you have the OBIEE instance in a DMZ or publicly facing. Only a small percentage of OBIEE customers currently do this but it is an excellent solution when you really think about it. Especially when you think about providing analytics to sales teams or the "field" users. Usually hosting or extending the domain outside of the firewall depends on company needs and how forward thinking your company is, especially with respect to your IT team's level of comfort understanding security outside the firewall, etc.
      • Also, remember that the term "domain" as you've used it is a relative term. I suggest getting clarification on whether your OBIEE instance is on a publicly available domain vs. networked domain, etc. or if it can be pushed outside the firewall for this project if needed.
    3. We understand that there is a need to configure OBIEE so it leverages HTTPS.
      • For most successful integration attempts with OBIEE you'll want to use HTTPS. You'll want an SSL certificate from a Certificate Authority (CA) such as VeriSign, GoDaddy, etc. and not a self-signed SSL, especially if leveraging a public domain accessibility approach.
      • This is a strict requirement from SFDC with OAuth and authentication federation but not so much with adding a simple tab pointing to your OBIEE instance.
    Lastly you talk about "a token between SFDC and OBIEE". Now you are opening a can of worms as you need to be more specific. There are a lot of possibilities here that include SAML, OAuth, identity federation, and more. I've implemented all current SFDC approaches to security and integration with OBIEE at this point but your last statement simply needs more specifics explained for one to understand the end result you wish to have with the integration of which you speak. If you'd like to list a full integration workflow for the user's interaction between SFDC and OBIEE, perhaps I could answer the question on this thread.

    Cheers,
    Christian

    Ramke Ramakrishnan

    Aug 30, 2013, 10:35:14 PM
    to obiee-enterpri...@googlegroups.com
    Sandy and Christian,

    We have implemented OBIEE and SalesForce.com integration exactly as requested. One of the ways to resolve this is to install an Oracle HTTP Server (or IIS web server) in the DMZ zone and configure OBIEE to that web server. OBIEE is installed inside the internal firewall. For the SSO integration, SAML is the most popular for external users. Alternatively, you can also use WNA/Kerberos authentication.

    Thanks,
    ramke


    --
    --
    You received this message because you are subscribed to the Google
    Groups "OBIEE Enterprise Methodology Group" group.
    To post to this group, send email to
    obiee-enterpri...@googlegroups.com
    To unsubscribe from this group, send email to
    obiee-enterprise-met...@googlegroups.com
    For more options, visit this group at
    http://groups.google.com/group/obiee-enterprise-methodology?hl=en
     
    All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).
     
    ---
    You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-met...@googlegroups.com.
    For more options, visit https://groups.google.com/groups/opt_out.

    Mujahid Katlagal

    Sep 3, 2013, 8:26:04 AM
    to obiee-enterpri...@googlegroups.com
    Ramke:
    When you say "One of the ways to resolve this is to install an Oracle HTTP Server (or IIS web server) in the DMZ zone and configure OBIEE to that web server."
    What exactly of OBIEE is configured on the IIS web server? We will also be having the same challenge in the near future.

    Thanks
    Mujahid Katlagal



    nge...@gmail.com

    Sep 4, 2013, 8:12:12 PM
    to obiee-enterpri...@googlegroups.com
    Ramke,

    Yes, you are right on the OHS/IIS in the DMZ. I was definitely complicating the answer in that respect trying to get at the true end goal and trying to draw out some other details.


    Prakash Jhunjhunwala

    Sep 5, 2013, 8:33:15 PM
    to obiee-enterpri...@googlegroups.com
    Hi Sandy,

    I was involved at a client where we did a similar setup for Salesforce.com and OBIEE integration. We had additional requirements to do data security based on the user.

    Our approach was a little convoluted due to multiple security providers (2 EBS instances and salesforce.com).

    1. Created a custom force page that contained the link to OBI, with additional parameters in the URL for the salesforce.com session id, username and source.
    2. Through instanceconfig, we captured the URL parameter and passed the same to BI Server. This helped us identify that the request came from salesforce.com.
    3. In BI Server, there were init blocks which fired different validation logic depending on the source connection (EBS or salesforce.com).
    4. For the salesforce.com connection, a PL/SQL package was called that passed the session id and username to a BPEL service. That BPEL service validated the session id and user by communicating with salesforce.com and returned the custom fields that we used to populate application roles and enforce data security rules.

    This was done in 10g and we kept the same logic when we did the upgrade to 11g. I wouldn't recommend the above approach as it has a number of moving parts. Ramke's suggestion of using SAML authentication is the way to go.

    -Prakash
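
An added sketch of the validation in steps 2 to 4 above (not code from the post, OBIEE or Salesforce): nothing in the launch URL is trusted until the issuer confirms the session and its owner, and roles come from the issuer's answer rather than from the request. The parameter names `source`, `sessionid` and `username`, the `lookup_session` function and the session table are assumptions standing in for the BPEL call to salesforce.com.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: what the issuer would report for each session id.
ISSUER_SESSIONS = {
    "constructed-session-1": {"username": "alice@example.com",
                              "active": True, "roles": ["SalesRep"]},
    "constructed-session-2": {"username": "bob@example.com",
                              "active": False, "roles": ["SalesManager"]},
}


def lookup_session(session_id):
    """Hypothetical issuer call; returns the issuer's record or None."""
    return ISSUER_SESSIONS.get(session_id)


def authorize_launch(url, lookup=lookup_session):
    """Return (username, roles) for a valid launch URL, else raise PermissionError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # A session id in a URL must never travel in clear text.
        raise PermissionError("launch URL must use HTTPS")
    query = parse_qs(parts.query)
    try:
        # Each parameter must appear exactly once; repeats are ambiguous.
        (source,), (sid,), (claimed,) = (
            query["source"], query["sessionid"], query["username"])
    except (KeyError, ValueError):
        raise PermissionError("missing or repeated parameter") from None
    if source != "sfdc":
        raise PermissionError("not a salesforce.com launch")
    # The source parameter only selects the validation path; it proves nothing.
    record = lookup(sid)
    if record is None or not record["active"]:
        raise PermissionError("session not recognised by issuer")
    # Bind the claimed identity to the session owner reported by the issuer.
    if record["username"] != claimed:
        raise PermissionError("username does not match session owner")
    # Roles come from the issuer's answer, never from the request itself.
    return record["username"], list(record["roles"])
```

Because the session id travels in the query string, it also lands in web server access logs and browser history, so those need the same protection as the session itself.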

    Sandy

    Sep 13, 2013, 9:31:13 AM
    to obiee-enterpri...@googlegroups.com
    Thanks everyone! I don't know how I missed all these posts but didn't get any of them on my email. I think we are taking Ramke's approach to the client to see if they are comfortable with it. The big question they had was how to ensure the request was coming from salesforce such that the server can pass through so Prakash's point is a good one as well. Thanks guys and I will update this thread once we nail down our solution with the client.

    Matthew Turner

    Sep 24, 2013, 7:51:09 PM
    to obiee-enterpri...@googlegroups.com
    Whilst on the subject of salesforce.com, KPI Partners have pre-built analytics; rather than re-inventing the wheel, it may be worth taking a look at these. These guys have a history of building good quality analytics.

    http://www.kpipartners.com/expertise/pre-built-solutions/salesforcecom-analytics-for-oracle-bi/




    Girish

    Sep 25, 2013, 10:43:24 AM
    to obiee-enterpri...@googlegroups.com
    That's interesting Matthew.
    Looking at the KPI datasheet where it says "Key Salesforce.com information is exposed via Oracle’s pre-built Sales Analytics subject  areas."
    I assume it's an ETL solution exporting data using apex dataloader (or an Informatica SFDC connector) and then using the OBIA universal adapters to load data into the OBIA warehouse.

    If my assumption is true, it would be interesting to know
    - how CDC is managed and any gotchas in that area
    - and how the solution works around the daily API limits on SFDC if the customer is not on an unlimited license?


    Rgds
    Girish Lakshmanan




