This week, when I was picking up my kids at school, I ran into one of the nVision developers who used to work for me (who's still working at Oracle). She's working on taking nVision to Fusion, which will use the Siebel Analytics platform.
When I first remembered that Oracle's acquisition of Siebel included Siebel Analytics, I told my co-workers that if Oracle was smart, they'd use that as the replacement for nVision (and metric calculations in EPM).
So, Why is it a good thing?
Believe it or not, we at PeopleSoft evaluated Siebel Analytics (although under a different name) to be the infrastructure for the next generation of nVision. At the time, it was a small company called nQuire. We put together a bunch of things we wanted them to prove they could do within a week against multiple PeopleSoft systems. At the time, Chris Heller and myself had a lot of discussions about the product's claimed capabilities... his quote was "Either they're crazy or they're geniuses". We found out that they were geniuses.
Unfortunately for PeopleSoft, Siebel beat us to the punch and acquired nQuire and re-branded the product. Now that Oracle has acquired both Siebel and PeopleSoft, it looks like that original vision may be realized for PeopleSoft customers.
So, what is Siebel Analytics?
Siebel Analytics is most of the functionality we planned to provide in reporting in PeopleTools 9.
In the published PeopleTools 9 plans, we had different names for the same functionality
Mark Rittman has some good images on his weblog (which is a must-read for anybody wanting to understand what's going on with Oracle and BI) that shows screenshots for building and managing the data abstraction layer and for building queries or reports.
Data Abstraction Layer
The data abstraction layer looks exactly as it did when we reviewed the product.
The far right pane contains the list physical objects that are the sources of data and metadata. These can be tables or files (and I'm assuming XML sources now). You can think of these as record definitions in PeopleSoft.
The middle pane allows you to map the physical objects to objects that have a more meaningful business names and structures. They abstract away joins and unions and other physical attributes you don't want to present. (a good example we had them prove in the PeopleSoft evaluation was that you could have a single representation for sales, where under the covers you were getting historical sales from a data warehouse and current sales from the CRM system). These are related to Data Objects in the PeopleTools 9 feature list.
The left pane contains the presentation layer for how you would want to present these objects to business analysts. For example, you might want to have different versions of an order, depending on the vertical you're using (where fields specific to a vertical are displayed and not others, and where the terminology presented to the user is targeted to that user type). In other words, you might have a different presentation object for Universities and Commercial in CRM, where in a university a customer is displayed as a contributor and in commercial, they're displayed as customer. These are related to Data Views in the PeopleTools 9 feature list.
Reporting
Siebel analytics provides a drag-and-drop interface for building reports in the browser using these objects. Although I believe that there is some opportunity for making the user interface more targeted to business analysts, they've done the big, hairy effort to pull together crosstab and tabular reporting into a single reporting tool. Here's another screenshot from Mark Rittman's weblog that shows some of the user interface.
As you can see, you have the objects from the presentation layer in the left pane, and you have the ability to lay them out in a report.
Good question. Here are the major tasks I see that need to be done to get nVision using this platform:
Conclusion
Hopefully this makes most PeopleSoft customers more comfortable with the future of things. I've already known or suspected much of this information earlier, but was waiting for Oracle to provide enough information publicly for me to safely write this entry.
Labels: Fusion, nVision, Performance
© 2011 Grey Heller Solutions.
All rights reserved.
How are you actually accessing the headers in PeopleCode? Do any of the headers sent by the browser actually show up?
Thank you so much for getting back to me on this. The flow is as follows:
User requests http://server:port/psp/instancename/EMPLOYEE/HRMS/h/?tab=DEFAULT
from an external link. Apache intercepts the request inserts the custom Shibboleth headers and redirects to the ps url (GET request). My signon PeopleCode fires and the headers are not present. I am then redirected to the login screen with a message stating "incorrect userid or password". If I simply request the url again my PeopleCode finds the headers and logs me into the correct page within PeopleSoft.
I wrote a test servlet that simply dumps the headers and installed it on the PIA server. When I access the test servlet it finds and prints the headers. I am therefore confident that the headers are being injected properly.
I am attempting to implement this on PeopleTools 8.48.03 (Oracle Application Server on Redhat Linux).
I have not configured guest signon within the WEB_PROFILE. Should I simply be able to submit a get request (with custom headers) to a page in PeopleSoft and read the headers within signon Pcode? Do I need to implement guest access to bypass the signon process?
I have written the following Pcode to simply access the header info:
&requestParams = %Request.GetParameterNames();
&requestHeaders = %Request.GetHeaderNames();
Upon first request to the url the request object does not contain my custom header information. I am interrogating the request object with the PeopleSoft debugger.
I appreciate any help you are willing to provide.
So for your scenario you need to setup a public access account (it can be something with no access) and then sign the person on appropriately from the headers inside your signon peoplecode.
If you're planning on going to the Alliance conference, come find me and we can chat more about the other issues that you may encounter along the way.
Thanks again for your assistance. Unfortunately I will be unable to attend the Alliance Conference this year. I will setup a public access account and give it another try.
Will I simply need to read the headers and Authenticate the user? Once I setup public access are there many issues I will need to address?
Thanks Chris.
Thanks to your help I resolved my issue. I truly appreciate your help on this.
Thanks
Thanks for this article. It really helped to solidify in my mind how we should approach SSO. Thanks!
Thanks for the excellent post. I'm fumbling my way through setting up IIS as a reverse proxy with the goal of using NTLM authentication for "desktop signon" and have gotten a little stuck. I'm not sure how to parse the header that IIS is adding to the request. I've tried using the &requestParams stuff that Goodie mentioned in a previous post, but it seems my debugger session doesn't really start catching code until the signon is complete. I'm trying to interrogate the header before that occurs -- in my custom signon PeopleCode.. Any ideas?
I think I've figured out my problem from yesterday -- have been looking at the headers from another random PCode event post-signon. Sorry to have bothered you ... but would like to reserve the right to do so again should I get stuck :-)
Glenn
glenn.merberg@quadrint.com
You'll want to check PeopleBooks for information about the Request object in PeopleCode.
Also any security feature built around while passing remote_user? because anybody can send the request thru lwp agent etc., if he knows the user id who has entitlements.
We have setup the public access account and have PeopleCode working to read headers that are injected by Shibboleth. Everything works 95% of the time, but periodically we receive the error Invalid UserID and Password in our logs. How could this be? Could PeopleSoft be reading from cookies on the browser and trying to log the user in via PS single sign on? Any help would be greatly appreciated.
There are a few different things that we've seen and had to add code to get around. One is that IE sometimes does some weird things with caching old sessions, so even though you think that you're logging someone in for a new session, the old session gets used. We just detect when this happens and force another login attempt (but we do it silently so the user does not realize that this has happened).
We're doing a session at OpenWorld on debugging these sorts of things. If you're there, be sure to come by and check it out.
@Amar, sorry for the delayed response. I didn't your extra comment until Tomcat's was posted.
Anyways, yes, you can send along the REMOTE_USER information in an HTTP header, but as you mention (and we pointed out in the original blog post) this is extremely insecure because there is no validation from the PeopleSoft side that it wasn't spoofed.
We've shown a few different people how easy it is to add extra HTTP headers in a request to PeopleSoft (or any web app for that matter), and they're generally surprised by just how easy it is.
So, you definitely can't just trust having an IIS proxy in front of Peoplesoft without doing some more work to ensure that someone can't just log themselves in as whoever they want.
I'm trying to implement the SSO with JCIFS.
I'm trying to read the "Authorization" Header (that contains NTLM string)in the PeopleCode, but it only appears in the first HTTP GET of the request.
so from my signon peoplecode point of view, this parameter does not exists.
is there any way to make this parmeter more persistent ? or to read the Windows ID somewhere else ?
Regards
I would like to implement the single sign on into PeopleSoft application using the desktop windows login. COuld you please provide me a detaileds steps to implement it.It would be of great help to proceed with implementing it.
Thanks
Ravi
I log in to a website using an id and password. After logging in to the website, there is a link for Peoplesoft page. When I click on the link, It redirects to the peoplesoft page without asking the login credentials. What I would like to know is that how the credentials which I give in the website gets passed to our Peoplesoft and what kind of authentication methods are processed?
Thanks for the blog, it helped. I am trying to implement desktop SSO for peoplesoft using Web Server level authentication. But I am not able to figure out how would you allow the support team to login with a different account like say psadmin account.
I believe we change the cmd=login to cmd=start in signon.html and need to replace this in all the html files used in the web profile.
Kindly help as I have reached a deadend...
Regards,
Samy
I'm not sure why you are changing the signon.html page though.
I've riched peoplesoft homepage but when I want to enter any page or click on any button the user automatically signout.
When I look in psadmin I can see that all users are signin with Public user...
And actually, in webserv log, I found two 'delete cookies' lines for each time a users is autoatically signout.
Have you any ideas on this?
Thanks.
We are using the Single sign on in our system.When ever a user is trying to login to the system, he is getting the mesaage that "Domain is not included in the list of domains". I just want to change the error message users are getting.
If you can guide me where can I do the changes.That will be really helpful.
Thanks and Regards
Amit