AWS re:Invent 2016: The Secret to SaaS (Hint: It's Identity) (GPSSI404)
•
2 gefällt mir•1,403 views
Identity is a fundamental element of any SaaS environment. It must be woven into the fabric of your SaaS architecture and design, enabling you to authorize and scope access to your multi-tenant services, infrastructure, and data effectively. In this session, we pair with AWS partner Okta to examine how tenant identity is introduced into SaaS applications without undermining flexibility or developer productivity. The goal here is to highlight strategies that encapsulate tenant awareness and leverage the scale, security, and innovation enabled by AWS and its ecosystem of identity solutions. We dig into all the moving parts of the SaaS identity equation, showcasing the best practices and common considerations that will shape your approach to SaaS identity management.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie AWS re:Invent 2016: The Secret to SaaS (Hint: It's Identity) (GPSSI404)
Ähnlich wie AWS re:Invent 2016: The Secret to SaaS (Hint: It's Identity) (GPSSI404) (20)
Mehr von Amazon Web Services
Mehr von Amazon Web Services (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
AWS re:Invent 2016: The Secret to SaaS (Hint: It's Identity) (GPSSI404)
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tod Golding, AWS Partner Solutions Architect November 29, 2016 The Secret to SaaS (Hint: It’s Identity) Stephen Lee, Okta Director, Partner Solutions GPSSI404
- 2. Beyond the Front Door Injecting Tenant Context Security & Isolation Tenant Access Roles Tenant Provisioning
- 3. The Identity Landscape Tenant Identity Broker Multi-Factor AuthenticationApplication Single Sign-On Password Management Adaptive Access Additional identity services Identity Provider
- 4. First, We Need A Tenant New Tenant On-Boarding Tenant Identity Broker Identity Provider Tenant Management Billing • User: bob@test.com • TenantID: 491048735 • TenantID: 491048735 • Domain: abc.com • Tier: Platinum • Status: Active Domain Provisioning SSL Certificate IAM Policy
- 5. Managing Tenant Identity Policies Amazon Cognito User Pool (Tenant1) User Pool (Tenant2) Policies Tenant • Password policies • Validation policies • MFA policies Tenant Admin Console
- 6. Identities and Environments • Consider how identity is supported in non-production environments • Need a mechanism to automate provisioning of identities and roles • Automated testing should cover provisioning and scoping of access Production Integration QA Tenant On-Boarding Automation Identity Provisioning API
- 7. Adding SSO to On-Boarding SaaS Application Dashboard User
- 8. Key Tenant Provisioning Considerations • Find a seamless model for binding tenant to identities • Consider fault tolerance for 3P integrations • Need to factor in tenant lifecycle management • Allow for tenant level variation in identity policies • Let identity providers do the heavy lifting • Lean on automation and repeatability
- 9. Identity & Isolation: Many Levels, One Goal Full Stack Isolation Web Tier App Tier Tenant 1 Web Tier App Tier Tenant 2 Resource-Level Isolation Tenant 1 Tenant 2 Tenant 1 Tenant 2 Tenant 1 Tenant 2 Application-Level Isolation Tenant1 Tenant2 Tenant1 Tenant2 Tenant1 Tenant3 Key
- 10. IAM Policies Scope Tenant Access Web Tier App Tier Tenant1 Access Policy CustomerTable Tenant2 Access Policy T1-Bucket T2-Bucket
- 11. Binding Policies to Tenants Web Application Tenant Identity Broker Identity Provider AWS cloud • Identity resolved to STS token • Acquire token with tenant-scoped access • Leverage a temporary token • No need for separate AWS identity
- 12. Managing IAM Policies { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::test_bucket" } } Tenant IAM Policies Tenant Provisioning • Tenant-specific policy scopes access • Role is bound to identity provider “application” identifier and tenant policies • Secret sauce: AssumeRoleWithWebIdenity() Role for Identity Provider Access
- 13. Key Security & Isolation Considerations • Applying isolation may require a hybrid of AWS and application strategies • Avoid having separate IAM users for each tenant • Automate testing of isolation policies/strategy • Consider the scale, management, and automation impacts of managing access policies • Let IAM enforce your tenant level scoping
- 14. Where Do Roles Fit? System Admin Operations Support Role-Based Access Policy Sales SaaS Provider Roles Tenant Roles Marketing Tools Roles
- 15. Provisioning SaaS Provider Roles Federated Identity Provider • User: bob@test.com • Role: Admin • TenantID: None >sudo create-user Identity Broker SaaS Provider Admin Console User Provisioning Third-Party Tool • Supporting multi-tenant views of resources • New scopes and provisioning considerations • Custom user provisioning (no on-boarding flow)
- 16. Provisioning Tenant User Roles SaaS Application Sales Marketing SaaS User On-Boarding Application Roles • Tenant identity policies applied to application users • Application driven on-boarding experience
- 17. Creating IAM Roles and Policies System Admin IAM Policy "Version": "2012-10-17”, "Statement": { "Effect": "Allow", "Action": ”*", "Resource": "arn:aws:s3:::test_bucket” } "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": ” s3:ListBucket” "Resource": "arn:aws:s3:::test_bucket” } Support IAM Policy Role for Identity Provider Access Support Role >provision Role for Identity Provider Access System Admin Role
- 18. Key Roles Considerations • Roles are broader than tenants alone • Leverage federated identity for tool integration • Automate provisioning and management of system access policies • Require MFA authentication for all admin operations (CLI or console) • Avoid allowing tenants direct access to AWS resources
- 19. The Tenant Identity Bottleneck Cart Service Catalog Service Checkout Service Tenant Management ServiceUser SelectProduct LookupTenant TenantID AddToCart LookupTenant TenantID Checkout LookupTenant TenantID Now imagine you have 200 microservices
- 20. Bundling Tenant With Identity Identity Broker Token User Identity Tenant Identity User Identity + Tenant Identity = SaaS Identity Cart Service Catalog Service Checkout Service
- 21. OpenID Connect to the Rescue Tenant Access Control Homepage Access Control Catalog Service Access Control Cart Service TenantContext { UserID: “bob@abc.com” Role: “Admin”, TenantID: “93194942” } JWT Token Authorization: Bearer<JWT> Authorization: Bearer<JWT> Authorization: Bearer<JWT> Access Control Auth ServiceTenant Service 1
- 22. Key Tenant Context Considerations • Avoid crossing boundaries to resolve tenant context • Package tenant as a claim in your id tokens • Hide the details of un-packing the tenant from the token • User identity + Tenant identity = SaaS identity • Make SaaS identity a first class concept
- 23. DEMO
- 24. Let’s See It In Action Identity Provider AWS cloud
- 25. Lean On Third-Party Solutions BillingCore Features Metering AnalyticsMonitoring Administration Identity
- 26. Takeaways • SaaS identity is bigger than authentication • Leave the heavy lifting, risk, and innovation to someone else • Leverage identity broker pattern to decouple from identity providers • Don’t underestimate the value of SSO • Make policy automation and manageability a priority • Add tenant context to identity token to limit bottlenecks • If your identity solution is invasive, you’re doing it wrong
- 27. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Register for a Bootcamp Get in-depth knowledge and training from AWS Instructors and Solutions Architects. reinvent.awsevents.com/training #AWSTraining Get AWS Certified Onsite Demonstrate your technical proficiency and receive special recognition onsite. Register today. reinvent.awsevents.com/certification #AWSCertified Take Hands-on Labs Practice with AWS in a live environment. Choose from 100+ lab topics and attend a Spotlight Lab session. Free Onsite
- 28. Thank you!