Identity is a fundamental element of any SaaS environment. It must be woven into the fabric of your SaaS architecture and design, enabling you to authorize and scope access to your multi-tenant services, infrastructure, and data effectively. In this session, we pair with AWS partner Okta to examine how tenant identity is introduced into SaaS applications without undermining flexibility or developer productivity. The goal here is to highlight strategies that encapsulate tenant awareness and leverage the scale, security, and innovation enabled by AWS and its ecosystem of identity solutions. We dig into all the moving parts of the SaaS identity equation, showcasing the best practices and common considerations that will shape your approach to SaaS identity management.
4. First, We Need A Tenant
[Diagram: New Tenant On-Boarding flows through the Tenant Identity Broker to the Identity Provider, Tenant Management, and Billing, then provisions a Domain, an SSL Certificate, and an IAM Policy for the tenant]
• User: bob@test.com
• TenantID: 491048735
• Domain: abc.com
• Tier: Platinum
• Status: Active
5. Managing Tenant Identity Policies
[Diagram: Amazon Cognito with one User Pool per tenant (Tenant1, Tenant2); each tenant's policies are managed from the Tenant Admin Console]
• Password policies
• Validation policies
• MFA policies
6. Identities and Environments
• Consider how identity is supported in non-production environments
• Need a mechanism to automate provisioning of identities and roles
• Automated testing should cover provisioning and scoping of access
[Diagram: Production, Integration, and QA environments are all fed by Tenant On-Boarding Automation through an Identity Provisioning API]
7. Adding SSO to On-Boarding
[Diagram: a User signs in through SSO and lands on the SaaS Application Dashboard]
8. Key Tenant Provisioning Considerations
• Find a seamless model for binding tenant to identities
• Consider fault tolerance for third-party (3P) integrations
• Need to factor in tenant lifecycle management
• Allow for tenant level variation in identity policies
• Let identity providers do the heavy lifting
• Lean on automation and repeatability
9. Identity & Isolation: Many Levels, One Goal
[Diagram: three isolation models. Full Stack Isolation: each tenant (Tenant 1, Tenant 2) gets its own Web Tier and App Tier. Resource-Level Isolation: the tiers are shared but each resource is dedicated to Tenant 1 or Tenant 2. Application-Level Isolation: tenants (Tenant1, Tenant2, Tenant3) share resources and are separated only by a tenant Key]
10. IAM Policies Scope Tenant Access
[Diagram: the Web Tier and App Tier reach data only through per-tenant policies: the Tenant1 Access Policy and Tenant2 Access Policy scope access to CustomerTable and to T1-Bucket and T2-Bucket respectively]
11. Binding Policies to Tenants
[Diagram: the Web Application calls the Tenant Identity Broker, which authenticates against the Identity Provider and returns credentials for the AWS cloud]
• Identity resolved to STS token
• Acquire token with tenant-scoped access
• Leverage a temporary token
• No need for separate AWS identity
12. Managing IAM Policies
Tenant IAM Policies (example):
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::test_bucket"
      }
    }
[Diagram: Tenant Provisioning creates the Tenant IAM Policies and attaches them to the Role for Identity Provider Access]
• Tenant-specific policy scopes access
• Role is bound to identity provider “application” identifier and tenant policies
• Secret sauce: AssumeRoleWithWebIdentity()
13. Key Security & Isolation Considerations
• Applying isolation may require a hybrid of AWS and application strategies
• Avoid having separate IAM users for each tenant
• Automate testing of isolation policies/strategy
• Consider the scale, management, and automation impacts of managing access policies
• Let IAM enforce your tenant level scoping
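The AssumeRoleWithWebIdentity pattern from slides 12 and 13, as an added example that is not code from the deck: one shared role for identity-provider access, narrowed per request by a tenant-scoped session policy so that IAM, not application code, enforces the tenant boundary. The role ARN, bucket and table names are constructed placeholders, and `sts_client` is assumed to be a boto3 STS client supplied by the caller.

```python
import json

# Constructed placeholder role ARN; substitute the role your tenant provisioning created.
ROLE_ARN = "arn:aws:iam::123456789012:role/TenantScopedAccess"


def tenant_scoped_policy(tenant_id: str, bucket: str, table_arn: str) -> dict:
    """Session policy that narrows a shared role to one tenant. The role's own
    policy may allow the whole bucket and table; the session policy intersects
    with it, so the temporary credentials only reach this tenant's S3 prefix
    and the DynamoDB items whose partition key is this tenant's ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only under the tenant's prefix
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{tenant_id}/*"]}},
            },
            {   # object access is allowed only inside that prefix
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{tenant_id}/*",
            },
            {   # rows are fenced by partition key via dynamodb:LeadingKeys
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
                "Resource": table_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
                },
            },
        ],
    }


def assume_tenant_role(sts_client, id_token: str, tenant_id: str,
                       bucket: str, table_arn: str) -> dict:
    """Exchange the identity provider's OIDC id token for short-lived credentials
    scoped to one tenant; no per-tenant IAM user is ever created."""
    resp = sts_client.assume_role_with_web_identity(
        RoleArn=ROLE_ARN,
        RoleSessionName=f"tenant-{tenant_id}",
        WebIdentityToken=id_token,
        Policy=json.dumps(tenant_scoped_policy(tenant_id, bucket, table_arn)),
        DurationSeconds=900,
    )
    return resp["Credentials"]
```

Because the session policy can only subtract from the role's permissions, a bug that omits a tenant condition fails closed to the role's own policy, which is why that policy should still be limited to the tenant-shared resources and nothing else.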
14. Where Do Roles Fit?
[Diagram: a Role-Based Access Policy spans SaaS Provider Roles (System Admin, Operations, Support), Tenant Roles (Sales, Marketing), and Tools Roles]
15. Provisioning SaaS Provider Roles
• User: bob@test.com
• Role: Admin
• TenantID: None
[Diagram: this Federated Identity Provider user record passes through the Identity Broker to the SaaS Provider Admin Console and to User Provisioning in a Third-Party Tool; command shown: > sudo create-user]
• Supporting multi-tenant views of resources
• New scopes and provisioning considerations
• Custom user provisioning (no on-boarding flow)
16. Provisioning Tenant User Roles
[Diagram: SaaS User On-Boarding assigns Application Roles (Sales, Marketing) inside the SaaS Application]
• Tenant identity policies applied to application users
• Application driven on-boarding experience
17. Creating IAM Roles and Policies
System Admin IAM Policy:
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "arn:aws:s3:::test_bucket"
      }
    }
Support IAM Policy:
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::test_bucket"
      }
    }
[Diagram: a provisioning command (> provision) creates the System Admin Role and the Support Role, each a Role for Identity Provider Access with the matching policy attached]
18. Key Roles Considerations
• Roles are broader than tenants alone
• Leverage federated identity for tool integration
• Automate provisioning and management of system access policies
• Require MFA authentication for all admin operations (CLI or console)
• Avoid allowing tenants direct access to AWS resources
19. The Tenant Identity Bottleneck
[Sequence diagram: a User calls SelectProduct on the Catalog Service, AddToCart on the Cart Service, and Checkout on the Checkout Service; each service first calls LookupTenant on Tenant Management to resolve the TenantID]
Now imagine you have 200 microservices
20. Bundling Tenant With Identity
[Diagram: the Identity Broker issues one Token carrying both User Identity and Tenant Identity, consumed directly by the Cart Service, Catalog Service, and Checkout Service]
User Identity + Tenant Identity = SaaS Identity
21. OpenID Connect to the Rescue
TenantContext (claims carried in the JWT token):
    {
      "UserID": "bob@abc.com",
      "Role": "Admin",
      "TenantID": "93194942"
    }
[Diagram: the Auth Service and Tenant Service issue the JWT; the Homepage, Catalog Service, and Cart Service each receive it as Authorization: Bearer <JWT> and apply Access Control from the tenant context it carries]
22. Key Tenant Context Considerations
• Avoid crossing boundaries to resolve tenant context
• Package tenant as a claim in your id tokens
• Hide the details of un-packing the tenant from the token
• User identity + Tenant identity = SaaS identity
• Make SaaS identity a first class concept
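The tenant-context pattern from slides 20 to 22, as an added example that is not code from the deck: the broker signs the user and tenant claims into one JWT, and each service calls a single helper that verifies the token and hands back a TenantContext, so no service ever parses claims or calls Tenant Management itself. The HS256 shared secret, the `TenantContext` class and the helper names are constructed for this example; the claim names are the ones on slide 21.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass

# Constructed signing key for this example; a real broker would sign with an
# asymmetric key (RS256) and publish the public half via its JWKS endpoint.
SECRET = b"example-broker-signing-key"

@dataclass(frozen=True)
class TenantContext:          # the "SaaS identity" every service works with
    user_id: str
    role: str
    tenant_id: str

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Broker side: sign user + tenant claims into one HS256 JWT."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def tenant_context_from_bearer(auth_header: str, secret: bytes = SECRET, now=None) -> TenantContext:
    """Service side: the one place that knows how the tenant is packed in the token."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    head, body, sig = token.split(".")
    # Pin the algorithm: never let the token choose (e.g. "none")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    # a token with no exp is treated as already expired
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    try:  # a token without tenant context is not a SaaS identity
        return TenantContext(claims["UserID"], claims["Role"], claims["TenantID"])
    except KeyError as missing:
        raise ValueError(f"missing claim {missing}") from None
```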
24. Let’s See It In Action
[Diagram: demo architecture with an Identity Provider federating into the AWS cloud]
25. Lean On Third-Party Solutions
[Diagram: the Core Features of the SaaS application surrounded by third-party solutions for Billing, Metering, Analytics, Monitoring, Administration, and Identity]
26. Takeaways
• SaaS identity is bigger than authentication
• Leave the heavy lifting, risk, and innovation to someone else
• Leverage the identity broker pattern to decouple from identity providers
• Don’t underestimate the value of SSO
• Make policy automation and manageability a priority
• Add tenant context to the identity token to limit bottlenecks
• If your identity solution is invasive, you’re doing it wrong