Posted On: Oct 4, 2017
This Quick Start provides the fundamentals for implementing identity and isolation in multi-tenant software as a service (SaaS) environments, using Amazon Cognito as the underlying identity provider.
The Quick Start introduces core concepts and best practices that you can use in your own SaaS applications. It includes a lightweight SaaS order management system that illustrates different aspects of identity and isolation, spanning the system and tenant roles in a multi-tenant environment.
The Quick Start uses claims to represent attributes that associate tenant information with each user. These claims are packaged and transported in an encoded JSON Web Token (JWT), and include a standard set of attributes that are supported by the OpenID Connect (OIDC) protocol. In addition, the Quick Start supports custom attributes, which are conveyed as custom claims in the JWT returned by the authentication process. The custom attributes are provisioned and configured when each tenant is onboarded to the system.
The Quick Start architecture includes AWS services such as the following:
- Amazon Cognito, for user and identity management
- AWS Identity and Access Management (IAM), to manage isolation policies and roles
- AWS Lambda, to implement a custom authorizer for validating system tokens
- Amazon API Gateway, to provide access to the microservices that support the reference application
- Amazon EC2 Container Service (Amazon ECS), to host containers for running microservices
- Amazon Simple Storage Service (Amazon S3), to serve content for the reference application
- Amazon DynamoDB, to provide storage for microservices
The deployment and configuration tasks are automated by AWS CloudFormation templates that you can customize during launch. You can also use the templates as a starting point for your own implementation, by downloading them from the GitHub repository. The Quick Start includes a guide that explains core SaaS identity and isolation concepts and implementation details, and includes step-by-step deployment and configuration instructions.
To get started, use the following resources:
- Learn more about the SaaS identity and isolation architecture on AWS
- View the deployment guide
- Browse and launch other AWS Quick Start reference deployments
About Quick Starts
Quick Starts are automated reference deployments for key workloads on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.