AWS Partner Network (APN) Blog

SaaS Quick Start Highlights Identity and Isolation with Amazon Cognito

Identity is not a new concept. There’s a large list of useful tools and technologies that effectively address the authentication and authorization needs of applications. However, for software as a service (SaaS) providers, the identity universe becomes a bit more complicated. SaaS extends the notion of identity, adding new kinds of roles and access considerations that shape and influence the fabric of your SaaS solutions.

The SaaS Identity and Isolation with Amazon Cognito Quick Start, which was recently published, equips developers with a full working solution that digs into the nuances of injecting tenant identity into SaaS applications. This Quick Start addresses a broad range of SaaS identity topics with specific emphasis on illustrating how tenant context is introduced via Amazon Cognito and used in combination with AWS Identity and Access Management (IAM) to scope access to tenant resources.

A key goal of this Quick Start is to create a model where user and tenant identity are merged into a unified model that flows seamlessly through your application’s architecture. The following diagram highlights the conceptual model underlying the Quick Start architecture.

 

The Quick Start introduces a model where, through Amazon Cognito, a user’s identity is bound to a tenant’s identity to create the notion of a SaaS identity. This SaaS identity is then treated as a first-class construct, and delivers all the context that is needed to represent both the user and any tenant attributes that may be needed to control and scope that user’s experience.

This is realized in a reference application that orchestrates all the moving parts associated with building a multi-tenant SaaS environment on AWS. This application was developed with an AngularJS client and a series of Node.js microservices to simulate the workflows of a simplified order management system. The goal was to provide a reference application that illustrates how identity influences all the different dimensions of your SaaS environment. Some of the key capabilities of this solution include:

  • Reduced tenant on-boarding and tenant activation friction
  • Provisioning of tenant-specific IAM roles and policies
  • Support for multiple user roles, including both system and tenant roles
  • Ability to manage system and tenant users
  • Tenant-scoped access to application infrastructure, including database access operations.
  • Use of JSON Web Tokens (JWT) to flow SaaS identity (and scoping) into each application microservice
  • Use of Amazon API Gateway and custom authorizers to scope and control access to application microservices
  • Illustration of identity in a pooled multi-tenant model where tenants share infrastructure

The application’s infrastructure includes a number of AWS services and constructs to create a highly scalable, highly available SaaS identity and isolation solution that conforms to best practices for deploying a container-based application in a virtual private cloud (VPC) that spans two Availability Zones. The following diagram provides a view of the environment that is provisioned by the Quick Start:

 

The Quick Start also includes a detailed guide that digs into the conceptual and architectural elements of the application. The guide outlines the steps associated with deploying and running the complete solution. Exploring this document will give you a better sense of the nature of the solution and the complexities of implementing a robust identity and isolation model in a SaaS environment.

This solution represents one of multiple options for addressing SaaS identity, and should provide a good foundation of concepts and implementation considerations that can accelerate your efforts to introduce identity into your SaaS environment. It also provides detailed insights into some of the fundamental mechanisms that you can use to improve the security of your SaaS environment without further complicating the developer experience.

For more information about the SaaS Identity and Isolation with Amazon Cognito Quick Start, see the data sheet and source repository.