SaaS adds all new dimensions to an application's identity and access model. Your identity architecture must now consider how it binds users to the tenants, creating the notion of a “SaaS Identity.” As part of this effort, SaaS architects must also introduce new strategies for flowing this identity through the services of your application and applying tenant content to the overall authorization model of your application. SaaS organizations also have options to employ a rich collection of AWS and APN Partner offerings that can help fill this void.
The Secret to SaaS (Hint: It's Identity)
Identity is a fundamental element of any SaaS environment. It must be woven into the fabric of your SaaS architecture and design, enabling you to authorize and scope access to your multi-tenant services, infrastructure, and data effectively. In this session, we pair with AWS partner Okta to examine how tenant identity is introduced into SaaS applications without undermining flexibility or developer productivity. The goal here is to highlight strategies that encapsulate tenant awareness and leverage the scale, security, and innovation enabled by AWS and its ecosystem of identity solutions. We dig into all the moving parts of the SaaS identity equation, showcasing the best practices and common considerations that will shape your approach to SaaS identity management.
Managing SaaS Users with Amazon Cognito
This blog post takes a look at the key capabilities of the Amazon Cognito Identity user pools feature. The goal is to touch on the main concepts and provide an introduction to some of the fundamental capabilities of this new feature.
Identity Federation and SSO for SaaS on AWS
In this blog post we explore some of the technologies and concepts behind single sign-on (SSO), linking third-party user identity to your applications (identity federation), and some of AWS products and partner solutions that can help with implementation.
Managing SaaS Identity Through Custom Attributes and Amazon Cognito
In this post, we will explore how to architect a multi-tenant system and identify tenant context and role using Amazon Cognito, which lets you easily add user sign-up and sign-in to your mobile and web apps. We'll first explain how to introduce tenant context into a multi-tenant application and then define custom attributes and claims. We'll also present a few design considerations and show you how to take advantage of custom attributes within a multi-tenant system.
SaaS Quick Start Highlights Identity and Isolation with Amazon Cognito
The SaaS Identity and Isolation with Amazon Cognito Quick Start equips developers with a full working solution that digs into the nuances of injecting tenant identity into SaaS applications. This Quick Start addresses a broad range of SaaS identity topics with specific emphasis on illustrating how tenant context is introduced via Amazon Cognito and used in combination with AWS Identity and Access Management (IAM) to scope access to tenant resources.
SaaS Identity and Isolation with Amazon Cognito AWS Quick Start
This Quick Start implements a high availability solution for identity and isolation in multi-tenant software as a service (SaaS) environments, using Amazon Cognito as the identity provider. The Quick Start provides a lightweight SaaS order management system that illustrates different aspects of identity and isolation, spanning the roles in a multi-tenant environment. The Quick Start deployment includes AWS services such as Amazon Cognito, AWS Lambda, Amazon API Gateway, and Amazon EC2 Container Service (Amazon ECS). The AWS CloudFormation templates that automate the deployment are customizable. The deployment guide explains core SaaS identity and isolation concepts and implementation details and includes step-by-step deployment and configuration instructions.
SaaS and OpenID Connect: The Secret Sauce of Multitenant Identity and Isolation
Identity is a foundational element of SaaS design, and getting it right can be challenging. You need a strategy that allows you to connect users to tenants, roles, and policies in a seamless model that doesn't handcuff developers. Fortunately, identity providers and OpenID Connect give us a model that equips SaaS providers with the tools they need to address all the moving parts of SaaS identity. In this session, we dive into the details of how you can use these solutions to build a robust identity solution—a solution that covers binding identities to tenants, supports tenant and system roles, and isolates tenant access. The goal here is to provide a concrete example of how to orchestrate all of these elements of the SaaS identity model on AWS.
AWS SaaS Factory Architecture Track: SaaS Identity and Onboarding
In this course, you will learn the end-to-end elements of the onboarding process and highlight key considerations of building a robust SaaS identity and onboarding experience, explore a specific approach that leverages OpenID Connect to embed tenant context into your system’s identity tokens, and examine how these tokens can be used to scope access to tenant resources. You will also explore the broader elements of onboarding, including billing relationships and the configuration and provisioning of the tenant environment.