SaaS identity and isolation with Amazon Cognito

Architecture and strategies for a robust SaaS identity and isolation model on AWS

This Quick Start deploys a highly available identity and isolation solution for multi-tenant software as a service (SaaS) environments, using Amazon Cognito as the identity provider.

The Quick Start provides a lightweight SaaS order management system that illustrates different aspects of identity and isolation, spanning the roles in a multi-tenant environment. The Quick Start deployment includes AWS services such as Amazon Cognito, AWS Lambda, Amazon API Gateway, and Amazon EC2 Container Service (Amazon ECS).

The AWS CloudFormation templates that automate the deployment are customizable. The deployment guide explains core SaaS identity and isolation concepts and implementation details, and includes step-by-step deployment and configuration instructions.


This Quick Start was developed by AWS solutions architects.

What you'll build

    This Quick Start’s architecture combines a number of AWS services and constructs into a highly scalable, highly available SaaS identity and isolation solution that follows best practices for deploying a container-based application in a virtual private cloud (VPC) that spans two Availability Zones.

    The SaaS reference application client is deployed using Amazon Simple Storage Service (Amazon S3). All of the assets of this AngularJS application are deployed to, and served from, an S3 bucket. The deployed web application interacts with the application’s back-end services through RESTful calls that are routed through Amazon API Gateway; each call carries the caller’s identity token, which supplies the tenant context.

    API Gateway provides a natural way to expose your services in SaaS environments, allowing you to meter and throttle access to your environment. It also supports a custom authorizer that validates the system’s identity tokens on every attempt to access a service. This authorizer is implemented as an AWS Lambda function, which lets you write custom authorization logic for requests as they flow through the gateway.

    Within the VPC, the architecture deploys network address translation (NAT) gateways in separate Availability Zones. These gateways, which are hosted in the VPC’s public subnets, provide highly available routing for traffic that flows from your private subnets to other AWS services or to the Internet.

    The SaaS application’s core services are hosted in the VPC’s private subnets. An Amazon ECS cluster hosts the containers that run the system’s microservices; seven separate Node.js microservices are deployed in this cluster. The cluster also uses Auto Scaling for basic high availability, and you can tune it further to respond dynamically to changes in tenant load, scaling up and down with demand. Each service applies the tenant identity context it receives with a request to control and scope access to the system’s resources.

    The reference application uses a variety of AWS services; for example:

    • Amazon DynamoDB tables are provisioned in a multi-tenant model for services that require storage.
    • AWS Identity and Access Management (IAM) manages and applies isolation policies and roles to prevent cross-tenant access.
    • Amazon Cognito serves as the identity provider, storing attributes that identify each tenant.
    • Amazon Simple Notification Service (Amazon SNS) publishes validation emails during the user registration process.
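The two points above, that each service scopes access by tenant identity and that IAM policies prevent cross-tenant access to the multi-tenant DynamoDB tables, can be illustrated together. The following Node.js module is an added example and is not the Quick Start’s own code: it builds a tenant-keyed DynamoDB query from the tenant context, generates a tenant-scoped IAM policy using the `dynamodb:LeadingKeys` condition key, and runs a simplified local check that shows the policy admitting the tenant’s own partition key and rejecting another tenant’s. The table name, account, region and the use of the policy as an STS session policy are assumptions; the local evaluator is an illustration of the condition, not a substitute for IAM.

```javascript
// Added example, not code from the Quick Start: how a microservice turns the tenant
// identity it received from the authorizer into (1) a DynamoDB query keyed by tenant and
// (2) an IAM policy using the dynamodb:LeadingKeys condition key, so that even a buggy
// query cannot reach another tenant's items. A small local evaluator shows the effect
// offline; it is a simplification of IAM, not a replacement. Table, account and region
// names are assumed.
const TABLE_NAME = 'OrderTable'; // assumed
const TABLE_ARN = 'arn:aws:dynamodb:us-east-1:123456789012:table/OrderTable'; // assumed

// Query parameters built from the tenant context; the tenant ID is the partition key
// and comes from the validated token, never from a client-supplied filter.
function ordersQuery(tenantId) {
  return {
    TableName: TABLE_NAME,
    KeyConditionExpression: 'tenant_id = :t',
    ExpressionAttributeValues: { ':t': { S: tenantId } },
  };
}

// Tenant-scoped policy, for example passed as the session policy when the service
// assumes its role through STS (an assumed wiring), so the resulting credentials can
// only touch items whose partition key equals the caller's tenant ID.
function tenantScopedPolicy(tenantId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:UpdateItem', 'dynamodb:Query'],
      Resource: [TABLE_ARN],
      Condition: { 'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': [tenantId] } },
    }],
  };
}

// Simplified local check of the policy (illustration only): a request is allowed when
// some Allow statement covers the action and table and every partition key the request
// touches is in the LeadingKeys list.
function isAllowed(policyDoc, action, tableArn, partitionKeys) {
  return policyDoc.Statement.some((st) => {
    if (st.Effect !== 'Allow') return false;
    if (!st.Action.includes(action) || !st.Resource.includes(tableArn)) return false;
    const cond = st.Condition && st.Condition['ForAllValues:StringEquals'];
    const leading = cond && cond['dynamodb:LeadingKeys'];
    if (!leading) return true; // no key condition: any item in the table
    return partitionKeys.every((k) => leading.includes(k));
  });
}

module.exports = { TABLE_ARN, ordersQuery, tenantScopedPolicy, isAllowed };
```

The two layers back each other up: the query is correct by construction because the partition key is taken from the authorizer’s tenant context, and the policy makes a request for another tenant’s partition key fail at the service boundary even if application code is later changed to accept a tenant ID from the client.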

    The architecture also supports continuous deployment: it uses a combination of AWS CodePipeline, AWS CodeBuild, S3 buckets, and the Amazon EC2 Container Registry (Amazon ECR) to manage the build and deployment of new application features.

How to deploy

    To build your highly available SaaS identity and isolation environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at
    2. Launch the Quick Start. Each deployment takes about 2 hours and 15 minutes. You can choose from two options:
    3. Test the deployment by logging in to the website for the reference application and walking through the order management system.

    To customize your deployment, you can configure CIDR blocks and IP addresses, set up system administrator credentials, and configure your DynamoDB tables, as discussed in the Quick Start deployment guide.

Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings may affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates.