aws re:invent 2016: the secret to saas (hint: it's identity) (gpssi404)
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tod Golding, AWS
Partner Solutions Architect
November 29, 2016
The Secret to SaaS (Hint: It’s Identity)
Stephen Lee, Okta
Director, Partner Solutions
GPSSI404
Beyond the Front Door
[Diagram: four topics around the tenant: Tenant Provisioning, Security & Isolation, Tenant Access Roles, Injecting Tenant Context]
The Identity Landscape
[Diagram: Tenant -> Identity Broker -> Identity Provider; the broker fronts identity services such as Multi-Factor Authentication, Application Single Sign-On, Password Management, Adaptive Access and additional identity services]
First, We Need A Tenant
[Diagram: New Tenant On-Boarding -> Tenant Identity Broker -> Identity Provider; on-boarding also drives Tenant Management, Billing, Domain Provisioning, SSL Certificate and IAM Policy]
• User: [email protected]
• TenantID: 491048735
• Domain: abc.com
• Tier: Platinum
• Status: Active
Managing Tenant Identity Policies
[Diagram: Amazon Cognito with one User Pool per tenant (Tenant1, Tenant2); a Tenant Admin Console manages each tenant's policies]
Tenant policies:
• Password policies
• Validation policies
• MFA policies
Identities and Environments
• Consider how identity is supported in non-production environments
• Need a mechanism to automate provisioning of identities and roles
• Automated testing should cover provisioning and scoping of access
[Diagram: Production, Integration and QA environments, each fed by Tenant On-Boarding Automation through an Identity Provisioning API]
Key Tenant Provisioning Considerations
• Find a seamless model for binding tenant to identities
• Consider fault tolerance for 3P integrations
• Need to factor in tenant lifecycle management
• Allow for tenant level variation in identity policies
• Let identity providers do the heavy lifting
• Lean on automation and repeatability
Identity & Isolation: Many Levels, One Goal
[Diagram: three isolation models: Full Stack Isolation (separate Web Tier and App Tier per tenant), Resource-Level Isolation (shared tiers, per-tenant resources) and Application-Level Isolation (tenants share resources and are separated inside the application)]
IAM Policies Scope Tenant Access
[Diagram: Web Tier and App Tier shared by tenants; a Tenant1 Access Policy and a Tenant2 Access Policy scope each tenant to its own items in CustomerTable and its own bucket (T1-Bucket, T2-Bucket)]
Binding Policies to Tenants
[Diagram: Web Application -> Tenant Identity Broker -> Identity Provider, with the application running in the AWS cloud]
• Identity resolved to STS token
• Acquire token with tenant-scoped access
• Leverage a temporary token
• No need for separate AWS identity
Managing IAM Policies
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::test_bucket"
    }
}
Tenant IAM Policies
[Diagram: Tenant Provisioning creates a tenant-specific policy and a Role for Identity Provider Access]
• Tenant-specific policy scopes access
• Role is bound to identity provider “application” identifier and tenant policies
• Secret sauce: AssumeRoleWithWebIdentity()
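The binding described on the two slides above, written out as an added example (not code from the talk): a tenant-scoped session policy, the trust policy that ties the role to the identity provider's application id, and the AssumeRoleWithWebIdentity call that turns a user's id token into temporary, tenant-scoped credentials. The account id, bucket, table and provider host are constructed assumptions, and the trust policy assumes an OIDC provider registered in IAM.

```python
import json

# Constructed sample values for this example (not from the talk).
ACCOUNT_ID = "123456789012"
TENANT_BUCKET = "saas-tenant-data"   # one bucket, one key prefix per tenant
CUSTOMER_TABLE = "CustomerTable"     # partition key holds the TenantID

def tenant_access_policy(tenant_id: str) -> dict:
    """Policy scoped to one tenant: S3 limited to the tenant's prefix and
    DynamoDB limited to items whose partition key equals the tenant id."""
    table_arn = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/{CUSTOMER_TABLE}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{TENANT_BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": f"{tenant_id}/*"}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{TENANT_BUCKET}/{tenant_id}/*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
         "Resource": table_arn,
         "Condition": {"ForAllValues:StringEquals":
                       {"dynamodb:LeadingKeys": [tenant_id]}}},
    ]}

def web_identity_trust_policy(provider_host: str, app_client_id: str) -> dict:
    """Trust policy for the role: only tokens the identity provider issued for
    this application (the aud claim) may call AssumeRoleWithWebIdentity."""
    provider_arn = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{provider_host}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{provider_host}:aud": app_client_id}},
    }]}

def tenant_scoped_credentials(sts, role_arn: str, id_token: str, tenant_id: str) -> dict:
    """Exchange the user's OIDC id token for temporary credentials limited to the
    intersection of the role's policy and the tenant session policy. `sts` is a
    boto3 STS client (or a test double); the tenant needs no IAM user of its own."""
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=f"tenant-{tenant_id}",
        WebIdentityToken=id_token,
        Policy=json.dumps(tenant_access_policy(tenant_id)),  # session policy
    )
    return resp["Credentials"]
```

Because the tenant policy is passed as a session policy, the returned credentials can never exceed what the role itself allows, and every call they sign carries the tenant scope for IAM to enforce.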
Key Security & Isolation Considerations
• Applying isolation may require a hybrid of AWS and application strategies
• Avoid having separate IAM users for each tenant
• Automate testing of isolation policies/strategy
• Consider the scale, management, and automation impacts of managing access policies
• Let IAM enforce your tenant level scoping
Where Do Roles Fit?
[Diagram: a Role-Based Access Policy covers SaaS Provider Roles (System Admin, Operations, Support), Tenant Roles (Sales, Marketing) and Tools Roles]
Provisioning SaaS Provider Roles
[Diagram: Federated Identity Provider -> Identity Broker -> SaaS Provider Admin Console; User Provisioning also covers third-party tools]
• User: [email protected]
• Role: Admin
• TenantID: None
>sudo create-user
• Supporting multi-tenant views of resources
• New scopes and provisioning considerations
• Custom user provisioning (no on-boarding flow)
Provisioning Tenant User Roles
[Diagram: SaaS User On-Boarding assigns application roles such as Sales and Marketing inside the SaaS Application]
• Tenant identity policies applied to application users
• Application driven on-boarding experience
Creating IAM Roles and Policies
[Diagram: a provisioning step (>provision) creates a System Admin Role and a Support Role, each with a Role for Identity Provider Access]
System Admin IAM Policy
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "arn:aws:s3:::test_bucket"
    }
}
Support IAM Policy
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::test_bucket"
    }
}
Key Roles Considerations
• Roles are broader than tenants alone
• Leverage federated identity for tool integration
• Automate provisioning and management of system access policies
• Require MFA authentication for all admin operations (CLI or console)
• Avoid allowing tenants direct access to AWS resources
The Tenant Identity Bottleneck
[Diagram: the User calls SelectProduct on the Catalog Service, AddToCart on the Cart Service and Checkout on the Checkout Service; each service first calls LookupTenant on the Tenant Management Service to obtain the TenantID]
Now imagine you have 200 microservices
Bundling Tenant With Identity
[Diagram: the Identity Broker issues one token that carries both User Identity and Tenant Identity to the Cart, Catalog and Checkout Services]
User Identity + Tenant Identity = SaaS Identity
OpenID Connect to the Rescue
[Diagram: the Auth Service and Tenant Service issue a JWT token carrying the tenant context; the Homepage, Catalog Service and Cart Service each apply access control from that token, and every request carries the header Authorization: Bearer <JWT>]
Tenant context carried in the JWT token:
{
    "UserID": "[email protected]",
    "Role": "Admin",
    "TenantID": "93194942"
}
Key Tenant Context Considerations
• Avoid crossing boundaries to resolve tenant context
• Package tenant as a claim in your id tokens
• Hide the details of un-packing the tenant from the token
• User identity + Tenant identity = SaaS identity
• Make SaaS identity a first class concept
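An added example, not from the talk, of the two slides above: the broker packages the tenant as a claim next to the user, and one helper that every service calls verifies the bearer token and hands back the SaaS identity, so no service crosses a boundary to look the tenant up. It signs with an HS256 shared secret to stay self-contained (an assumption; a real broker would verify the provider's RS256 signature with its published key), and the user and tenant values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for this example. A real identity broker verifies
# the provider's RS256 signature with its published public key instead.
BROKER_SECRET = b"example-shared-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_saas_token(user_id: str, role: str, tenant_id: str,
                    ttl_seconds: int = 3600, now: int = None) -> str:
    """Issue an HS256 JWT carrying the tenant as a claim next to the user."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"UserID": user_id, "Role": role,
                                "TenantID": tenant_id, "iat": now,
                                "exp": now + ttl_seconds}).encode())
    sig = hmac.new(BROKER_SECRET, f"{header}.{claims}".encode(), hashlib.sha256)
    return f"{header}.{claims}.{b64url(sig.digest())}"

def tenant_context(authorization: str, now: int = None) -> dict:
    """Verify the bearer token from an Authorization header value and return the
    SaaS identity (user, role, tenant). Every service calls this helper instead
    of looking the tenant up in the tenant management service."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("expected 'Authorization: Bearer <JWT>'")
    header, claims, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never let the token pick the algorithm
    expected = hmac.new(BROKER_SECRET, f"{header}.{claims}".encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.digest(), b64url_decode(sig)):
        raise ValueError("bad signature")
    body = json.loads(b64url_decode(claims))
    now = int(time.time()) if now is None else now
    if now >= body["exp"]:
        raise ValueError("token expired")
    return {k: body[k] for k in ("UserID", "Role", "TenantID")}
```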
Lean On Third-Party Solutions
[Diagram: Core Features surrounded by third-party services: Billing, Metering, Analytics, Monitoring, Administration, Identity]
Takeaways
• SaaS identity is bigger than authentication
• Leave the heavy lifting, risk, and innovation to someone else
• Leverage identity broker pattern to decouple from identity providers
• Don’t underestimate the value of SSO
• Make policy automation and manageability a priority
• Add tenant context to identity token to limit bottlenecks
• If your identity solution is invasive, you’re doing it wrong