aws re:invent 2016: the secret to saas (hint: it's identity) (gpssi404)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

The Secret to SaaS (Hint: It’s Identity) (GPSSI404)

Tod Golding, AWS Partner Solutions Architect

Stephen Lee, Okta Director, Partner Solutions

November 29, 2016

Uploaded by amazon-web-services, posted 06-Jan-2017. Category: Technology.

TRANSCRIPT


Beyond the Front Door

• Injecting Tenant Context

• Security & Isolation

• Tenant Access Roles

• Tenant Provisioning

The Identity Landscape

Diagram: Tenant → Identity Broker → Identity Provider, with the Application alongside. Additional identity services: Multi-Factor Authentication, Single Sign-On, Password Management, Adaptive Access.

First, We Need A Tenant

Diagram: New Tenant On-Boarding → Tenant Identity Broker → Identity Provider; the tenant is recorded in Tenant Management and Billing; Domain Provisioning, an SSL Certificate and an IAM Policy are created for the tenant.

• User: [email protected]

• TenantID: 491048735

• Domain: abc.com

• Tier: Platinum

• Status: Active

Managing Tenant Identity Policies

Diagram: Amazon Cognito with one User Pool per tenant (Tenant1, Tenant2); each tenant’s policies are managed from a Tenant Admin Console.

• Password policies

• Validation policies

• MFA policies

Identities and Environments

• Consider how identity is supported in non-production environments

• Need a mechanism to automate provisioning of identities and roles

• Automated testing should cover provisioning and scoping of access

Diagram: Production, Integration and QA environments, each populated by Tenant On-Boarding Automation through an Identity Provisioning API.

Adding SSO to On-Boarding

Diagram: User → SaaS Application Dashboard via SSO.

Key Tenant Provisioning Considerations

• Find a seamless model for binding tenant to identities

• Consider fault tolerance for 3P integrations

• Need to factor in tenant lifecycle management

• Allow for tenant level variation in identity policies

• Let identity providers do the heavy lifting

• Lean on automation and repeatability

Identity & Isolation: Many Levels, One Goal

Diagram: three isolation models. Full Stack Isolation: a separate Web Tier and App Tier per tenant (Tenant 1, Tenant 2). Resource-Level Isolation: shared tiers, with each resource partitioned between Tenant 1 and Tenant 2. Application-Level Isolation: shared resources whose rows carry a Key column identifying the tenant (Tenant1, Tenant2, Tenant3).

IAM Policies Scope Tenant Access

Diagram: shared Web Tier and App Tier; a Tenant1 Access Policy scopes access to CustomerTable and T1-Bucket, a Tenant2 Access Policy scopes access to CustomerTable and T2-Bucket.

Binding Policies to Tenants

Diagram: Web Application → Tenant → Identity Broker → Identity Provider; the resulting token is used against the AWS cloud.

• Identity resolved to STS token

• Acquire token with tenant-scoped access

• Leverage a temporary token

• No need for separate AWS identity

Managing IAM Policies

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::test_bucket"
    }
}

Tenant IAM Policies

Diagram: Tenant Provisioning creates the tenant-specific policy and a Role for Identity Provider Access.

• Tenant-specific policy scopes access

• Role is bound to identity provider “application” identifier and tenant policies

• Secret sauce: AssumeRoleWithWebIdentity()

Key Security & Isolation Considerations

• Applying isolation may require a hybrid of AWS and application strategies

• Avoid having separate IAM users for each tenant

• Automate testing of isolation policies/strategy

• Consider the scale, management, and automation impacts of managing access policies

• Let IAM enforce your tenant level scoping
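The three slides above (Managing IAM Policies, Tenant IAM Policies, and the isolation considerations) describe generating a tenant-scoped policy at provisioning time, binding a role to the identity provider’s application identifier for AssumeRoleWithWebIdentity, and testing that the scoping holds. The following is an added example written for this transcript, not code from the talk or from AWS: it builds the per-tenant permissions policy and the trust policy as Python dictionaries and runs a simple cross-tenant check over them. The account id, bucket naming scheme, OIDC provider host and application client id are placeholders; the tenant ids are the two that appear on the slides.

```python
"""Tenant-scoped IAM policy generation plus a simple isolation test.

Added example for this transcript (not code from the talk or from AWS).
The account id, bucket naming scheme, OIDC provider host and application
client id are placeholders, not values from the deck.
"""
import json
from typing import Any, Dict, List

ACCOUNT_ID = "123456789012"             # placeholder
OIDC_PROVIDER_HOST = "idp.example.com"  # placeholder: IAM OIDC provider, no https://
APP_CLIENT_ID = "saas-app-client-id"    # placeholder: the IdP "application" identifier
CUSTOMER_TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/CustomerTable"


def tenant_bucket(tenant_id: str) -> str:
    """Per-tenant bucket name (assumed scheme, the deck's 'T1-Bucket' lower-cased for S3)."""
    return f"t{tenant_id}-bucket"


def build_tenant_policy(tenant_id: str) -> Dict[str, Any]:
    """Permissions policy for one tenant's role: only that tenant's bucket, and
    only CustomerTable items whose partition key is that tenant id."""
    bucket = tenant_bucket(tenant_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "TenantRows",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": CUSTOMER_TABLE_ARN,
                # dynamodb:LeadingKeys is a real IAM condition key: it limits the
                # partition-key values the caller may read or write.
                "Condition": {
                    "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
                },
            },
        ],
    }


def build_trust_policy() -> Dict[str, Any]:
    """Trust policy on every tenant role: federated users of the OIDC provider may
    call AssumeRoleWithWebIdentity, but only with tokens issued to our application
    (aud == client id). No per-tenant IAM user is needed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER_HOST}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {f"{OIDC_PROVIDER_HOST}:aud": APP_CLIENT_ID}},
            }
        ],
    }


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def names_resource(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """Simplified check for isolation tests: does any Allow statement list this
    exact action and resource ARN? It ignores wildcards, Deny statements and
    Conditions on purpose; it is a test helper, not IAM's evaluation logic."""
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        if action in _as_list(statement["Action"]) and resource in _as_list(statement["Resource"]):
            return True
    return False


def cross_tenant_leaks(tenant_ids: List[str], action: str = "s3:ListBucket") -> List[str]:
    """Generate every tenant's policy and report any that names another tenant's
    bucket; an empty list means the bucket scoping held for this action."""
    leaks = []
    for owner in tenant_ids:
        policy = build_tenant_policy(owner)
        for other in tenant_ids:
            if other != owner and names_resource(policy, action, f"arn:aws:s3:::{tenant_bucket(other)}"):
                leaks.append(f"{owner} can reach {other}")
    return leaks


def render(policy: Dict[str, Any]) -> str:
    """The JSON document you would hand to IAM when creating the policy or role."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print(render(build_tenant_policy("491048735")))
    print(render(build_trust_policy()))
    print("leaks:", cross_tenant_leaks(["491048735", "93194942"]))
```

The trust policy is deliberately the same for every tenant role: IAM can condition on the provider’s `aud` and `sub` claims but not on an arbitrary tenant claim, so the tenant binding lives in which role the broker asks for and in that role’s permissions policy. `cross_tenant_leaks` is the kind of check the “Automate testing of isolation policies” bullet calls for, run against the generated documents before they are pushed to IAM.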

Where Do Roles Fit?

Diagram: a Role-Based Access Policy spans SaaS Provider Roles (System Admin, Operations, Support), Tenant Roles (Sales, Marketing) and Tools Roles.

Provisioning SaaS Provider Roles

Diagram: from the SaaS Provider Admin Console, >sudo create-user goes through the Identity Broker to the Federated Identity Provider (User: [email protected], Role: Admin, TenantID: None); Third-Party Tools are attached through User Provisioning.

• Supporting multi-tenant views of resources

• New scopes and provisioning considerations

• Custom user provisioning (no on-boarding flow)

Provisioning Tenant User Roles

Diagram: SaaS User On-Boarding assigns Application Roles (Sales, Marketing) within the SaaS Application.

• Tenant identity policies applied to application users

• Application driven on-boarding experience

Creating IAM Roles and Policies

System Admin IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "arn:aws:s3:::test_bucket"
    }
}

Support IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::test_bucket"
    }
}

Diagram: >provision creates a System Admin Role and a Support Role, each a Role for Identity Provider Access bound to its policy.

Key Roles Considerations

• Roles are broader than tenants alone

• Leverage federated identity for tool integration

• Automate provisioning and management of system access policies

• Require MFA authentication for all admin operations (CLI or console)

• Avoid allowing tenants direct access to AWS resources

The Tenant Identity Bottleneck

Diagram: User → Catalog Service (SelectProduct) → Cart Service (AddToCart) → Checkout Service (Checkout); each service calls the Tenant Management Service (LookupTenant) to obtain the TenantID.

Now imagine you have 200 microservices

Bundling Tenant With Identity

Diagram: the Identity Broker issues a Token containing both User Identity and Tenant Identity; Cart Service, Catalog Service and Checkout Service read the tenant from the token.

User Identity + Tenant Identity = SaaS Identity

OpenID Connect to the Rescue

Diagram: the Tenant authenticates with the Auth Service, which issues a JWT token carrying the tenant context; Homepage, Catalog Service and Cart Service each apply Access Control from that token (Authorization: Bearer <JWT>) without calling the Tenant Service.

Tenant context in the JWT token:

{
    UserID: "[email protected]",
    Role: "Admin",
    TenantID: "93194942"
}

Key Tenant Context Considerations

• Avoid crossing boundaries to resolve tenant context

• Package tenant as a claim in your id tokens

• Hide the details of un-packing the tenant from the token

• User identity + Tenant identity = SaaS identity

• Make SaaS identity a first class concept
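The bottleneck, bundling and OpenID Connect slides above, and the considerations just listed, come down to one rule: the tenant travels as a claim in the signed token, and a single helper un-packs it so no service calls tenant management per request. The following is an added example written for this transcript, not code from the talk or from Okta or AWS. It issues and verifies a compact HS256 JWT with a constructed shared secret so it runs offline; against a real identity provider you would verify the provider’s RS256 signature using its published keys and also check the `iss` and `aud` claims. The user id and claim names are assumptions; the tenant ids are the ones on the slides.

```python
"""Tenant context as a claim in the id token, with the un-packing hidden behind
one helper so services never resolve the tenant out of band.

Added example for this transcript, not code from the talk or from Okta/AWS.
HS256 with a constructed shared secret keeps it self-contained; a production
verifier checks the identity provider's RS256 signature, iss and aud.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SECRET = b"constructed-demo-secret"  # placeholder, never a real key


class TokenError(Exception):
    """Raised when the bearer token cannot be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue_token(user_id: str, role: str, tenant_id: str, ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Identity broker side: user identity + tenant identity in one JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "role": role, "tenant_id": tenant_id,
              "iat": now, "exp": now + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_sign(signing_input))


def tenant_context(authorization_header: str, now: Optional[int] = None) -> Dict[str, Any]:
    """Service side: verify the Authorization header and return the SaaS identity
    {user, role, tenant}. Every service calls this and nothing else."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("missing bearer token")
    try:
        h, c, s = token.split(".")
        header = json.loads(_unb64(h))
        signature = _unb64(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise TokenError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # pin the algorithm; never trust the header's choice
    if not hmac.compare_digest(_sign(f"{h}.{c}"), signature):
        raise TokenError("bad signature")  # checked before the claims are used
    try:
        claims = json.loads(_unb64(c))
    except ValueError:
        raise TokenError("malformed token")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if not claims.get("tenant_id"):
        # A user identity without a tenant is not a SaaS identity: refuse it
        # rather than falling back to a tenant lookup.
        raise TokenError("no tenant claim")
    return {"user": claims.get("sub"), "role": claims.get("role"), "tenant": claims["tenant_id"]}


def rejection_reason(authorization_header: str, now: Optional[int] = None) -> Optional[str]:
    """None if the token is accepted, otherwise why it was rejected (tests and logs)."""
    try:
        tenant_context(authorization_header, now)
        return None
    except TokenError as err:
        return str(err)


def rewrite_claims_keeping_signature(token: str, **changes: Any) -> str:
    """Re-encode the claims with changed values but keep the original signature;
    used only to show that the signature check rejects an edited token."""
    h, c, s = token.split(".")
    claims = json.loads(_unb64(c))
    claims.update(changes)
    return f"{h}.{_b64(json.dumps(claims).encode())}.{s}"


def cart_items(authorization_header: str, cart_store: Dict[tuple, list],
               now: Optional[int] = None) -> list:
    """A cart service: the tenant comes from the token and scopes the lookup."""
    ctx = tenant_context(authorization_header, now)
    return cart_store.get((ctx["tenant"], ctx["user"]), [])
```

`cart_items` shows the shape every service takes: one call to `tenant_context`, then a lookup keyed by the tenant from the token. Swapping the verifier for the identity provider’s key set changes only `tenant_context`; the services never learn how the tenant was un-packed.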

DEMO: Let’s See It In Action

Diagram: Identity Provider ↔ AWS cloud.

Lean On Third-Party Solutions

Diagram: Core Features surrounded by Billing, Metering, Analytics, Monitoring, Administration and Identity.

Takeaways

• SaaS identity is bigger than authentication

• Leave the heavy lifting, risk, and innovation to someone else

• Leverage identity broker pattern to decouple from identity providers

• Don’t underestimate the value of SSO

• Make policy automation and manageability a priority

• Add tenant context to identity token to limit bottlenecks

• If your identity solution is invasive, you’re doing it wrong


Register for a Bootcamp: get in-depth knowledge and training from AWS Instructors and Solutions Architects. reinvent.awsevents.com/training #AWSTraining

Get AWS Certified Onsite: demonstrate your technical proficiency and receive special recognition onsite. Register today. reinvent.awsevents.com/certification #AWSCertified

Take Hands-on Labs: practice with AWS in a live environment. Choose from 100+ lab topics and attend a Spotlight Lab session. Free Onsite.

Thank you!