Identity is a foundational element of SaaS design, and getting it right can be challenging. You need a strategy that allows you to connect users to tenants, roles, and policies in a seamless model that doesn't handcuff developers. Fortunately, identity providers and OpenID Connect give us a model that equips SaaS providers with the tools they need to address all the moving parts of SaaS identity. In this session, we dive into the details of how you can use these solutions to build a robust identity solution—a solution that covers binding identities to tenants, supports tenant and system roles, and isolates tenant access. The goal here is to provide a concrete example of how to orchestrate all of these elements of the SaaS identity model on AWS.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
SaaS and OpenID Connect: The Secret Sauce Mul ti -
Tenant Id enti ty and Isol ati on
T o d G o l d i n g
P a r t n e r S o l u t i o n s A r c h i t e c t
S a a S T e c h L e a d
t o d g @ a m a z o n . c o m
G P S T E C 3 2 3
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
THE SAAS IDENTITY CHALLENGE
User Identity
Amazon Cognito
Tenant Identity
• Tenant ID
• Company Name
• Status
• Billing Tier
SaaS Identity
• SaaS Auth and Auth
• Implicit Isolation
• Applied Tenant Policies
• Embedded SaaS Context
A First-Class SaaS Token

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAAS IDENTITY WITH MICROSERVICES
Service
Service
Service
Service
Service
Service
Service
Service
Service
• Flowing identity through services
• Low latency resolution of tenant context
• Streamlined developer experience

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
THE TRADITIONAL MODEL
Identity
Provider
Redirect
2
3
4
Application
Service
5
User Token
Application
Service
Web App
1
Tenant
Tenant
Management
Bottleneck
User  Tenant

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OIDC TO THE RESCUE
OpenID
Provider
Redirect
2
3
Access Token
ID Token
Application
Service
HTTP Header
Authorization: Bearer <Token>
Application
Service
HTTP Header
Authorization: Bearer <Token>
Web
App
1
Tenant
Tenant
Management

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
EMBEDDING TENANT CONTEXT IN CLAIMS
Access Token
ID Token
{
"sub” : ”jane",
"email” : ”jane@test.com",
"email_verified” : true,
"name” : ”Jane Doe",
"given_name” : ”Jane",
"family_name” : ”Doe",
"phone_number” : ”(408) 555-1212",
"profile” : "https://test.com”
}
{
"iss” : "https://test.auth.com/",
"aud” : "https://test.com/v1/",
"sub” : "usr_123",
"scope” : "read write",
"iat” : 1458785796,
"exp” : 1458872196
}
JSON Web Token (JWT)
JSON Web Token (JWT)
Tenant
Identity Claims
• TenantID
• Status
• Tier
Add tenant attributes as
custom claims

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Signed TokenJWT Token
SECURING TOKENS
{
"sub” : ”jane",
"email” : ”jane@test.com",
"email_verified” : true,
"name” : ”Jane Doe",
"given_name” : ”Jane",
"family_name” : ”Doe",
"phone_number” : ”(408) 555-1212",
"profile” : "https://test.com”
}
Certificate
eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ew
ogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wb
GUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiw
KICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2Ui
OiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMj
gxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.gg
W8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgd
qrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-
cwh3LOp146waJ8IhehcwL7F09JdijmBqkvPeB2T9
CJNqeGpegccMg4vfKjkM8FcGvnzZUN4_KSP0aAp
1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQ
ILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6
EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV
9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrL
l0nx7RkKU8NXNHq-rvKMzqg

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
TENANT REGISTRATION WITH COGNITO
Create User Pool
• TenantID
• Role
• Tier
• Company
Create Federated Identity
• UserPoolID • AppID
Create User

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SUPPORTING TENANT LEVEL POLICIES
Multi-factor authentication
Email and phone number verification
SMS messaging
********** Password policies

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
MULTIPLE PROVISIONING PATHS
System Admin
(ISV Owner/Super User)
Registration
Service
System
Provisioning
1
Tenant
Admin
Tenant
Onboarding
2
Tenant
Administration
3
Tenant
User
4

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
TENANT AUTHENTICATION FLOW WITH COGNITO
Web
App
1
Tenant
Auth
Manager
2
User
Manager
3
• UserId: joe@abc.com
• UserPoolId: 10401
Amazon
Cognito
4
LookupUserPool(userId)
5
• A user can only be associated with a single tenant
• How would you support a single user with multiple tenants?

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
THE CUSTOM CLAIMS CHALLENGE
Amazon
Cognito
Standard Claims
• given_name
• family_name
• middle_name
• gender
• Email
Custom Claims
• tenant_id
• role
• tier
• company_name
• status
Universal To Most Providers Requires access to claim
management/customization

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
TOKEN VALIDATION WITH AMAZON API GATEWAY
API Gateway
Order
Service
Catalog
Service
Cart
Service
Access Token
Custom
Authorizer

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS LAMBDA VALIDATOR FUNCTION
verifiedJwt = nJwt.verify(event.authorizationToken, key);
// parse the ARN from the incoming event
// if the token is invalid, deny access immediately
…
policy = new AuthPolicy(verifiedJwt.body.sub, awsAccountId, apiOptions);
if (verifiedJwt.body.scope.indexOf("admins") > -1) {
policy.allowAllMethods();
} else {
policy.allowMethod(AuthPolicy.HttpVerb.GET, "*");
policy.allowMethod(AuthPolicy.HttpVerb.POST, "/users/" +
verifiedJwt.body.sub);
}
context.succeed(policy.build());

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SIMPLIFYING THE DEVELOPER EXPERIENCE
Web
AppClient
$rootScope.bearerToken = response.data.token;
var decodedToken =
jwtHelper.decodeToken($rootScope.bearerToken);
$rootScope.userDisplayName = decodedToken['given_name'] + ' '
+ decodedToken['family_name'];
$rootScope.userRole = decodedToken['custom:role'];
Application
Service
app.get('/order/:id', function(req, res) {
tokenManager.getCredentialsFromToken(req, function(credentials) {
var db = new DynamoDBHelper(orderSchema, credentials, config);
db.getItem(params, credentials, function (err, order)
}
}

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CENTRALIZED TOKEN MANAGEMENT
module.exports.getCredentialsFromToken = function(req, updateCredentials) {
var bearerToken = req.get('Authorization');
if (bearerToken) {
var tokenValue = bearerToken.substring(bearerToken.indexOf(' ') + 1);
var decodedIdToken = jwtDecode(tokenValue);
async.waterfall([
function(callback) {
getUserPoolWithParams(userName, callback)
},
function(userPool, callback) {
authenticateUserInPool(userPool, tokenValue, callback)
}
], function(error, results) {
if (!error)
updateCredentials(results)
});
}
};

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CONNECTING IDENTITY TO TENANT ISOLATION
Tenant1 Tenant2
S3 Bucket
S3 BucketDynamoDB
Table
DynamoDB
Table
SQS Queue

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SYSTEM USERS ADD ANOTHER WRINKLE
Tenant-1
User
Tenant-1
User
Tenant-1
User
Tenant-2
User
Tenant-2
User
Tenant-2
User
Tenant-1
Admin
Tenant-2
Admin
System
Admin
System
Ops
System
Support
System users have
access to all tenant
resources

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
PROVISIONING AWS IAM POLICES FOR TENANT ROLES
Registration
Create
Identity
Tenant
Admin
Role
Tenant
Order
Manager
Role
Tenant
Catalog
Manager
Role
Provision IAM roles/policies for each
system and tenant role
System
Registration
Tenant Registration System
Admin
Role
System
Ops
Role
System
Support
Role

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SCOPING POLICIES BY TENANT
{
"Sid": "TenantReadOnlyOrderTable",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:DescribeTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:7000001000000:table/Order"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"5bd24c40d66c4755819d28ceab9f0826"
]
}
}
}

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
RESOLVING CREDENTIALS WITH AMAZON COGNITO
Access Token
Web
App
1
3
OpenID
Provider
Redirect
2
ID Token
Tenant
4
5
App ServiceGet Orders
Amazon
Cognito
Get Creds
for Role
Scoped
Creds6 7

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
MAPPING ROLES WITH ASSUME ROLE
Access Token
Web
App
1
3
OpenID
Provider
Redirect
2
ID Token
Tenant
4
6
STS Token
5
AWS
STS
Service
AssumeRoleWithWebIdentity()

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
POLICY STRATEGIES VARY
DynamoDB
RDS Amazon
Redshift
SQS
• Each AWS resource may require a unique strategy for injecting
tenant context into its IAM policy
• The model you pick for tenant (silo, bridge, pool) will influence
your policy scheme
Siloed Model Pool Model
Tenant TenantTenant
Tenant
Tenant Tenant
Tenant

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
MAKING IDENTITY AN EARLY PRIORITY
Order
Management
CatalogCart Auth Manager
Tenant
API Gateway
DynamoDB RDS Amazon
Redshift
Amazon
Cognito
Tenant identity
shapes multi-tenant
design at every layer
of your architecture

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
LEVERAGING PARTNER SOLUTIONS
Redirect
2
3
Access Token
ID Token
Web
App
1
Tenant
• Wide adoption of OIDC
• Varying approaches to tenant mapping
• Consider support for custom claims
• Must accommodate AssumeRole() flow
4 AWS
STS
Service
AssumeRoleWithWebIdentity()

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
TAKEAWAYS
• Need a model that treats SaaS identity as a first-class construct
• Piggyback on claims to introduce your SaaS custom attributes
• Leveraging custom claims may impact your provider portability
• Hide the details of authorization from developers
• Consider the needs of both tenant AND system users
• Identity directly influences your isolation scheme
• SaaS should always start with identity

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
RE-THINKING YOUR IDENTITY SCHEME
• How are you connecting user identity to tenants today?
• How does tenant context flow through your application
services?
• Is your model efficient for the system and developers?
• How is access being validated on each request?
• What are you doing to limit cross-tenant access?

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ADDITIONAL RESOURCES
SaaS Quick Starts
• SaaS Identity and Isolation with Amazon Cognito
re:INVENT sessions
• Tenant Health in a Multi-Tenant Environment Featuring New Relic
(GPSTEC309)
• Deconstructing SaaS: A Deep Dive into Building Multi-tenant Solutions
on AWS (ARC407)

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!