Supporting federated identity in multi-tenant environments (SAS307)

Overview of the Session

The session provides an in-depth discussion of adding federated identity support to multi-tenant SaaS environments. The key takeaways from the session are:

Standard SaaS Identity Patterns

  • SaaS applications have an application plane and a control plane, with the control plane providing tenant onboarding and identity management capabilities.
  • SaaS applications typically have a centralized identity provider (IdP) to manage tenant users and their identities, providing authentication and authorization.
  • SaaS identity is represented using a token-based approach, such as JSON Web Tokens, so that identity and tenant context can be passed to downstream services without extra lookups.

Federated Identity in SaaS

  • Tenants may want to use their own corporate IdPs for single sign-on, rather than creating user profiles in the SaaS IdP.
  • SaaS providers need to support both standard identity workflows and federated identity workflows to accommodate different tenant requirements.
  • Federated identity introduces additional challenges, such as managing the asynchronous onboarding workflow, injecting tenant context for federated users, and handling compliance and regulatory requirements.

Implementing Federated Identity with Amazon Cognito

  • SaaS providers can use Amazon Cognito as the SaaS IdP and integrate with tenant corporate IdPs using protocols such as OpenID Connect (OIDC) and SAML.
  • Cognito supports the concept of federated identity providers to manage the protocol-specific configuration for each tenant.
  • SaaS providers can use Cognito's triggers (e.g., a post-confirmation Lambda function) to automatically inject tenant context for federated users.
  • Resolving the correct federated IdP dynamically at runtime is a key challenge; it can be addressed by passing additional parameters (e.g., an IdP identifier) in the authorization request.
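The tenant-context injection described above, as an added example that is not code from the session or from Amazon Cognito: the core logic of a post-confirmation Lambda trigger that looks up the tenant for a federated user from the IdP name Cognito records in the user's `identities` attribute, falls back to a sign-up attribute for users of the standard workflow, and refuses to confirm a user it cannot place in a tenant. The IdP names, tenant ids, and the `custom:tenantId` attribute are constructed for the example.

```python
import json

# Constructed tenant registry: Cognito federated IdP name -> tenant id.
# In a real control plane this mapping would be stored per tenant (e.g., DynamoDB).
IDP_TO_TENANT = {
    "AcmeSAML": "tenant-acme",
    "GlobexOIDC": "tenant-globex",
}

class TenantResolutionError(Exception):
    """Raised when no tenant can be attached to the confirmed user."""

def federated_provider(event):
    """Return the Cognito IdP name for a federated user, or None for a native user."""
    # Cognito stores federated links in the 'identities' attribute as a JSON array.
    attrs = event.get("request", {}).get("userAttributes", {})
    raw = attrs.get("identities")
    if not raw:
        return None
    identities = json.loads(raw)
    primary = [i for i in identities if str(i.get("primary")).lower() == "true"]
    chosen = primary[0] if primary else identities[0]
    return chosen.get("providerName")

def resolve_tenant(event):
    """Pick the tenant for a native or federated user; fail closed if unknown."""
    attrs = event["request"]["userAttributes"]
    provider = federated_provider(event)
    if provider is None:
        tenant = attrs.get("custom:tenantId")  # standard workflow: set at sign-up
    else:
        tenant = IDP_TO_TENANT.get(provider)   # federated workflow: from IdP name
    if not tenant:
        # Raising here makes Cognito reject the confirmation, so no user exists
        # without a tenant binding.
        raise TenantResolutionError(f"no tenant for user {event.get('userName')!r}")
    return tenant

def handler(event, context, update_attributes=None):
    """Post-confirmation trigger entry point; update_attributes is injectable for tests."""
    tenant = resolve_tenant(event)
    if update_attributes is None:
        import boto3  # only needed when running inside Lambda
        idp = boto3.client("cognito-idp")
        update_attributes = lambda pool, user, attrs: idp.admin_update_user_attributes(
            UserPoolId=pool, Username=user,
            UserAttributes=[{"Name": k, "Value": v} for k, v in attrs.items()])
    update_attributes(event["userPoolId"], event["userName"], {"custom:tenantId": tenant})
    return event  # Cognito requires the trigger to return the event
```

The same resolver can feed a pre-token-generation trigger if the tenant id should also appear as a claim in the issued JWT.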

Considerations for Federated Identity in SaaS

  • Ensure a seamless onboarding experience for tenants, despite the circular dependency between tenant-side IdP configuration and SaaS-provider configuration.
  • Manage the coexistence of standard identity workflows and federated identity workflows in the SaaS application.
  • Consider regulatory and compliance requirements, such as data residency, when implementing federated identity.
  • Optimize for cost and service quotas when using federated identity.
  • Automate the federated identity onboarding and management process as much as possible.

Conclusion

  • Federated identity can provide a better user experience for tenants, but it introduces additional complexity that SaaS providers need to manage.
  • Features such as Cognito triggers and dynamic IdP resolution can help SaaS providers overcome the challenges of implementing federated identity.
  • Continuous feedback and improvement of the federated identity implementation are crucial for SaaS providers to deliver a seamless experience to their tenants.
