Overview of the Session
The session provides an in-depth discussion of adding Federated identity support to multi-tenant SaaS environments. The key takeaways from the session are:
Standard SaaS Identity Patterns
- SaaS applications have an application plane and a control plane, with the control plane providing tenant onboarding and identity management capabilities.
- SaaS applications typically have a centralized identity provider (IdP) to manage tenant users and their identities, providing authentication and authorization.
- SaaS identity is represented using a token-based approach, such as JSON Web Tokens, so that tenant context can be passed automatically to downstream services.
Federated Identity in SaaS
- Tenants may want to use their own corporate IdPs for single sign-on, rather than creating user profiles in the SaaS IdP.
- SaaS providers need to support both standard identity workflows and Federated identity workflows to accommodate different tenant requirements.
- Federated identity introduces additional challenges, such as managing the asynchronous workflow, injecting tenant context for Federated users, and handling compliance and regulatory requirements.
Implementing Federated Identity with Amazon Cognito
- SaaS providers can use Amazon Cognito as the SaaS IdP and integrate with tenant corporate IdPs using protocols like OpenID Connect (OIDC) and SAML.
- Cognito supports the concept of Federated Identity Providers to manage the protocol-specific configurations for each tenant.
- SaaS providers can use Cognito's Lambda triggers (e.g., the post-confirmation trigger) to automatically inject tenant context for Federated users.
- Resolving the correct Federated IdP dynamically at runtime is a key challenge; it can be addressed by passing additional parameters (e.g., an IdP identifier) in the authorization request so the user is routed to their tenant's IdP.
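The trigger-based tenant-context injection described above, as an added example (not code from the session or from AWS): a post-confirmation Lambda handler in Python that reads the identity provider name from the federated user's `identities` attribute, looks the tenant up in a registry, and writes it to a custom user attribute. The attribute name `custom:tenantId`, the registry contents, the stub Cognito client and the sample event are assumptions constructed for this example; the event envelope (`userPoolId`, `userName`, `request.userAttributes`) is the standard shape Cognito passes to its Lambda triggers.

```python
"""Added example: post-confirmation Lambda that injects tenant context for a
federated user.

Assumptions (not from the session): the custom attribute `custom:tenantId`,
the tenant registry below, and the stub client used for offline runs.
"""
import json

# Constructed registry: Cognito identity provider name -> SaaS tenant id.
# In a real control plane this is a lookup written at tenant onboarding.
TENANT_BY_PROVIDER = {
    "acme-oidc": "tenant-acme",
    "globex-saml": "tenant-globex",
}
TENANT_ATTRIBUTE = "custom:tenantId"  # assumed custom attribute on the user pool


class UnknownIdentityProvider(Exception):
    """A federated user arrived from an IdP that no tenant has registered."""


def provider_name_from_identities(user_attributes):
    """Return the provider name from Cognito's `identities` attribute.

    Cognito stores `identities` as a JSON-encoded list of linked identities
    (providerName, providerType, userId, primary, ...). Native users created
    in the user pool have no `identities`, so None means "not federated".
    """
    raw = user_attributes.get("identities")
    if not raw:
        return None
    identities = json.loads(raw)
    primary = [i for i in identities if i.get("primary")] or identities
    return primary[0]["providerName"]


def resolve_tenant(provider_name, registry=TENANT_BY_PROVIDER):
    """Map an IdP name to a tenant id; never default to a tenant on a miss."""
    try:
        return registry[provider_name]
    except KeyError:
        raise UnknownIdentityProvider(provider_name) from None


def post_confirmation_handler(event, cognito_client):
    """Stamp the tenant id onto a federated user and return the event unchanged.

    `cognito_client` is a boto3 `cognito-idp` client in production (see
    lambda_handler) or the stub below when run offline.
    """
    attrs = event["request"]["userAttributes"]
    if attrs.get(TENANT_ATTRIBUTE):
        return event  # tenant context already set, e.g. by control-plane onboarding
    provider = provider_name_from_identities(attrs)
    if provider is None:
        return event  # standard (non-federated) user: handled by the standard workflow
    tenant_id = resolve_tenant(provider)
    cognito_client.admin_update_user_attributes(
        UserPoolId=event["userPoolId"],
        Username=event["userName"],
        UserAttributes=[{"Name": TENANT_ATTRIBUTE, "Value": tenant_id}],
    )
    return event  # Cognito requires the trigger to return the event


def lambda_handler(event, context):
    """Entry point wired to the Cognito post-confirmation trigger."""
    import boto3  # imported here so the module also loads without boto3 installed
    return post_confirmation_handler(event, boto3.client("cognito-idp"))


class StubCognitoClient:
    """Constructed stand-in for boto3's cognito-idp client; records its calls."""

    def __init__(self):
        self.updates = []

    def admin_update_user_attributes(self, **kwargs):
        self.updates.append(kwargs)


def sample_event(provider_name, user_id):
    """Constructed post-confirmation event for a federated user."""
    identities = [{"userId": user_id, "providerName": provider_name,
                   "providerType": "OIDC", "primary": True}]
    return {
        "triggerSource": "PostConfirmation_ConfirmSignUp",
        "userPoolId": "us-east-1_EXAMPLE",          # placeholder pool id
        "userName": f"{provider_name}_{user_id}",   # Cognito names federated users <provider>_<userId>
        "request": {"userAttributes": {"email": "jane@acme.example",
                                       "identities": json.dumps(identities)}},
        "response": {},
    }


if __name__ == "__main__":
    client = StubCognitoClient()
    post_confirmation_handler(sample_event("acme-oidc", "12345"), client)
    print(client.updates)
```

The handler refuses to guess on an unmapped provider: raising makes the problem visible at sign-in instead of producing a user with missing or wrong tenant context, which is the failure mode that matters most in a multi-tenant system. Native users fall through untouched, so the standard and Federated workflows can share one user pool.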
Considerations for Federated Identity in SaaS
- Ensure a seamless onboarding experience for tenants, even with the circular dependency between tenant configuration and SaaS provider configuration (each side needs values that the other side's configuration produces).
- Manage the coexistence of standard identity workflows and Federated identity workflows in the SaaS application.
- Consider regulatory and compliance requirements, such as data residency, when implementing Federated identity.
- Optimize for cost and quotas when using Federated identity.
- Automate the Federated identity onboarding and management process as much as possible.
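The runtime IdP resolution mentioned under Amazon Cognito and the coexistence of standard and Federated workflows noted above, as an added example (not code from the session or from AWS): a Python helper that builds the Cognito hosted-UI authorization request and adds the `idp_identifier` parameter only for tenants that have a Federated IdP, so tenants on the standard workflow get the built-in sign-in page from the same code path. The tenant registry, the hosted-UI domain and client id placeholders, and the use of PKCE are assumptions constructed for this example; `/oauth2/authorize`, `idp_identifier` and the other query parameters are Cognito's own.

```python
"""Added example: build a Cognito hosted-UI authorization request that selects
the tenant's IdP at runtime, with a standard (non-federated) fallback.

Assumptions (not from the session): the tenant registry below, placeholder
domain/client values, and PKCE (S256) for the authorization-code flow.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed registry: tenant id -> the idp_identifier configured on that
# tenant's Cognito identity provider. None means the tenant uses the standard
# workflow (its users live in the Cognito user pool itself).
IDP_IDENTIFIER_BY_TENANT = {
    "tenant-acme": "acme.example",
    "tenant-globex": "globex.example",
    "tenant-initech": None,
}

AUTHORIZE_PATH = "/oauth2/authorize"  # Cognito hosted-UI authorization endpoint


class UnknownTenant(Exception):
    """Tenant id is not registered; refuse to build a request rather than guess."""


def pkce_pair():
    """Return a (code_verifier, code_challenge) pair using the S256 method."""
    verifier = secrets.token_urlsafe(64)
    return verifier, _s256(verifier)


def _s256(verifier):
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(verifier, challenge):
    """The check the token endpoint performs when the code is redeemed."""
    return secrets.compare_digest(_s256(verifier), challenge)


def authorize_params(tenant_id, client_id, redirect_uri, state, code_challenge,
                     registry=IDP_IDENTIFIER_BY_TENANT):
    """Query parameters for the authorization request.

    The tenant id is whatever the application resolved before sign-in (for
    example from the tenant's subdomain). This function only decides whether
    to add `idp_identifier`, which tells Cognito to send the user straight to
    that tenant's federated IdP instead of showing the built-in sign-in page.
    """
    if tenant_id not in registry:
        raise UnknownTenant(tenant_id)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match a callback URL registered on the app client
        "scope": "openid email profile",
        "state": state,  # bind to the user's session so forged callbacks are rejected
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    idp_identifier = registry[tenant_id]
    if idp_identifier:
        params["idp_identifier"] = idp_identifier
    return params


def build_authorize_url(cognito_domain, tenant_id, client_id, redirect_uri,
                        state, code_challenge):
    """Full redirect URL for the browser; cognito_domain is the hosted-UI host."""
    params = authorize_params(tenant_id, client_id, redirect_uri, state, code_challenge)
    return f"https://{cognito_domain}{AUTHORIZE_PATH}?{urlencode(params)}"


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    for tenant in ("tenant-acme", "tenant-initech"):
        print(build_authorize_url("auth.example.com", tenant,   # placeholder values
                                  "CLIENT_ID_PLACEHOLDER",
                                  "https://app.example/callback",
                                  secrets.token_urlsafe(16), challenge))
```

Keeping the `code_verifier` and `state` server-side (or in the client that started the flow) and checking both on the callback is what makes the dynamic routing safe: the IdP choice is driven by the tenant registry the SaaS provider controls, not by anything the browser supplies, and an unknown tenant id fails closed instead of falling back to a guessed provider.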
Conclusion
- Federated identity can provide a better user experience for tenants, but it introduces additional complexity that SaaS providers need to manage.
- Using features like Cognito triggers and dynamic IdP resolution can help SaaS providers overcome the challenges of implementing Federated identity.
- Continuous feedback on, and improvement of, the Federated identity implementation are crucial for SaaS providers to deliver a seamless experience to their tenants.