Supporting federated identity in multi-tenant environments (SAS307)

Overview of the Session

The session provides an in-depth discussion on adding Federated identity support into multi-tenant SaaS environments. The key takeaways from the session are:

Standard SaaS Identity Patterns

• SaaS applications have an application plane and a control plane, with the control plane providing tenant onboarding and identity management capabilities.
• SaaS applications typically have a centralized identity provider (IdP) to manage tenant users and their identities, providing authentication and authorization.
• SaaS identity is represented using a token-based approach, such as JSON Web Tokens, which helps automate downstream communication.

Federated Identity in SaaS

• Tenants may want to use their own corporate IdPs for single sign-on, rather than creating user profiles in the SaaS IdP.
• SaaS providers need to support both standard identity workflows and Federated identity workflows to accommodate different tenant requirements.
• Federated identity introduces additional challenges, such as managing the asynchronous workflow, injecting tenant context for Federated users, and handling compliance and regulatory requirements.

Implementing Federated Identity with Amazon Cognito

• SaaS providers can use Amazon Cognito as the SaaS IdP and integrate with tenant corporate IdPs using protocols like OpenID Connect (OIDC) and SAML.
• Cognito supports the concept of Federated Identity Providers to manage the protocol-specific configurations for each tenant.
• SaaS providers can leverage Cognito's triggers (e.g., post-confirmation Lambda) to automatically inject tenant context for Federated users.
• Handling the dynamic resolution of Federated IdPs at runtime is a key challenge that can be addressed by passing additional parameters (e.g., IDP identifier) in the authorization request.

Considerations for Federated Identity in SaaS

• Ensure a seamless onboarding experience for tenants, even with the circular dependency between tenant configuration and SaaS provider configuration.
• Manage the coexistence of standard identity workflows and Federated identity workflows in the SaaS application.
• Consider regulatory and compliance requirements, such as data residency, when implementing Federated identity.
• Optimize for cost and quotas when using Federated identity.
• Automate the Federated identity onboarding and management process as much as possible.

Conclusion

• Federated identity can provide a better user experience for tenants, but it introduces additional complexity that SaaS providers need to manage.
• Leveraging features like Cognito triggers and dynamic IdP resolution can help SaaS providers overcome the challenges of implementing Federated identity.
• Continuous feedback and improvement of the Federated identity implementation is crucial for SaaS providers to deliver a seamless experience to their tenants.