Tags: amazon-web-services, multi-tenant

Amazon and multi customer support in shared multi-tenant model


Are there any ready services (by Amazon or partners) that help you manage the multi-customer aspects of a "pool" [1][2] type service, where all the multi-tenancy is handled by internal context switching, databases are shared, etc.?

AWS tools (Marketplace, Billing Manager) seem to be geared toward "provision new service / host by customer", while what I'm looking for is customer and license management, user association, authentication (including federated authentication integration with multiple customer portals) and perhaps even listing and catalog services. When a new customer purchases (or changes) a license / user / configuration, I expect to get an API call to my already existing solution, in which I'll decide what to do.

It seems like there should be many services like that, but either they are proprietary or I'm using the wrong keywords to find the information.

[1] http://www.slideshare.net/AmazonWebServices/arc340-multitenant-application-deployment-models/9

[2] https://www.youtube.com/watch?v=DMP0leGZpo4


Solution

Here are the results from my own research on the subject:

There are two types of identity management solutions: one that acts as a portal for the user, showing multiple applications, and the other that acts as a user database with login facilities. The first one was not applicable to my case, so I didn't look at it. Some examples of the first type: Okta, SecureKey, OnCloud, SailPoint.

Of the 2nd type, I looked at the following dimensions: support for multiple federated IdPs, support for SAML federation, support for API control, UI dashboard (with a note on per-customer filtering), support for Active Directory sync, support for SP multi-tenancy, support for home realm discovery, certifications, ability to embed the solution, and price.

My short list was Auth0, AWS Cognito and Stormpath.

Auth0:

• Supports multiple federated IdPs with multiple technologies (SAML supported)
• Supports full API control
• Has UI dashboard, lacks per-customer filtering
• Supports Active Directory sync using an agent
• Lacks SP multi-tenant support
  • Can support MT by metadata on the user (virtual separation)
• Lacks home realm discovery
  • Can support HRD programmatically by holding a mapping table
• Has HIPAA (US gov health) certification
• Can be embedded within a solution or used as an online service
• High cost: $1000/month for 2500 active federated users, at a plan lower than the one we needed

AWS Cognito:

• Supports multiple federated IdPs through SAML
• Supports full API control (? TBD, verify)
• Has UI dashboard, supports per-customer filtering
• Doesn't support Active Directory sync
• Limited to 60 customers (user pools)
  • Needs to be negotiated with Amazon
• Supports SP multi-tenancy (user pool origin and metadata)
• Unknown home realm discovery (TBD)
• Currently available in US-East, Ireland and Tokyo
• If successful, most likely to be available in other regions and GovCloud in the future
• Low cost: $275/month for 50k monthly active users
  • Note: our use case is not the primary use case for this service (may lead to dead ends)

Stormpath:

• Supports multiple federated IdPs using SAML
• Supports full API control (? TBD, verify)
• Has UI dashboard, supports per-customer filtering
• Supports Active Directory sync using an agent
• Lacks SP multi-tenant support
  • Can support MT by metadata on the user (virtual separation)
• Lacks home realm discovery
  • Can support HRD programmatically by holding a mapping table
• Can be embedded within a solution or used as an online service
• Low cost: $500/month for 500k API calls, for a package at a lower level than what we need
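Two gaps listed above for Auth0 and Stormpath (no home realm discovery, no SP multi-tenancy) are the ones the answer says you close in your own code: a mapping table for HRD and tenant metadata on the user for virtual separation. The following is an added example, not code from the answer or from any of the vendors named; it assumes the HRD table is keyed by the login email's domain, and all domains, tenant ids and connection names are constructed.

```python
from dataclasses import dataclass

# Constructed mapping table: email domain -> (tenant id, IdP connection name).
# In a real deployment this lives in the application's own database.
REALM_TABLE = {
    "acme.example": ("tenant-acme", "saml-acme"),
    "globex.example": ("tenant-globex", "saml-globex"),
}
# Unknown domains fall back to the direct (non-federated) realm.
DEFAULT_REALM = ("tenant-direct", "username-password")


@dataclass(frozen=True)
class Realm:
    tenant_id: str
    connection: str


def discover_realm(email: str) -> Realm:
    """Home realm discovery: choose the IdP connection from the email domain.

    Domain matching is case-insensitive; an unknown domain maps to the
    default realm instead of failing so non-federated customers can log in.
    """
    if email.count("@") != 1:
        raise ValueError("expected a single user@domain address")
    domain = email.rsplit("@", 1)[1].strip().lower()
    tenant_id, connection = REALM_TABLE.get(domain, DEFAULT_REALM)
    return Realm(tenant_id, connection)


def authorize_login(user_metadata: dict, realm: Realm) -> bool:
    """Virtual multi-tenancy check for an IdP that lacks SP multi-tenancy.

    The tenant recorded in the user's metadata must equal the tenant of the
    realm that authenticated the login; otherwise an identity asserted by one
    customer's IdP could be attached to another customer's data.
    """
    return user_metadata.get("tenant_id") == realm.tenant_id


def filter_tenant_users(users: list, tenant_id: str) -> list:
    """Per-customer filtering that a dashboard without it must do itself."""
    return [u for u in users if u.get("tenant_id") == tenant_id]
```

The mismatch case in `authorize_login` is the check to log and alert on: a valid federated assertion arriving for a user whose metadata names a different tenant indicates a mapping-table or provisioning error.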