AWS Serverless SaaS
Case Study

Our aim is to reduce both the development and maintenance costs for SaaS platforms, leading to savings of at least 30%

Introduction

The Serverless Accelerator for SaaS development, based on AWS Serverless Architecture, is Devista’s latest R&D endeavour. Our aim is to reduce both the development and maintenance costs for SaaS platforms, leading to savings of at least 30%. This project will benefit clients in all industries, but particularly those in InsureTech and HR.

The Problem

Traditional Software as a Service (SaaS) platforms face a set of challenges that can impact their efficiency and effectiveness. The scalability of these platforms often requires manual intervention, leading to difficulties in meeting fluctuating demand. Maintenance responsibilities, such as server provisioning and patching, burden the development teams and distract from their core activity. A high and unpredictable cost structure, driven by the need to pay for servers whether fully utilised or not, can strain budgets. But most importantly, the increased setup and configuration requirements may slow down the time to market, affecting competitiveness.

The Solution

With the objective of fast-tracking our customers’ SaaS offerings to market, this accelerator is about more than efficiency: it is about enabling transformation.

The Serverless Accelerator is a paradigm shift in SaaS development. Crafted with the goal of expediting market readiness for our customers’ SaaS products, the accelerator bridges the gap between conception and realization. It significantly cuts down development time, allowing faster and more efficient product launches.

The components

The accelerator comprises several integral components that combine to form a comprehensive solution for SaaS development:

Tenant and User Management

Ensuring effective control of software users and tenants, driving ease of administration.

Authentication and Authorization

Backed by AWS Cognito, it ensures robust and secure user identity verification and access management.

Tenant tier control

Different tiers are offered to tenants so that the optimal price-to-value ratio can be achieved for each client’s needs. For tenants in the highest (PLATINUM) tier, the accelerator provisions dedicated instances of AWS resources, ensuring top-tier service.

The accelerator leverages an array of AWS services:

  • AWS Lambda implements the accelerator’s logic.
  • AWS Cognito provides authentication and authorization, fully compatible with third-party identity providers such as Facebook and Google.
  • DynamoDB offers a robust platform for storing data.
  • API Gateway exposes the REST endpoints that implement the accelerator’s connectivity.
  • CloudFormation and AWS SAM deploy the entire application.
  • AWS Cloud Development Kit (CDK), CodeCommit, CodePipeline, and CodeBuild underpin the DevOps side of the accelerator, making the PLATINUM tenant provisioning process straightforward.

Tenant management

Behind the Scenes

The tenant registration flow is a robust and secure process built on the orchestration of several AWS services.

Tenant Information Submission

The initial data, comprising the tenant details, is provided by the customer and sent to a public endpoint exposed by AWS API Gateway. Note that this endpoint has no authorizer attached: a prospective tenant does not yet have an identity in the system, so the initial submission must be reachable without one.

Invocation of Primary AWS Lambda Function

The API Gateway triggers a specific AWS Lambda function responsible for initiating the tenant onboarding procedure. This central Lambda function collaborates with other ancillary, private Lambda functions to carry out the registration logic. These private Lambda functions are isolated within the AWS account and can be invoked only by other Lambda functions whose IAM roles grant them that permission. External invocations and unauthorized internal invocations are therefore blocked, reinforcing the security of the process.

User authorization

The user authorization flow, a crucial part of our Multitenancy SaaS solution, undergoes the following steps:

Upon loading the SaaS web page, the Frontend (FE) logic extracts the tenant’s name from the URL. This name is used to communicate with a public AWS API Gateway endpoint and retrieve the necessary Cognito user pool id and app client id for authentication.

After providing their credentials, the user is validated against the corresponding tenant’s user pool. If validation succeeds, AWS Cognito issues a JSON Web Token (JWT) for the user and returns it to the FE. This JWT is then required for accessing any further endpoints that require authorization.

The FE calls an endpoint that mandates authorization, using the obtained Cognito JWT as the credential.

Upon receiving the JWT from the API Gateway, the Lambda authorizer, a specialized Lambda function, validates the JWT. Post-validation, the authorizer constructs Identity and Access Management (IAM) resource policies that delineate user access levels, and prepares the necessary credentials for AWS resource access. This step encapsulates the crux of resource access control and tenant isolation. It dictates precisely which endpoints a user can invoke and which resources they can access, offering granularity down to specific database tables and permissible actions.

Leveraging the generated IAM resource policies, the API Gateway checks whether the user is authorized to access the requested endpoint. If the user passes the IAM policy checks, the API Gateway calls the requested endpoint, supplying the credentials for AWS Resource access.
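The authorizer and policy-check steps above, as an added example that is not Devista’s or the accelerator’s code: a Python Lambda authorizer (TOKEN type) that parses a Cognito ID token, applies the claim checks Cognito documents for its tokens (issuer, token_use, audience, expiry), reads the tenant id from an assumed custom claim `custom:tenantId`, and returns an `execute-api:Invoke` policy scoped to the API and stage of the request together with a DynamoDB session policy scoped to the tenant’s partition key. The issuer, app client id, ARNs, claim name and user values are constructed placeholders. Signature verification against the user pool’s JWKS is assumed to be performed by a JWT library before the claims are trusted; the example runs offline with an unsigned token built by the `make_unsigned_token` helper.

```python
import base64
import json
import time

# Constructed values for this example; a real deployment takes them from the
# user pool looked up for the tenant in the earlier step.
EXPECTED_ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
EXPECTED_CLIENT_ID = "1example23456789"
TENANT_CLAIM = "custom:tenantId"  # assumed custom attribute carried in the ID token


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims):
    # Helper so the example runs offline: header.payload with an empty signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."

def decode_claims(token):
    # Only parses. Signature verification against the pool's JWKS (for example
    # with PyJWT) is assumed to have succeeded before these claims are trusted.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))

def validate_claims(claims, now=None):
    # Issuer, token use, audience and expiry checks; returns the tenant id that
    # the rest of the policy is scoped to.
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("issuer mismatch")
    if claims.get("token_use") != "id":
        raise PermissionError("not an ID token")
    if claims.get("aud") != EXPECTED_CLIENT_ID:
        raise PermissionError("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise PermissionError("token expired")
    tenant_id = claims.get(TENANT_CLAIM)
    if not tenant_id:
        raise PermissionError("missing tenant claim")
    return tenant_id

def api_policy(principal_id, effect, method_arn, tenant_id):
    # Authorizer response. The resource is limited to the API and stage of the
    # request so a cached decision cannot be reused against another API.
    api_arn, stage = method_arn.split("/")[:2]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": f"{api_arn}/{stage}/*/*",
            }],
        },
        # Reaches the backend Lambda as $context.authorizer.tenantId.
        "context": {"tenantId": tenant_id},
    }

def tenant_session_policy(tenant_id, table_arn):
    # Session policy to pass to sts:AssumeRole (boto3: assume_role(Policy=...)).
    # The resulting credentials can only touch items whose partition key equals
    # the tenant id, which is the table-level isolation described above.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant_id]}
            },
        }],
    }

def handler(event, context=None):
    # Entry point of a TOKEN-type Lambda authorizer.
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    try:
        claims = decode_claims(token)
        tenant_id = validate_claims(claims)
        principal = claims["sub"]
    except (ValueError, PermissionError, KeyError):
        # API Gateway turns this exact message into a 401 for the caller.
        raise Exception("Unauthorized")
    return api_policy(principal, "Allow", event["methodArn"], tenant_id)
```

The two policies serve different layers: the `policyDocument` is consumed by API Gateway to decide whether the call proceeds, while the session policy is what the backend would hand to STS so that the credentials it obtains for the request cannot read another tenant’s rows even if application code has a bug.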

The user authorization flow demonstrates a pragmatic and secure approach to handling multi-tenancy and authorization in a SaaS application, offering tenant isolation, fine-grained access control, and user validation.

Success Stories: Accelerator in Action

The Serverless Accelerator has already been proven in the real world through its successful use by Nova M4, an HR gamification tool. This accomplishment not only underlines the effectiveness of the accelerator but also stands as a testament to Devista Consulting’s commitment to fostering innovation and driving success for our clients.

Nova M4 Product Owner:

“The accelerator exceeded our expectations. We knew it would reduce the time to market, but not by that much”.

Are you ready to build something remarkable?

Choose how you would prefer to collaborate:

  • End-to-End Development – we co-create change with you through business-minded tech solutions.
  • Team Augmentation or Dedicated Team – aiming to support you in creating meaningful change, we lend you professional talent to help you supplement your in-house team or to bridge the internal skills gap.