Comments (4)
Hi all-
Apologies for the slow response to your question.
Having multiple user pools has benefits for scalability both in total size (although a single pool can be quite large) and in requests rates, as it spreads the load over multiple partitions. Multiple user pools can also be advantageous if you want to keep data for users in their own geography.
The two main downsides of multiple user pools are 1) you can’t do a single list/search for users across all the pools, and 2) your app needs to know which user pool a user belongs to before it can sign them in.
That said, unless you need different configuration settings for different customers (ex. password policies, etc.) I would try to minimize the total number of user pools as much as possible due to the management overhead. Also, with the new SAML integration capabilities, a single user pool can federate directly with multiple SAML providers and then provision users from different companies'/SAML providers' user accounts in the same user pool, making it easier to use a single user pool, as well.
Let me know if you have further questions on the options here.
Justin
from aws-serverless-auth-reference-app.
I use S3 to statically host the app, i.e. "example.com", which is my frontend website to acquire new tenants. At my admin application, "console.example.com", I automate provisioning resources for new tenants from default template configuration objects ("infrastructure as code") so that Route 53, CloudFront, S3, API Gateway, Lambda, IAM, ACM, DynamoDB, and Cognito are updated for "wildcard.example.com", where each unique subdomain is a tenant. Your application would be dynamically deployed as a new S3 static site per tenant. In this case, i.e. "config/config.ts" from this demo would be part of the default configuration objects unique to each tenant. I use a Lambda function (Node.js runtime) to dynamically create custom configuration objects per tenant that are stored in a DynamoDB table provisioned per tenant, or DynamoDB stores pointers to S3 locations that contain the configuration objects. I use a regular expression on tenant attributes to direct the user to the proper app they are a member of, "wildcard.example.com". No matter which frontend a user logs in at, they are directed to the correct app. Take a look at IAM policy variables, and configuring wildcard domains with CloudFront, S3 and Route 53. From "console.example.com" you can administer all your tenants' configurations and users, similar to a dynamic CMS ("content management system" or "cloud management system"). You need to establish a hierarchy of default permissions on resource access, i.e. so that your tenants can have pseudo-admins. I wouldn't suggest using Cognito as the sole service alone to delegate access and manage a multi-tenant SaaS application. Take a look at the whitepapers on architecting multi-tenant SaaS applications in the resources section of aws.amazon.com.
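An added example (not code from the reference app or from any commenter) of the tenant routing the comment above describes and the per-pool sign-in problem raised in the first reply: resolve the tenant from a wildcard subdomain, look up that tenant's user pool settings, and confirm that a token's issuer and audience really belong to that tenant's pool. Tenant names, pool ids and client ids are constructed placeholders, and the config table stands in for the per-tenant objects kept in DynamoDB.

```typescript
// Added example: per-tenant routing and user-pool check (not from the reference app).

interface TenantConfig {
  region: string;
  userPoolId: string;
  clientId: string;
}

// Constructed stand-in for the per-tenant configuration objects kept in DynamoDB;
// every value here is a placeholder, not a real pool or client id.
const TENANT_CONFIGS: Record<string, TenantConfig> = {
  acme: { region: "us-east-1", userPoolId: "us-east-1_EXAMPLE1", clientId: "client-acme" },
  globex: { region: "eu-west-1", userPoolId: "eu-west-1_EXAMPLE2", clientId: "client-globex" },
};

// Exactly one DNS label: lowercase alphanumerics and hyphens, no leading or
// trailing hyphen. Only a well-formed tenant slug ever becomes a lookup key.
const TENANT_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// "acme.example.com" -> "acme"; apex domain, nested subdomains, a foreign
// domain that merely contains the base domain, or a bad label -> null.
function resolveTenant(hostname: string, baseDomain: string): string | null {
  const host = hostname.toLowerCase().replace(/:\d+$/, ""); // drop any port
  const suffix = "." + baseDomain.toLowerCase();
  if (!host.endsWith(suffix)) return null;
  const label = host.slice(0, host.length - suffix.length);
  return TENANT_LABEL.test(label) ? label : null;
}

// hasOwnProperty guards against inherited keys: "constructor" passes the label
// regex but is not a tenant, and a plain index lookup would return Object.
function tenantConfigFor(tenant: string): TenantConfig | null {
  return Object.prototype.hasOwnProperty.call(TENANT_CONFIGS, tenant)
    ? TENANT_CONFIGS[tenant]
    : null;
}

// Cognito user pool tokens carry iss = https://cognito-idp.<region>.amazonaws.com/<poolId>.
// After the token's signature has been verified against that pool's JWKS, compare its
// iss and client audience with the tenant's own pool so a token minted by another
// tenant's pool is rejected rather than silently accepted.
function tokenBelongsToTenant(iss: string, aud: string, cfg: TenantConfig): boolean {
  const expectedIss = `https://cognito-idp.${cfg.region}.amazonaws.com/${cfg.userPoolId}`;
  return iss === expectedIss && aud === cfg.clientId;
}
```

The issuer/audience check only means something after signature verification; it is the binding between "which tenant's site the user arrived at" and "which pool actually issued the token", not a substitute for validating the token itself.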
@admin-cloudinertia thanks a lot for the detailed response, very much appreciated.
A couple of clarifications: are you creating different S3 sites, Dynamo tables, etc. for every tenant? It looks like, from the AWS white papers, you are using "Tenant Isolation at the Amazon VPC Layer". I am trying to achieve "Tenant Isolation at the Application Layer", where all tenants will share the same code base and DB. I have tenantId in DB tables.
I have a process of tenant provisioning, so it looks like I need to dynamically update the "config/config.ts" file as we add more tenants.
I am planning to use Cognito and federated identities with role-based access control for authentication and authorization. Below is the URL for the AWS article: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/
You mentioned, "I wouldn't suggest using Cognito as the sole service alone to delegate access and manage a multi-tenant SaaS application". Could you please elaborate more on how you are achieving this in your application?
Thanks a lot for your help.
Hi outmarch. I'd be really interested to hear if/how you achieved this, as it's exactly what I'm facing at the moment.
I've followed this tutorial from serverless which is similar to this repository.
The cognito UserPool and ClientApp ids are configured for the front end (here) - again similar to the config file in this project.
Exactly like you, I'm planning on having a different Cognito user pool per tenant, so I need this configuration to be dynamic depending on the tenant.
More than happy to collaborate with you on a demo project which would extend the flows in this project to include the registration of a new tenant.
Many thanks,
ETFairfax