Saturday, March 26, 2016

SaaS Developer Guide - Sample Application - Cloud Learner

Using a sample application is going to spice up the SaaS Developer Guide blog posts. It helps explain deep technical concepts in an easily understandable way. A picture is worth a thousand words; similarly, a sample app is worth ten thousand words. So this is the sample application that will be used by all SaaS Developer Guide blog posts.

Cloud Learner Business Architecture

Cloud Learner is a cloud-based distance education system. It allows lecturers to offer online courses, and students can sign up for classes. Each class has a forum and a notice board, where online lecture times and other notifications are posted. Cloud Learner is not going to facilitate conducting online classes itself, as that is a completely different application domain. Instead, the creator of Cloud Learner has made a deal with another SaaS provider that specializes in communication and unified communication solutions, namely UniCom. In short, UniCom offers the online conferencing capabilities that Cloud Learner lecturers use to conduct online classes.

Cloud Learner User-story

Users can sign up to Cloud Learner.
  • Users can sign up as lecturers - Lecturers can create courses and advertise them in Cloud Learner. Lecturers start the class, and each class gets:
    • Notice board
    • Forum
    • Evaluation tests
    • Online conferencing facility for conducting classes
  • Users can sign up as students - Students can view the offered courses and subscribe to them after paying the subscription fee. Once subscribed, students have access to the forum and notice board.

Cloud Learner Subscription Levels

Students can register and browse Cloud Learner free of charge; lecturers, however, have to pay a subscription. The available subscription tiers (each bundles a number of courses with a cap on student subscriptions) are:

  • One repetition of one course
    • 25 student subscriptions
  • One course
    • 25 student subscriptions
  • One course
    • Unlimited number of student subscriptions
  • Four courses
    • Unlimited number of student subscriptions

Each class can have up to a maximum of eight online conferences, and the charges for them are included in the subscription.

High-level architecture for Cloud Learner

Cloud Learner has several modules.

Class CRUD Service - Create, read, update and delete all class related functionalities such as forum, test and notices

Course CRUD Service - Create, read, update and delete all courses

Subscription Management Service - Manages student subscriptions to courses

User registration and Management Service - Handles all user related matters

Conferences are created for each online lecture in the external communication provider (UniCom) upon the lecturer's request.

Tuesday, March 22, 2016

SaaS Developer Guide - Part 1 - The Basics from SaaS Providers POV

This is the first blog post of a series that is going to explain the concepts and guidelines for building a successful SaaS application to deliver your services over the cloud. It aims to present the concepts and then dig deep into the technical nitty-gritty behind SaaS concepts such as auto-scaling, resilience, user experience, economy of scale, and so on. All blog posts can be found under the tag SaaS Developer Guide.

Cloud providers have spoiled the current SaaS consumer market with cool features. There are a lot of techniques and technologies used to deliver SaaS, as it has become a very mature form of software delivery. Each day we hear of SaaS providers delivering an awesome user experience, and the question is how you would meet those sky-rocketing expectations. Firstly, as a SaaS provider, it is important to have a deep understanding of SaaS characteristics, because that understanding drives the architectural principles, design patterns, and implementation and deployment practices.

SaaS characteristics:
  • The software is centrally hosted by the vendor
  • Provides self-service mode of operation
  • License is subscription based, and supports "pay-as-you-go" model

The software is centrally hosted by the vendor

SaaS software needs to be designed such that it can serve thousands of concurrent users. Users access it via a browser over the Internet. It must have properties such as:
  • Highly scalable - Modern software depends on horizontal scalability, i.e. the software is designed as a distributed system or as a set of distributed services. In a distributed system the services coordinate over a network by passing messages to achieve a common task. This brings the advantage of being able to maintain each service independently from the other parts of the system, allowing continuous delivery and controlled upgrades. Each service is cohesive and stateless, allowing the system to be rapidly scaled up and down as desired.
  • Resilient - SaaS should have self-healing, fault-tolerant features, since it is deployed on an IaaS layer most of the time. If an instance goes down, there must be measures to bring up another instance automatically. If an instance is malfunctioning, that needs to be identified quickly (e.g. by health checks) and the instance removed from the distributed system.
  • Optimized resource consumption - In order to optimize the usage of the IaaS layer by the SaaS, it needs to be dynamically scalable: as demand goes up the system should scale out, and when demand goes down it should scale in. Lazy loading of containers and tenants is another approach to minimizing IaaS consumption. In short, this is called the "economy of scale": how many users the application can serve using X amount of resources. This is a broad area that starts with architectural-level decisions such as containerizing vs. multi-tenancy and goes all the way down to coding, data caching, CDNs and browser caching.
  • Security - Security is another major area that a SaaS provider needs to be concerned about. This includes security of the data as well as perimeter security. Data needs to be backed up regularly, and only authorized parties may access it; in a multi-tenant system that also means one tenant must never be able to read another tenant's data. APIs must be authenticated and protected (rate limiting, input validation), and proper perimeter security must be in place.

Provides self-service mode of operation

SaaS is user-facing software and needs to be thoroughly UX engineered. User stories must be written and tested. User behavior can be recorded (by recording user clicks) and analyzed to identify gaps. UX all the way is very important. Some of the characteristics of the self-service mode of operation are:
  • Self-registration - Users register organizations and users
  • Password resetting, user/profile management, authorizations
  • Subscription management 
  • Monitoring their usage and rates
  • Ability to monitor business activity
  • Provide certain degree of customization
  • Configurable dashboards 

License is subscription based, and supports "pay-as-you-go" model

Usage monitoring and metering are the key to supporting a subscription-based payment model. Users pay per use, and different usage bands are available. When it comes to "pay per use", usage needs to be monitored at a granular level: each metered attribute needs to be recorded so that it is counted in the billing process. Recording the actions of thousands of users is a challenging task because of the volumes involved, and the raw records must be kept append-only, since they are the evidence behind every bill. Further, the recorded data needs to be summarized periodically, both to throttle usage and to generate the monthly bill and overages. There are well-established architectural and design patterns that allow SaaS applications to handle large data volumes and generate billing information.
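The metering pipeline described above, as an added example that is not code from the original post: an append-only event log, a per-period rollup, a throttle check against a hard limit, and overage billing. The metric name "api_call", the shape of the plan and the sample tenant "acme" are constructed for illustration. Two failure modes a practitioner runs into are handled: a redelivered event (at-least-once delivery from the metering agents) is not counted twice, and the rollup can be rebuilt from the raw log if the summarization logic was ever wrong.

```python
"""Usage metering for a pay-as-you-go SaaS: append-only event log, per-period
rollup, a throttle check against a hard limit and overage billing.
Added example; not code from the original post. Metric names, the plan shape
and the sample tenant are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class UsageEvent:
    event_id: str      # unique per action, so a redelivered event is not counted twice
    tenant: str
    metric: str        # e.g. "api_call" or "storage_mb" (illustrative names)
    quantity: int
    at: datetime       # timezone-aware time of the action


@dataclass(frozen=True)
class Plan:
    included: dict       # metric -> units included in the subscription per period
    overage_price: dict  # metric -> price per unit above the included quantity
    hard_limit: dict     # metric -> units at which further requests are throttled


class Meter:
    def __init__(self):
        self._seen = set()               # event ids already counted
        self._events = []                # raw, append-only log: the evidence behind a bill
        self._rollup = defaultdict(int)  # (tenant, period, metric) -> running total

    @staticmethod
    def period_of(ts):
        """Billing-period key; monthly periods in UTC here."""
        return ts.astimezone(timezone.utc).strftime("%Y-%m")

    def record(self, ev):
        """Append an event and update the rollup. Returns False for a duplicate."""
        if ev.quantity < 0:
            raise ValueError("usage never decreases; issue credits in billing instead")
        if ev.event_id in self._seen:
            return False
        self._seen.add(ev.event_id)
        self._events.append(ev)
        self._rollup[(ev.tenant, self.period_of(ev.at), ev.metric)] += ev.quantity
        return True

    def usage(self, tenant, period, metric):
        return self._rollup[(tenant, period, metric)]

    def allow(self, tenant, metric, plan, now, quantity=1):
        """Throttle check: may the tenant consume `quantity` more units right now?"""
        limit = plan.hard_limit.get(metric)
        if limit is None:
            return True
        return self.usage(tenant, self.period_of(now), metric) + quantity <= limit

    def bill(self, tenant, period, plan):
        """Per-metric summary for a period: used, included, overage units and charge."""
        summary = {}
        for metric, included in plan.included.items():
            used = self.usage(tenant, period, metric)
            over = max(0, used - included)
            summary[metric] = {"used": used, "included": included, "overage": over,
                               "charge": round(over * plan.overage_price.get(metric, 0), 2)}
        return summary

    def rebuild_rollup(self):
        """Recompute all totals from the raw log, e.g. after a rollup bug is fixed."""
        self._rollup = defaultdict(int)
        for ev in self._events:
            self._rollup[(ev.tenant, self.period_of(ev.at), ev.metric)] += ev.quantity


def demo():
    """Constructed sample: tenant "acme" with 3 included calls and a hard limit of 5."""
    plan = Plan(included={"api_call": 3}, overage_price={"api_call": 0.5},
                hard_limit={"api_call": 5})
    m = Meter()
    t = datetime(2016, 3, 22, 9, 0, tzinfo=timezone.utc)
    for i in range(4):
        m.record(UsageEvent(f"ev-{i}", "acme", "api_call", 1, t))
    duplicate_counted = m.record(UsageEvent("ev-0", "acme", "api_call", 1, t))  # redelivery
    allowed_before = m.allow("acme", "api_call", plan, t)   # 4 used, one more fits under 5
    m.record(UsageEvent("ev-4", "acme", "api_call", 1, t))
    allowed_after = m.allow("acme", "api_call", plan, t)    # 5 used, the 6th is throttled
    m.rebuild_rollup()                                      # totals must come out the same
    return {"used": m.usage("acme", "2016-03", "api_call"),
            "duplicate_counted": duplicate_counted,
            "allowed_before": allowed_before, "allowed_after": allowed_after,
            "bill": m.bill("acme", "2016-03", plan)}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the event log and the rollup live in separate stores (an append-only log or queue, and a counter store the throttle check can read cheaply); the shape of the logic is the same.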

Saturday, March 12, 2016

Enterprise Identity Patterns with WSO2 IS: Complying to SOX with SaaS Applications

The Sarbanes-Oxley (SOX) Act of 2002 is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures [1]. The act requires the identity and access management (IAM) program of an enterprise to meet the following in order to become compliant:
  • Securely manage, assign and control user access rights
  • Distribute tasks and their associated privileges among multiple users (segregation of duties)
  • Adjust user access rights when responsibilities change
  • Revoke user access upon termination
  • Provide uniform access policy
  • Manage access based on business roles
  • Manage allocation of user credentials

In an enterprise, managing user credentials and access rights in a decentralized way to meet the above requirements is highly inefficient, costly and error-prone, and eventually will not meet the requirements at all. This is because today's enterprise has a large number of different systems commissioned over time. The complexity becomes worse as some systems are cloud-based SaaS applications while others are on-premise.

How do you establish a centralized IAM program to achieve the above requirements?
  • Centrally manage credentials, access controls and profiles
  • Connect all possible on-premise systems to the centrally managed IAM system
  • Provision users, profiles and access controls to cloud and external domains
  • Use single sign-on protocols to validate credentials at a central point and issue a token with which the user authenticates to on-premise and cloud systems
WSO2 Identity Server is a central backbone that connects and manages multiple identities across applications, APIs, the cloud, mobile, and Internet of Things devices, regardless of the standards they are built on. This is how one can use WSO2 Identity Server to achieve the above requirements.

WSO2 IS connects to the enterprise LDAP, and the unified system meets the above requirements. The principles of the design are:
  • Configure WSO2 IS to maintain users and roles in the LDAP
  • Design LDAP groups based on business roles. Use the level of granularity required to provide segregation of duties. As users change business roles, reassign their roles in the WSO2 IS admin console, the centralized IAM system
  • Assign the correct access controls to each business role
  • Configure SSO with on-premise and cloud services (SaaS and PaaS) based on SAML2, OpenID Connect and other open standards
  • For propagating access controls:
    • Use SCIM or web APIs to provision/deprovision users into external systems
    • On-premise systems are in the same identity control domain, so there is a choice of provisioning, passing roles along with the authentication token, or LDAP syncing. Use whichever method is compatible with the system.
  • Write connectors for automatic provisioning and de-provisioning of users
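The provisioning and deprovisioning step above, as an added example that is not WSO2 IS code: a reconciliation pass that compares the central directory (LDAP groups standing in for business roles) with a SaaS application's user store and produces the actions needed to satisfy the SOX points listed at the top of the post, then translates each action into a SCIM 2.0 request (RFC 7644 payloads for PATCH on `/Users` and `/Groups`). The LDAP group DNs, the mapping to application groups, the segregation-of-duties rule and all sample users are constructed for illustration. A user whose desired roles would violate segregation of duties is reported and receives no grants at all (fail closed), terminated users are deactivated rather than deleted (the account history must survive for audit), and accounts that exist only in the application are treated as orphans and deactivated too.

```python
"""Reconcile the central directory (LDAP groups as business roles) against the
user store of a SaaS application, producing provisioning actions and the SCIM 2.0
requests that carry them out. Added example, not WSO2 IS code; the group mapping,
the segregation-of-duties rule and all sample users are constructed."""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed mapping from LDAP business-role groups to the SaaS application's groups.
ROLE_TO_APP_GROUP = {
    "cn=finance-approvers,ou=groups,dc=example,dc=com": "Approvers",
    "cn=finance-clerks,ou=groups,dc=example,dc=com": "Clerks",
}
# Segregation of duties: app groups that one person must never hold together.
SOD_CONFLICTS = [frozenset({"Approvers", "Clerks"})]


def desired_groups(ldap_groups):
    """App groups a user should hold, derived only from mapped business roles."""
    return {ROLE_TO_APP_GROUP[g] for g in ldap_groups if g in ROLE_TO_APP_GROUP}


def sod_violations(groups):
    return [tuple(sorted(c)) for c in SOD_CONFLICTS if c <= set(groups)]


def reconcile(directory_users, app_users):
    """directory_users: {name: {"active": bool, "email": str, "groups": [dn, ...]}}
    app_users:         {name: {"active": bool, "groups": [app_group, ...]}}
    Returns (actions, findings): actions to apply in order, and users skipped
    because their desired roles violate segregation of duties."""
    actions, findings = [], []
    for name, d in sorted(directory_users.items()):
        app = app_users.get(name)
        if not d["active"]:                      # termination: revoke, do not delete
            if app and app["active"]:
                actions.append(("deactivate", name))
            continue
        want = desired_groups(d["groups"])
        conflicts = sod_violations(want)
        if conflicts:                            # fail closed: no grants while in conflict
            findings.append((name, conflicts))
            continue
        if app is None:
            actions.append(("create", name, d["email"], tuple(sorted(want))))
            continue
        if not app["active"]:
            actions.append(("reactivate", name))
        have = set(app["groups"])
        for g in sorted(want - have):
            actions.append(("add_to_group", name, g))
        for g in sorted(have - want):            # role change: old rights go away
            actions.append(("remove_from_group", name, g))
    for name, app in sorted(app_users.items()):  # orphans unknown to the directory
        if name not in directory_users and app["active"]:
            actions.append(("deactivate", name))
    return actions, findings


def scim_request(action, user_ids, group_ids):
    """One action -> (method, path, body) for a SCIM 2.0 service provider.
    user_ids/group_ids map names to SCIM resource ids (assumed fetched earlier).
    Membership lives on the Group resource, so a created user's groups are
    added in follow-up PATCHes once the POST has returned the new user's id."""
    kind, name = action[0], action[1]
    if kind == "create":
        return ("POST", "/Users", {"schemas": [SCIM_USER], "userName": name,
                "emails": [{"value": action[2], "primary": True}], "active": True})
    if kind in ("deactivate", "reactivate"):
        op = {"op": "replace", "path": "active", "value": kind == "reactivate"}
        return ("PATCH", f"/Users/{user_ids[name]}",
                {"schemas": [SCIM_PATCH], "Operations": [op]})
    group = action[2]
    if kind == "add_to_group":
        op = {"op": "add", "path": "members", "value": [{"value": user_ids[name]}]}
    else:
        op = {"op": "remove", "path": f'members[value eq "{user_ids[name]}"]'}
    return ("PATCH", f"/Groups/{group_ids[group]}",
            {"schemas": [SCIM_PATCH], "Operations": [op]})


def demo():
    """Constructed sample: alice changed role, bob was terminated, carol holds
    conflicting roles, dave is new, and eve exists only in the application."""
    approvers = "cn=finance-approvers,ou=groups,dc=example,dc=com"
    clerks = "cn=finance-clerks,ou=groups,dc=example,dc=com"
    directory = {
        "alice": {"active": True, "email": "alice@example.com", "groups": [approvers]},
        "bob": {"active": False, "email": "bob@example.com", "groups": [clerks]},
        "carol": {"active": True, "email": "carol@example.com", "groups": [approvers, clerks]},
        "dave": {"active": True, "email": "dave@example.com", "groups": [clerks]},
    }
    app = {
        "alice": {"active": True, "groups": ["Clerks"]},
        "bob": {"active": True, "groups": ["Clerks"]},
        "carol": {"active": True, "groups": ["Approvers"]},
        "eve": {"active": True, "groups": ["Approvers"]},
    }
    return reconcile(directory, app)
```

Run periodically (and on every directory change event), this is the piece that turns "revoke access upon termination" and "adjust user access rights when responsibilities change" from policy into something you can prove in an audit: the findings list is the segregation-of-duties report, and the action log is the evidence of timely revocation.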