Archive for the 'Tenant Provisioning' Category

CSF and LitwareHR: Kickoff week

Last week I’ve been working with Puru Amradkar, Eugenio Pace and people from Microsoft’s Connected Services Framework (CSF) team, kicking off a new project that is related to both LitwareHR and CSF.

I had a great time on the design sessions with people from the CSF team like Puru Amradkar, Bala Balabaskaran, Balamurugan Kuthanoor and Arun Chandrasekhar. Their collaboration on the project was really valuable.

[Image: DSC03669]

Image 1: From left to right: me, Puru Amradkar and Eugenio Pace.

LitwareHR is a Software as a Service (SaaS) reference implementation application published last February by Microsoft’s Architecture Strategy Team. As a single-instance, multi-tenant application, it covers typical SaaS aspects such as tenant provisioning, multi-tenant security, presentation configuration, data model configuration and business process configuration.

So what about CSF? It helps telecommunications operators integrate content services with their internal networks and business systems. In a SaaS hoster context, it could help with integrating their billing and order-handling systems with SaaS applications developed by SaaS ISVs.

[Image: csfArch]

Image 2: CSF Communication Architecture.


SaaS Workshop

Fred Chong, Gianpaolo Carraro, Erik Weis and Matias Woloski gave a 3-day workshop on SaaS, at Microsoft HQ in Redmond.

The attending Microsoft employees and ISVs used a SaaS reference application based on LitwareHR to get into the architectural challenges and solutions for data model configuration, tenant provisioning, workflow configuration and security.

Check Matias’s post for more details.

Microsoft Provisioning System (MPS): Overview

These days I’ve been investigating what Microsoft Hosting Solutions and the Microsoft Provisioning System can do, how they work and how they could be applied to SaaS hosting environments such as the LitwareHR reference application’s.

MPS is an extensible Windows-based platform that provides an XML-based framework for creating customized provisioning solutions for Web, data, and application hosting. This includes tasks such as adding new users, updating directory entries, and provisioning applications and services.

MPS providers make it possible to automate the tasks required to provision and manage services within a data center. They accept XML requests from the Provisioning Engine and execute provisioning tasks against their respective applications.

MPS’s Provisioning Engine acts as a provisioning process coordinator and performs data monitoring and logging services. The Provisioning Engine interprets high-level XML requests and expands them into tasks.

[Image: MPS_howItworks]

  1. Using the Web-based interface, submit an XML-based provisioning request.

  2. The Provisioning Engine parses the XML request and expands it into multiple low-level actions. The Provisioning Engine processes the request based on the MPF configuration database.

  3. The Provisioning Engine then routes the XML requests to the appropriate providers.

  4. The provider implements the low-level provisioning tasks by making API calls to the appropriate applications. The provisioning request is complete.

Context: MPS as part of the Solution for Windows Based Hosting

[Image: MPS_inWBH]

Installed elements:

The following are the main things I installed to get a deeper understanding of MPS. You can get them here: http://www.microsoft.com/downloads/details.aspx?FamilyId=D6EF5386-0F76-4F58-A6C6-1FE7B5BE56CA&displaylang=en

  • MPS SDK:

    • Includes MPS Manager: the administration console for MPF (next bullet), used to configure and monitor the components of an MPF installation.


  • Microsoft Provisioning Framework (MPF): a platform for building, deploying, managing, and extending hosted services running on Windows:
    • Provisioning Framework: the framework contains both client and server components. The client and the SOAP ISAPI receive incoming provisioning requests. The following server components manage transaction processing and data storage:
      • Provisioning engines
      • Queue managers (Provisioning Queue Manager Service)
      • Configuration database
      • Transaction logs
      • Audit log
      • Auditing and recovery managers (Provisioning Auditing and Recovery Service)
    • Standard providers and namespaces: MPF ships with a number of providers and named procedures that support:
      • Microsoft Active Directory
      • Execution of scripts and commands
      • Error remapping for localization and context-sensitive applications
      • Windows file system and registry
      • HTTP and SOAP requests
      • SQL Server
      • Application installation using Microsoft Windows Installer
    • APIs: contain the methods used to submit requests to the provisioning framework and to develop custom providers.
  • MPF Resource Kit:

[Image: MPS_MPFTools]


"Tenant Provisioning" Screencast released

Some weeks ago we published a screencast on Datacenter Provisioning, the process of installing, in a SaaS provider’s datacenter, the infrastructure needed to support the LitwareHR application.

Once this is completed, tenants will be able to start trying the application. First of all, they will have to create a tenant account at LitwareHR so they can use the application.
The process that takes care of allocating the resources that the tenant will use is called "Tenant Provisioning". The screencast shows the "behind the scenes" actions of this service:

[Image: TenantProvisioning]

Watch the screencast here and tell us what you think here.

Example of Tenant Provisioning in a SaaS Application Environment

Introduction

For the last few months I’ve been working on a project called SaaSyLongTail, which consists of a sample application that highlights the key architecture principles of SaaS (Software as a Service) applications. In this context, one of the key pieces of the application we are building is the one that takes care of setting up the environment a tenant needs in order to use the SaaS application. That is tenant provisioning, and in this post I will explain its main steps in SaaSyLongTail:

· Data Provisioning

· Web Server Provisioning

· Authentication Store Provisioning

· Authorization Store Provisioning

Data Provisioning

The tenant is added to the Tenant table in the provider database, along with other tables that are filled with default provisioning data.

Tenant provisioning can also be used when the tenant only wants to try the application (“try before you buy”), so we think it is important that the tenant can start trying the application without having to configure it first. We achieve this by inserting default tenant UI preferences, workflow rules, etc., which the tenant can later change from the back office.

Web Server Provisioning

Each tenant web application (in this case “contoso” and “fabrikam”) has its own virtual directory inside the SaaS provider web site (in this case the “peoplewareHR” web site) in IIS. Inside each tenant’s virtual directory there are three further application virtual directories: the Back Office, Front Office and Services web applications. The “Services” virtual directory at the SaaS provider level provides the tenant provisioning services:

[Image: iis]

This virtual separation allows, for example, one tenant’s services to fail without affecting the rest of the tenants.

The structure is purely virtual: one tenant’s Back Office physical path is the same as another tenant’s Back Office physical path. This way tenant configuration and data live only in the database, and no physical changes to the application are needed when a tenant is provisioned or deprovisioned.

Hierarchical structure: the Contoso Front Office configuration extends the Contoso main configuration, which in turn extends the peoplewareHR configuration. This way each application only has to take care of its own configuration.

Web provisioning could also be distributed, with the application services running on a different server from the UI (Front Office and Back Office in this case), if the IT infrastructure requires it.

Authentication Store Provisioning

We use Active Directory Application Mode (ADAM) as the authentication store with one application partition for the SaaS provider (“peoplewareHR”), which stores one organizational unit (OU) for each tenant:

[Image: adam]

This structure lets each tenant manage its own users and gives tenant independence at the authentication level.

One detail we cannot overlook is that we use a unique value for the userPrincipalName attribute of each tenant’s users, with a mask like “[user name]@[tenant alias]”. This is done to keep user principal names unique, so that the roles provider can hold unique references to users:

[Image: userPrincipalName]

Regarding authorization, tenant provisioning only takes care of creating the new OU for the tenant, with the default users.

What if there are two tenants named Contoso that want to use peoplewareHR services? You can’t have two OU=Contoso in ADAM, nor two running virtual directories with the same name (that goes for the IIS part…). We opted to keep the tenant alias as the key in ADAM and in IIS as well, just as two companies can’t have the same URL for their web sites or two people the same e-mail address. Following the example, the second tenant named Contoso should choose a different alias, such as “contoso_corp”. But just as you enter your full name when registering an e-mail account, the tenant should enter its own name too: this is not a unique field, and it is the information that will be visible in the Front Office and Back Office, so the alias remains only for identification purposes.

Authorization Store Provisioning

We use SqlRoleProvider with the tenant as the applicationId in the authorization store. This way we support the scenario where two different tenants have the same user names or roles:

[Image: authorization_users]

[Image: authorization_roles]
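As an added example (not part of the original post or of the SaaSyLongTail code), the following Python sketch models the four provisioning steps above in an in-memory store: the tenant alias is the single key for the tenant row, the IIS virtual directories and the ADAM OU, user principal names follow the “[user name]@[tenant alias]” mask, and the role store is scoped by the tenant’s application name so that user and role names may repeat across tenants. The alias syntax rule, the default users and roles, and the virtual directory paths are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed alias rule: lowercase, safe as an OU name, a virtual directory name and a UPN suffix.
ALIAS_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
DEFAULT_ROLES = {"Administrator": {"admin"}, "User": {"admin", "guest"}}  # constructed defaults
TENANT_APPS = ("BackOffice", "FrontOffice", "Services")  # per-tenant virtual directories

@dataclass
class ProvisioningStore:
    tenants: dict = field(default_factory=dict)  # provider DB: alias -> tenant row with defaults
    vdirs: set = field(default_factory=set)      # IIS: virtual directory paths under the provider site
    ous: dict = field(default_factory=dict)      # ADAM: "OU=<alias>" -> set of userPrincipalName values
    roles: dict = field(default_factory=dict)    # SqlRoleProvider: (applicationName, role) -> set of UPNs

def alias_available(store, alias):
    """The alias is the key everywhere, so it must be well formed and not yet provisioned."""
    alias = alias.lower()
    return bool(ALIAS_RE.match(alias)) and alias not in store.tenants

def provision_tenant(store, alias, display_name):
    """Runs the four provisioning steps; the display name is free text and may repeat."""
    alias = alias.lower()
    if not alias_available(store, alias):
        raise ValueError(f"alias {alias!r} is invalid or already taken")
    # 1. Data provisioning: tenant row plus default preferences the tenant may change later.
    store.tenants[alias] = {"name": display_name, "ui_theme": "default", "workflow": "default"}
    # 2. Web server provisioning: virtual directories only; the physical path is shared by all tenants.
    store.vdirs.update(f"/peoplewareHR/{alias}/{app}" for app in TENANT_APPS)
    # 3. Authentication store: one OU per tenant; UPN = user@alias keeps principals unique across OUs.
    users = {u for members in DEFAULT_ROLES.values() for u in members}
    store.ous[f"OU={alias}"] = {f"{u}@{alias}" for u in users}
    # 4. Authorization store: roles keyed by the tenant's application name, so names may repeat per tenant.
    for role, members in DEFAULT_ROLES.items():
        store.roles[(alias, role)] = {f"{u}@{alias}" for u in members}
    return alias

def is_in_role(store, alias, upn, role):
    """Role check scoped to one tenant: a UPN from another tenant never matches."""
    return upn in store.roles.get((alias, role), set())

def deprovision_tenant(store, alias):
    """Reverses all four steps; no physical files were created, so only records are removed."""
    alias = alias.lower()
    store.tenants.pop(alias, None)
    store.vdirs.difference_update(f"/peoplewareHR/{alias}/{app}" for app in TENANT_APPS)
    store.ous.pop(f"OU={alias}", None)
    for role in DEFAULT_ROLES:
        store.roles.pop((alias, role), None)
    return alias not in store.tenants
```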

Conclusion

In the context of the SaaSyLongTail reference application, tenant provisioning has a lot of work to do. This work requires the data model, the web and application servers, and the authentication and authorization providers to support multitenancy in an efficient way. For each of these system components the important thing is to find the most efficient and simple configuration that matches the SaaS application requirements.