Thesis - Software as a Service
September 28th, 2008

My interest in Software as a Service (SaaS) was born during a trip to Microsoft in 2006. Looking for an interesting topic to elaborate on in my graduate thesis, I started digging into different areas and asking different colleagues and friends. Initially, influenced by the work of Arvindra Sehmi, I got interested in agent programming (BDI agents, multi-agent systems, etc). Later, Eugenio Pace, a mentor and friend, told me about an emerging model of software distribution. After a couple of months, Alejandro Jack (also a mentor and friend) put me in touch with John deVadoss (former director of the Architecture Strategy Team at Microsoft, now leading the patterns & practices team). This group was formed initially by Gianpaolo Carraro and Fred Chong; last year Eugenio joined them and Fred left. Their daily job consists of researching the Software as a Service model from the architectural point of view. As part of this challenge, the group establishes relationships with clients interested in the model and with product teams looking for feedback to shorten the gap on the platform. The group also publishes a number of papers and proofs of concept using Microsoft technologies. I made a good connection with them and finally decided to pick Software as a Service as the topic for my thesis.
Throughout the last two years I’ve been collaborating with this group, writing proofs of concept and preparing and delivering workshops. On the right, that’s me working with Eugenio (on the left) at Building 20 one year ago (Gianpaolo is taking the picture). The post-its on the wall are the user stories for Northwind Hosting (I was happy to see Google App Engine six months later as a validation of our thinking).
I’ve witnessed the growth of Software as a Service from its initial stages up to now, when it has started being adopted by the industry and has lately been extended into a broader term: Cloud Computing.
The thesis is the sum of all the experience I gathered over these years, and it is an attempt to summarize and compress the taxonomy of Software as a Service applications into a single model; it is more about “breadth” than “depth”. The model is based on Feature Modeling, a technique used in Software Product Lines (SPL). Feature Modeling is a method and notation to elicit and represent the common and variable features of the systems in a system family. It was first proposed by Kang et al. in Feature Oriented Domain Analysis at the Software Engineering Institute (SEI, 90). It has lately been used in Generative Software Development (Czarnecki, 2005), which aims at modeling and implementing system families in such a way that a given system can be automatically generated from a specification written in one or more textual or graphical domain specific languages (DSLs). Since SaaS and Cloud Computing are evolving fast, I wanted to separate the problem space from the solution space, allowing each of them to develop and grow independently. Feature Modeling helped because it is focused on capabilities. I didn’t try to use Feature Modeling to automate the generation of this kind of system, though. The priority was having a model that allows me to frame and explain Software as a Service systems.
Separation between problem and solution space (Overview of Generative Software Development, Czarnecki)
Part of defining the problem space consisted of doing a domain analysis. This is an SPL activity that aims to characterize a domain by understanding its commonality and variability. If you follow this blog you might have read the cloud computing taxonomy map post. That was an exercise during the domain analysis that helped me understand the different scopes, offerings and features of Software as a Service.
Domain analysis of Software as a Service
With this information, I spent a couple of days pasting post-its on the wall, trying to group the features and capabilities in a way that made sense. The end result was this “onion” diagram, where each category holds the different features of Software as a Service.
The model is then refined, from the taxonomy above to the capability layer (problem space) and finally to the implementation layer (solution space), as shown in the following figure.
The thesis then describes each of the capabilities at a high level and proposes patterns, architecture styles and technologies to implement them.
The following feature tree is an instance of the capability layer of the model for the LitwareHr application (grayed capabilities are not part of the LitwareHr system). This content is in Spanish, but it will soon be available in English.
The thesis also includes other non-technical aspects like:
- Adoption and diffusion analysis of SaaS based on market research
- Barriers to adoption
- Historical context (starting from specialization in the 19th century, passing through outsourcing, mainframes and what not)
- Roles and ecosystem
I want to thank again all the people that helped directly or indirectly: my family and fiancee, Alejandro Jack, Gustavo López, Eugenio Pace, Gianpaolo Carraro, Fred Chong, Arvindra Sehmi, Ariel Schapiro, Angel “Java” Lopez and all of Southworks.
Feel free to download the Spanish version and let me know if you find it useful at matias at southworks dot net.
Cloud Computing Taxonomy Map
August 19th, 2008
Lately SaaS has become a broader term and is now called Cloud Computing (see David Chappell’s paper and Wikipedia). It includes the whole paradigm of utility computing + SaaS + platform as a service + * as a service.
I’ve got good feedback on the taxonomy map from the blogosphere (including Jeff Kaplan, from THINK IT Services). I updated the map some time ago but didn’t have time to publish it. So here it is, sooner rather than later. (I need Pablo’s help to do the animated GIF, so this time it is static.)
Identity prime time with Microsoft Identity Framework “Zermatt”
July 12th, 2008
Implementing authentication and authorization mechanisms for applications is something we do over and over. However, designing the identity architecture to be adopted across an enterprise is a more challenging task. Based on my experience, reusability ends up happening at the application level as opposed to the enterprise level. So, designing this architecture requires thinking about different trust boundaries, complex access checks and centralized management.
The solution that I’ve been using lately with good results is a Security Token Service. Today, standards like WS-Trust and SAML, among others, are mature enough, and technology stacks like WCF or Sun Metro fully support them, making it easier to have an interoperable and strategic infrastructure in place. The Security Token Service provided me with a generic and customizable architecture component that became part of my architecture toolbox.
However, the concepts behind Security Token Services are not trivial to understand, and the value they provide is sometimes hidden under their complexity. The good news is that Microsoft has started to invest in a high-level identity framework that will work on top of CardSpace, WCF and ASP.NET. The new kid on the block is codenamed “Zermatt”, and it will help with separating the concerns of authentication and authorization; with the federated security scenario; with tackling real claims-based authorization on both the presentation and service layers; and potentially with integrating with “cloud” infrastructure like the Internet Service Bus.
Extrapolating from the scenario I wrote about in March 2007, we might be able to create something like the following diagram with much less code:
Finally, I recommend adding Vittorio’s RSS to your feed reader because he will share, as usual, much more info (he has already started, actually).
SaaS Taxonomy Map
July 10th, 2008
Having been thinking about SaaS for quite some time now, I wanted to share this animated GIF diagram with you (it took lots of cycles to get here :).
Make sure to open the post in the browser to see the animated GIF.
I talked briefly about it in the last RAF (you can see the video in Spanish [minute 16:30]) and will write about each of these in future posts.
RAF 08 – Buenos Aires, Argentina
June 16th, 2008
Update: here is the video of the presentation (thanks to Martin Salias).
A couple of weeks ago the Regional Architect Forum took place at the Sheraton Pilar (Buenos Aires, Argentina). Ezequiel Glinsky and Juan Ladetto kindly invited us to talk about a recent case study we did with an insurance company, Grupo Sancor Seguros, where we created the foundations for an S+S platform.
I had the opportunity to deliver a presentation together with Nicolas Sabena, who is part of the Grupo Sancor Seguros development team. During the presentation we talked about how we chose a couple of use cases related to policy issuance as an excuse to:
- Teach them the Agile methodology that we use at Southworks
- Start building the foundation of a corporate S+S platform.
The picture on the right shows how we approached the S+S platform requirements. I will expand on that in a future post.
I also had the chance to meet with many people and exchange experiences around S+S, day-to-day architecture and lots of juicy things.
Performance of ALTER TABLE
April 30th, 2007
Reading a post on Diego Dagum’s blog reminded me of an interesting topic related to SaaS. In his article, Diego talks about an experience he had with a customer that developed an application for multiple customers (multi-tenant). They had a performance issue because they were using a shared schema (i.e. extended fields stored in a separate table as rows pointing to the shared data table).
Figure 1 - Shared schema approach (Multi Tenant Data Architecture paper)
Diego and his colleague tried to convince the customer to move to the separate schema approach. In this approach each customer has its own table, and every time they want to customize it an ALTER TABLE is used.
The customer immediately refused the ALTER TABLE because of the myth that altering the schema of a table is a *HEAVY* operation.
It seems the story ends with the customer afraid to go with that approach, but this is a very interesting issue for multi-tenant applications. Modern databases implement ALTER TABLE very fast, depending on the structure of the table and the change that needs to be made.
Let’s enumerate the common scenarios and how SQL Server manages them:
- Adding a column: when you add a *NULLable* column to a table only metadata changes (syscolumns).
- Dropping a column: the same applies when you drop a column.
- Changing a data type: this is tricky. Changing the data type to something larger should only be a metadata change, and the physical change in the rows should not happen until the rows are updated. When changing the data type to something smaller, SQL Server will have to validate the existing data to make sure it fits in the smaller type.
There is an interesting (paid) article that explores the internals of ALTER TABLE: http://www.sqlmag.com/Article/ArticleID/40538/sql_server_40538.html
PS: Talking about Diego, if you read Spanish make sure to read his architecture bulletins. There are already 3 of them:
April 19, Boletin Oficial de Arquitectura #3
SaaS Workshop at Microsoft, Redmond
March 30th, 2007
We spent three days with a mix of theory and practice on Software as a Service.
The hosts: Fred Chong, Gianpaolo Carraro, Erik Weis and me.
The consumers: Microsoft internal employees and ISVs.
Day 1
- SaaS Ecosystem: Gianpaolo presented the different players in SaaS.
- Multi tenant architecture principles: general architecture principles like data, workflow, security and provisioning.
- Multi tenant data architecture: Fred Chong talked about the famous paper about the different approaches.
- Hands on Labs: Data model extensions
Day 2
- Consuming SaaS in the Enterprise: where the enterprise fits as a consumer
- SaaS Hosting Platform: the idea of a multi-tenant platform where ISVs can plug in their applications
- Monetizing SaaS: how you can protect and license your SaaS app. The guys from SecureLM (which was acquired by Microsoft) have a great product.
- Hands on Labs: customizing workflows using Workflow Foundation
Day 3
- Securing SaaS applications: Fred, the "security guru", presented different approaches to identity and federation in the context of SaaS
- Hands on Labs: creating a security token service to manage authentication and authorization
- Hands on Labs: provisioning a tenant on IIS, ADAM and SQL Server
People found the labs very in-depth, showing the latest technology and how it applies to SaaS, especially the ones about workflow and security. That means that the team at Southworks did a great job!
Speaking about SaaS
March 15th, 2007
I’m presenting SaaS with Roberto Schatz, Ramiro Iturregui and Ariel Schapiro at Microsoft Argentina headquarters. The talk will be oriented to ISVs and architects who want to know about the business model and the architectural and technical challenges.
We will explore the LitwareHR application published in February.
The holy grail of Enterprise SOA security
March 11th, 2007
A couple of years ago, the platform was not rich enough to create complex, standards-based security solutions for service oriented applications. WSE was a halfway path. With the advent of WCF we finally have a foundation to build a security subsystem that is flexible and robust enough for the enterprise.
The following illustration shows the different components involved and how they interact with each other.
Most enterprise line-of-business apps have used a login to authenticate their users and roles to authorize them. Before web services existed, the business logic was hosted in the application itself, and advanced users hosted it in COM+. The authentication and access checks were mixed into the same code that performed the business logic. Some time later, enterprises started to realize that integration between applications was getting harder: SOA implemented with web services came to the rescue.
Now the business logic lived in the application server and was accessed through web services. The problem became "how can I secure my services?". I’ve seen many different implementations: using Kerberos, using custom tickets, certificates, etc. However, they were coupled to the platform or they were custom solutions. Single sign-on and access checks across applications on different platforms are hard to accomplish: WS-Trust, STS and SAML come to the rescue.
Let’s describe the scenario:
1. A user browses to Login.aspx, enters his username and password and clicks "Login". As this is the only time when we have the username and password available from the user, we can fill in the UserName token on the proxy. We call a Ping service, which is just a dummy service that we use to obtain a SamlToken.
using (SystemServiceChannel channel = new SystemServiceChannel())
{
    // The only point where the raw credentials are available: put them on the proxy
    channel.ClientCredentials.UserName.UserName = LoginControl.UserName;
    channel.ClientCredentials.UserName.Password = LoginControl.Password;
    channel.Ping();
}
2. The client endpoint is configured to use wsFederationHttpBinding, and the issuer of the token is the Authorization STS. Since the client does not have a SamlToken yet, it will send the UserName token to the Authorization STS so it can issue one. Below is the binding.
<binding name="SecureConversationBinding">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey"
             issuedTokenType="http://….saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Authz/STS.svc"
              binding="wsFederationHttpBinding"
              bindingConfiguration="AuthorizationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>
</binding>
3. The Authorization STS trusts the Authentication STS and requests a SamlToken from it. The Authentication STS message security is configured to use wsHttpBinding with a UserName token.
<binding name="AuthorizationSTS">
  <security mode="Message">
    <message issuedKeyType="SymmetricKey"
             issuedTokenType="http://…-saml-token-profile-1.1#SAMLV1.1">
      <issuer address="http://services.litwarehr.com/Auth/Sts.svc"
              binding="wsHttpBinding"
              bindingConfiguration="AuthenticationSTS">
        <identity>
          <dns value="SaasyLongTailCert" />
        </identity>
      </issuer>
    </message>
  </security>
</binding>
<binding name="AuthenticationSTS">
  <security mode="Message">
    <message clientCredentialType="UserName"
             negotiateServiceCredential="true"
             establishSecurityContext="false" />
  </security>
</binding>
4. The Authentication STS service has a custom UserName/Password validator behavior configured. Before the request actually gets to the STS, it will go through the username/password validation. The LitwareHr default implementation uses ADAM.
<serviceBehaviors>
  <behavior name="AuthenticationSTS">
    <serviceCredentials>
      <userNameAuthentication userNamePasswordValidationMode="Custom"
                              customUserNamePasswordValidatorType="CustomValidator, Sts" />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
5. If the authentication was successful, the Authentication STS will issue a basic SamlToken containing the identity name of the caller.
Collection<SamlAttribute> GetIssuedClaims(RequestSecurityToken rst)
{
    // The caller's name comes from the identity established by the
    // UserName/Password validator in step 4
    string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
    Collection<SamlAttribute> samlAttributes = new Collection<SamlAttribute>();
    samlAttributes.Add(
        new SamlAttribute(
            new Claim(ClaimTypes.Authentication,
                      caller,
                      Rights.PossessProperty)));
    return samlAttributes;
}
6. Since the Authorization STS trusts the SamlTokens issued by the Authentication STS, it will grab the token, extract the username claim and retrieve the actions available for the user. This happens in the IAuthorizationPolicy configured on the STS.
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
    // check if this context was already updated for this user
    if (state == null)
    {
        // Create an empty list of Claims
        IList<Claim> claims = new List<Claim>();
        // Add the list of actions the user can perform
        string user = GetUserFromClaimSets(evaluationContext.ClaimSets);
        foreach (string action in GetActionsForUser(user))
        {
            claims.Add(new Claim(
                ClaimTypes.AuthorizationDecision,
                action,
                Rights.PossessProperty));
        }
        …
    }
}
7. The enriched SamlToken is now ready to go through the service pipeline.
8. This is where the access check happens. The ServiceAuthorizationManager class has access to the AuthorizationContext, which exposes the claims carried by the SamlToken.
public override bool CheckAccess(OperationContext operationContext)
{
    // Extract the AuthorizationContext from the ServiceSecurityContext
    AuthorizationContext authContext =
        operationContext.ServiceSecurityContext.AuthorizationContext;
    // Guard: deny execution if the action is not in the token as a claim
    string action = operationContext.IncomingMessageHeaders.Action;
    foreach (ClaimSet claimSet in authContext.ClaimSets)
    {
        IEnumerable<Claim> authorizationDecisionClaims =
            claimSet.FindClaims(ClaimTypes.AuthorizationDecision, Rights.PossessProperty);
        foreach (Claim claim in authorizationDecisionClaims)
        {
            string authzAction = claim.Resource as string;
            if (!string.IsNullOrEmpty(authzAction) &&
                authzAction.Equals(action, StringComparison.InvariantCultureIgnoreCase))
            {
                return true;
            }
        }
    }
    // If no AuthorizationDecision claim had a resource value that matched the
    // current action name, return false (Access Denied)
    return false;
}
9. Finally, the SOAP message gets to the service implementation, and the response is sent back to the client with the SamlToken attached.
10. The SamlToken is cached on the client using an HTTP cookie. This is achieved by using a custom IssuedSecurityTokenProvider.
Conclusion and a bit of SaaS
WCF provides an extensible foundation that allows taking service orientation in the enterprise to the next level using standards like WS-Trust and SAML.
Since SOA is part of the deal for Software as a Service apps, we implemented this architecture on LitwareHR to get ready for future scenarios like Federated Security. In this scenario the tenant wants to manage authentication and authorization using its own infrastructure. It owns an STS that issues SamlTokens for every app in the enterprise, and the IT guys don’t want to manage yet another user/password. The SaaS provider (LitwareHR) will allow the tenant to configure the claims mapping and the tenant STS to rely on. By doing this, the IT administrator for Contoso (the tenant) will manage a single authorization store and will configure the claim mappings on the "cloud" apps: the "Administrator" role in my enterprise is the "ConfigureAndCustomize" role in the SaaS application.
If you want to see a working implementation of the scenario described in the figure above, download the LitwareHr Software as a Service sample application and look for the Shp.Security.BrokeredReceiver and Shp.Security.BrokeredSender projects. If you are taking SOA seriously, then it might be worth looking at it.
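As an added illustration of the claim mapping just described (example code written for this post, not LitwareHR's own), the following maps the role claims in a token issued by a tenant STS onto the AuthorizationDecision claims that the CheckAccess above looks for, using the same System.IdentityModel.Claims types; a token whose issuer is not the configured tenant STS yields no actions at all. The class name, the tenant role claim type URI and the sample issuer, user and role values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

// Added example (not LitwareHR code). Maps the roles a tenant STS asserts onto the
// actions the SaaS application authorizes, only for the issuer the tenant configured.
public class TenantClaimMapper
{
    // Assumed claim type under which the tenant STS asserts roles.
    public const string TenantRoleClaimType = "urn:example:tenant:role";
    private readonly string trustedIssuerName;
    private readonly IDictionary<string, string[]> roleToActions;

    public TenantClaimMapper(string trustedIssuerName, IDictionary<string, string[]> roleToActions)
    {
        this.trustedIssuerName = trustedIssuerName;
        this.roleToActions = roleToActions;
    }

    // Returns the AuthorizationDecision claims for the caller. A token from an
    // untrusted issuer yields an empty set, so CheckAccess later denies every action.
    public ClaimSet Map(ClaimSet tenantClaims)
    {
        List<Claim> actions = new List<Claim>();
        if (!IsTrustedIssuer(tenantClaims.Issuer))
            return new DefaultClaimSet(ClaimSet.System, actions);
        HashSet<string> seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (Claim role in tenantClaims.FindClaims(TenantRoleClaimType, Rights.PossessProperty))
        {
            string roleName = role.Resource as string;
            string[] mapped;
            // Roles with no configured mapping grant nothing (deny by default).
            if (roleName == null || !roleToActions.TryGetValue(roleName, out mapped))
                continue;
            foreach (string action in mapped)
                if (seen.Add(action))
                    actions.Add(new Claim(ClaimTypes.AuthorizationDecision, action, Rights.PossessProperty));
        }
        return new DefaultClaimSet(tenantClaims.Issuer, actions);
    }

    // The issuer ClaimSet identifies the STS that signed the token; it is matched
    // on its Name claim against the tenant STS we were configured to trust.
    private bool IsTrustedIssuer(ClaimSet issuer)
    {
        if (issuer == null) return false;
        foreach (Claim c in issuer.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
            if (string.Equals(c.Resource as string, trustedIssuerName, StringComparison.Ordinal))
                return true;
        return false;
    }

    public static void Main()
    {
        // Constructed sample token: issued by Contoso's STS, asserting the "Administrator" role.
        ClaimSet contosoSts = new DefaultClaimSet(ClaimSet.System,
            new[] { new Claim(ClaimTypes.Name, "sts.contoso.example", Rights.PossessProperty) });
        ClaimSet token = new DefaultClaimSet(contosoSts, new[] {
            new Claim(ClaimTypes.Name, "alice", Rights.PossessProperty),
            new Claim(TenantRoleClaimType, "Administrator", Rights.PossessProperty) });
        TenantClaimMapper mapper = new TenantClaimMapper("sts.contoso.example",
            new Dictionary<string, string[]> { { "Administrator", new[] { "ConfigureAndCustomize" } } });
        foreach (Claim c in mapper.Map(token))
            Console.WriteLine(c.ClaimType + " -> " + c.Resource);
    }
}
```

The returned ClaimSet is what an IAuthorizationPolicy like the one in step 6 would add to the EvaluationContext in place of the locally looked-up actions.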
Software as a Service sample application
February 10th, 2007
Back in June 06 we started this project with the Microsoft Architecture Strategy Team. Gianpaolo announced it on Thursday; it went live:
Repository of the code and related documentation (including webcasts):
http://msdn.microsoft.com/architecture/saas/sampleApp
Community site where architects and developers can discuss in forums, report bugs, suggest and vote on new features, contribute code:
http://www.codeplex.com/litwareHR
Bonus material, “behind the scenes”, “deleted scenes”:
I've been part of this project since the beginning, and I gathered lots of knowledge to feed into my thesis. I will hopefully keep researching and working with the AST on all these exciting concepts and the architecture behind them.