I just finished conducting a 3-day SaaS architecture workshop for our internal employees and ISV partners last week.

The workshop content includes presentations on a bunch of SaaS architecture topics, such as:

  • SaaS architecture tenets: Gianpaolo introduced the technical shift towards a meta-data driven paradigm for maximizing the sharing of compute resources within a multi-tenant environment and enabling tenant-specific customizations.

  • Multi-tenant data architecture: Architecture is about making tradeoffs, so in this session I laid out the pros and cons of the three distinct data architectures mentioned in our multi-tenant data architecture paper. I also touched on the security implications and solution patterns that address data privacy and access concerns, the different approaches of enabling data model extensions, and techniques for scaling multi-tenant data architecture.

  • Securing SaaS applications: Identity management is the key subject of this session, covering federation, using security token services, and integrating role and rule-based access schemes. I also explained flowing tenant context securely between application tiers using trusted subsystem and delegation approaches.

  • SaaS Hosting Platform: I started with an overview of the expected capabilities of a SaaS hosting platform and then switched gears and took it from the ISV angle to dive deeper into the subject of design for hosting (DfH). I described the objectives and process of application health modeling - a crucial DfH step for mining information and requirements that will help surface the instrumentation and management rules to be consumed and enforced within a SaaS hosting environment.

  • SecureLM - a solution for monetizing SaaS applications: Microsoft recently acquired SecureLM. To protect software IP, SecureLM's technology injects code into application modules so that only licensed subscribers are authorized to use the SaaS applications. The SecureLM solution can be used for both Windows and browser-based applications. The SecureLM technology also addresses the separation of concerns between technical and business decisions. Licensing terms are not hard coded into the application modules. Instead, SecureLM tools allow licensing and software package terms to be defined separately from the implementation of the application features.

The hands-on-lab for the workshop is based on the Litware HR sample application and is developed by our development partners at Southworks. Matias flew out from Argentina to help facilitate the lab sessions at the workshop. In my (most probably biased) opinion, this is an excellent set of lab materials:

  • Lab 1 is all about extending the data model. We show you how you can implement the "shared database shared schema" data architecture using SQL Server 2005. Data models are extended using the name-value pair pattern. Furthermore, this lab also shows you the kinds of meta data you need to factor into your design to describe the persisted data model extensions and the customized business entity view that is seen by the users.

  • Lab 2 uses Windows Workflow Foundation to demonstrate how a simple templatized designer can be implemented to enable workflow and business rules modifications.

  • Lab 3 can be very insightful to those who have been thinking about using Web services standards to secure their SaaS applications. In this lab, we used the Windows Communications Framework (WCF) to implement a security token service that issues SAML tokens to authenticated clients. We also show how authorization policies can be inserted as signed identity claims inside the SAML tokens.

  • Lab 4 intends to show ISVs the tenant provisioning tasks for on-boarding customers. This lab is based on the Litware HR tenant provisioning scenario and therefore we have greatly simplified the task list to exclude provisioning real-world OSS/BSS components such as the billing infrastructure. Nevertheless, the lab is still very valuable for getting to know the kinds of application platform provisioning that have to happen (such as creating an IIS virtual directory and tenant-specific database rows and views).

So that's the SaaS architecture workshop in a few paragraphs. Consider it an early Christmas gift from us to you. You can download the workshop slides and hands-on-labs by clicking on Santa:

For those who are enrolled in the Microsoft ISV partner program, you may also want to watch for the worldwide launch of SaaS architecture events and programs conducted by our field technologists using the same workshop content.