Position of the problem
Most SaaS systems integrate the application and the sales system in a single piece of software.
If several web applications are to be distributed in SaaS mode by the same entity, the first problem to solve is providing single sign-on (SSO) between the sales system and the different applications. That is no problem: it is the role of an OIDC server, and OAuthSD does this very well.
The second problem, more interesting, consists in transmitting information from the sales system to applications.
Regarding the validity of the subscription and the (paying) options, this data must be secured, i.e. the recipient application must be able to verify:
the integrity of the data (they have not been falsified),
the authenticity of their origin (they were indeed delivered by the SaaS system),
their actuality (they are indeed valid at the time considered),
their destination (they relate to this application),
and of course the identity of the end user (it is not an intruder who is using the application).
The solution: OAuthSD
OAuthSD allows SaaS data to be embedded as additional claims in the JWT token payload. The recipient application (a client of the OIDC server) then only needs to validate the identity token by introspection (rather than locally, so that the server confirms the token is still valid at that moment) to carry out all of the checks described above in a single operation.
The DnC SaaS system and one of its applications, NSS Lite, perfectly illustrate this technique.
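The checks listed above, applied to the result of a token introspection call, as an added example that is not code from OAuthSD, DnC SaaS or NSS Lite. The standard introspection fields (active, iss, exp, iat, aud, sub) follow RFC 7662; the names of the SaaS claims (a "saas" object carrying "subscription_valid_until" and "options") and the sample response are assumptions constructed for this example. Introspection answers the integrity and revocation question server-side; the application still has to compare issuer, audience, time and subject itself, which is what this function does.

```python
"""Validate an identity token carrying SaaS subscription data, using the
JSON returned by the OIDC server's token introspection endpoint.

Added example (not OAuthSD's own code). Claim names under "saas" are
assumptions; the rest follow RFC 7662 / OpenID Connect.
"""
import time
from dataclasses import dataclass, field
from typing import List, Optional


class TokenValidationError(Exception):
    """Raised when any of the checks on the introspection result fails."""


@dataclass
class SaasEntitlement:
    """What the application may rely on once every check has passed."""
    subject: str
    options: List[str] = field(default_factory=list)


def validate_introspection(resp: dict, *, expected_iss: str, this_client_id: str,
                           now: Optional[int] = None, skew: int = 30) -> SaasEntitlement:
    """Run the integrity, origin, actuality, destination and identity checks
    on an introspection response and return the SaaS entitlement it carries."""
    now = int(time.time()) if now is None else now

    # Integrity: the server vouches for the token (signature valid, not revoked).
    if resp.get("active") is not True:
        raise TokenValidationError("token inactive or unknown to the server")

    # Authenticity of origin: issued by the OIDC/SaaS server we trust.
    if resp.get("iss") != expected_iss:
        raise TokenValidationError("unexpected issuer")

    # Actuality: not expired and not issued in the future (small clock skew allowed).
    exp = resp.get("exp")
    if not isinstance(exp, int) or exp + skew < now:
        raise TokenValidationError("token expired")
    iat = resp.get("iat")
    if isinstance(iat, int) and iat - skew > now:
        raise TokenValidationError("token issued in the future")

    # Destination: this application must be among the audiences.
    aud = resp.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if this_client_id not in audiences:
        raise TokenValidationError("token not issued for this application")

    # Identity of the end user.
    sub = resp.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenValidationError("missing subject")

    # SaaS data (assumed claim names): subscription must be valid right now.
    saas = resp.get("saas")
    if not isinstance(saas, dict):
        raise TokenValidationError("no SaaS data in token")
    valid_until = saas.get("subscription_valid_until")
    if not isinstance(valid_until, int) or valid_until < now:
        raise TokenValidationError("subscription not valid at this time")
    options = saas.get("options", [])
    if not isinstance(options, list) or not all(isinstance(o, str) for o in options):
        raise TokenValidationError("malformed options list")

    return SaasEntitlement(subject=sub, options=list(options))


# Constructed sample introspection response (not real data).
SAMPLE_RESPONSE = {
    "active": True,
    "iss": "https://oauth.example.test/",
    "sub": "user-42",
    "aud": ["nss_lite"],
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "saas": {"subscription_valid_until": 1_702_000_000, "options": ["pro"]},
}


def demo() -> SaasEntitlement:
    """Validate the constructed sample as the NSS Lite client at a fixed time."""
    return validate_introspection(SAMPLE_RESPONSE,
                                  expected_iss="https://oauth.example.test/",
                                  this_client_id="nss_lite",
                                  now=1_700_000_100)


if __name__ == "__main__":
    print(demo())
```

The call to the introspection endpoint itself (an authenticated HTTPS POST from the application's back end) is deliberately left out: the point here is that every check the text lists maps to one field of the response, and a failure on any single field must reject the whole token.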
To achieve this we have:
integrated the OIDC server and the sales system in the same application,
developed OIDC-SaaS extension plugins, in particular for applications based on SPIP or WordPress.
We would be happy to assist SMEs to allow them to develop their own SaaS system and adapt their web applications.
Our advisory and assistance services would allow our customers to develop their applications independently of expensive external providers, and of third-party systems that are risky in terms of security: why feed big data to the benefit of your competitors?