Azure Marketplace SaaS integration

Hello, I’m Ercenk Keresteci. I’m on the Azure Industry Experiences team here at Microsoft. I am an architect working primarily with manufacturing software vendors, and during my daily job I work with those teams to make sure that they are making the best use of Azure services.

In order to explain my experiences when integrating with Azure Marketplace, I decided to build a sample to demonstrate how the marketplace integration works. I have also heard of multiple different scenarios where onboarding and provisioning a new customer is usually a manual process for a solution, or where a full integration is not possible because of a manual process, like checking the ITAR compliance of a customer, or places where an operations team needs to be involved to go through certain manual processes. There are also areas where the provisioning needs to be out of band, meaning that we cannot really have a direct, synchronous, automated process, but there needs to be a notification mechanism in between, such as a messaging queue. There is still automated processing, or automated provisioning, happening; however, the automated provisioning solution is now a standalone solution which expects notifications to be sent to it. For those cases, if there is no need to implement the Cancel or Update operation on the solution’s UI, I put together a sample to demonstrate how that end-to-end process works.

Let’s go through the experience of a subscriber who wants to subscribe to the offer that he or she finds on Azure Marketplace. The subscriber is on the Azure Marketplace site, selects the offer, and then clicks Subscribe. What happens then is that the subscriber is going to get redirected to the landing page that you had registered before. On the landing page, you’re expected to authenticate the incoming user using Azure AD, and potentially ask for consent, like it is here, to access other information the customer controls. In this case, the customer is being asked to let the landing page access his or her Graph API, so the landing page can grab details like the email address and the full name. The other thing that you can ask for at this landing page, supposing that you want to onboard the customer and provision new resources on your side for that customer, is things like the region the customer wants to deploy to, or the number of things to manage with your solution, during the first initial steps.
Now, we talked about capturing the initial intent of a subscriber to subscribe to our offer, and we mentioned that the intent is captured on the landing page. In fact, this is one of the places that the publisher needs to implement, or needs to spend some time on, to expose that endpoint to the Azure Marketplace site. During the creation of the offer, the publisher needs to provide a URL to this landing page that we just looked at, and we also expect the publisher to implement the Azure AD authentication. So the subscriber provides the details on this landing page, and that’s how the intent is captured.

One thing that’s important here is the AD authentication, the Azure Active Directory authentication. Notice that the landing page is going to be used by multiple different customers coming from different Azure AD tenants, so by definition, it goes without saying, the landing page’s authentication mechanism should be multi-tenant.

We also mentioned during the demo that there is a part where we display the subscription ID, the offer ID the subscriber selected, and the plan ID. In order to get those details, the application needs to make a call out to the Azure Marketplace fulfillment API. The Azure Marketplace fulfillment API should be called by grabbing an authentication token from Azure Active Directory.

At this point, let’s look at the
moving parts in the basic scenario, and how this dance between Azure Marketplace, the solution’s landing page, etc. works. The first thing we’re going to look at is how the activation of a subscription worked in the scenario that I just demonstrated. We’re assuming the subscriber is on the Azure Marketplace side and then decides to subscribe to the offer. Once the subscriber completes the operation, the subscriber is going to be redirected to the landing page. That was the point where we had actually started looking at the demo.

The landing page is going to authenticate the incoming user against Azure AD, so the landing page can call APIs like the Graph API, or any other APIs that are controlled by the customer, and we can learn other details about our customer, for instance from the Graph API. In this case, in the sample, we use the Graph API to get the email address and also the full name of the customer. The next thing the sample does is to go and grab an authentication token from Azure AD, so that the sample can call the marketplace fulfillment API. The capitalized calls here from the sample to the marketplace API denote the marketplace API calls. There is a marketplace API called Resolve which, given the marketplace token, lets us go ahead and grab the details of that subscription, such as the subscription name, the offer ID and the plan ID. The sample at this point goes ahead and gets those details from the marketplace fulfillment API, populates the landing page form, and then presents the landing page to the subscriber. That was the place where we saw the form, so the subscriber can enter the other details such as the region or, in this sample, the number of things to manage.

Once the subscriber completes the landing page form, the form is submitted. What happens under the hood is that this generates a notification request; in this case, we are using an email notification service. When the operations team clicks on the “Activate” link in the email, what happens is that the sample grabs an authentication token from Azure AD and activates the subscription. Activating the subscription means that the publisher is now signaling Microsoft, so Microsoft can start billing the subscriber.

In the case of a cancel or update event happening from the Azure Marketplace side, or from the subscriber side, what happens is that the subscriber gives that intent to Azure Marketplace. That generates a notification on the webhook. So the sample receives the notification on the webhook, and again that triggers another notification, in this case an email back to the operations team, and the operations team takes the required action for this particular instance. Again, the same thing happens here: the operations team clicks a link, which results in the sample asking for an authentication token so the sample can call the marketplace fulfillment API for the appropriate operations, such as update or delete.

What I want to highlight is that the time between receiving an email and the operations team actually going ahead and provisioning and onboarding the customer may be a little bit longer; that’s why we are using email. We expect it could take a few hours or a few days, but
if it is a longer process, there is the advanced scenario that I also cover in the sample that I’d like to bring to your attention. With that advanced sample, we are changing the workflow a little bit. It may be the case that what is required takes your operations team a longer time, let’s say weeks, where the operations team or the publisher team visits the customer on site so that they can complete the configuration of the solution, etc. In this case, what we want to do is to complete the subscription process as fast as possible, so the customer knows that there is a subscription in place on Azure Marketplace. However, we really don’t want to charge the customer during that period. For that, what I suggest is this: let’s assume your offer has 3 different levels, like silver, gold and platinum. What I suggest is that you add a fourth plan with a $0.00 cost, and then grab the intent of the subscriber for the plan level, let’s say gold in this case; however, activate the subscription on the basic plan, so the customer knows that you’re working on it. As your operations team completes the provisioning, the operations team then comes back and says we are done. Then again the same thing happens: click on the link in the email, etc., and at this time you can go ahead and update the subscription to the initially intended plan.

You can find the extended and very detailed documentation about creating a SaaS offer on the documentation page. Just search for “SaaS software creation checklist” and you’re going to see the technical configuration page, and then you may notice that these are the 3 pieces of information I mentioned before. So you need to register a landing page URL and a connection webhook, and then identify the Azure AD application that you are using for calling out to the Azure Marketplace APIs. The Azure Marketplace fulfillment API is also extensively documented on this page, and of course in this sample I made use of these two. I have 2 different repos that I implement the sample with: one is an API client, which is also available on NuGet, and as I see new features, I’m constantly updating this client. The sample lives under ContosoAmpBasic; you can grab the code there. What I want to highlight is that these 2 repos are samples only. If you want to build your code, please use them as examples. These are not meant to be production-ready code, but are just demonstrating the ideas and demonstrating the concepts.

My recommendation is to register 2 applications on Azure Active Directory: one is for logging on the subscriber on the landing page, and the other is for calling out to the marketplace APIs. On the landing page, you want to have your registered AD application registered as multi-tenant, and again, just to repeat, it goes without saying that you are going to have customers logged on to different Azure AD tenants, so you want to make sure that you can authenticate the incoming users coming from different tenants. That’s why this application needs to be multi-tenant. This application may also access other resources that the subscriber has control over. Let’s assume, for instance, that you want to go ahead and provision some other resources on the subscriber’s Azure subscription; you may want to ask for consent from the user to grant rights to the application to go and call the Azure Marketplace API on behalf of the incoming user. In order to implement this, you can use a Microsoft-provided library like the Microsoft Authentication Library (MSAL), and for the AD endpoint you can use the Azure AD endpoint version 2.

When you are making the calls to the marketplace APIs, however, your registered application can be single-tenant, and I recommend having it single-tenant just so that you can reduce the surface. At this point, you will need to use the Azure AD version 1 endpoint, because the way the authentication token is received is that it’s using a resource as opposed to a scope. The resource is hard-coded and is provided on the documentation page, so that you can grab the authentication token for accessing that resource. Which means, in this case, that if we’re going to be using a Microsoft-provided library, you will need to use, or you can use, ADAL instead of MSAL and then grab the token, or you can of course go ahead and use the HTTP endpoint directly.
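The two Azure AD roles just described, as an added example in Python; this is not code from the talk or from the ContosoAmpBasic sample, which use MSAL and ADAL. It shows the claim checks a multi-tenant landing-page app has to make on a signed-in user’s ID token (the issuer changes per tenant, so it must be tied to the token’s own tid, and the audience must be your own client ID), and the version 1 endpoint client-credentials request the single-tenant app uses for the marketplace API, which names a resource rather than a scope. Signature verification is assumed to be done by the auth library before these checks; the ID token built here is constructed and unsigned so the file runs offline, and MARKETPLACE_API_RESOURCE is a placeholder for the value on the documentation page, not a real ID.

```python
# Added example: the two Azure AD roles the talk recommends splitting into separate app
# registrations. Signature verification of the incoming ID token is the auth library's job;
# validate_landing_page_claims shows the claim checks a multi-tenant app adds on top.
# MARKETPLACE_API_RESOURCE is a placeholder for the resource ID on the documentation page.
import base64
import json
import urllib.parse

MARKETPLACE_API_RESOURCE = "RESOURCE-ID-FROM-THE-FULFILLMENT-API-DOCS"  # placeholder, not a real ID


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_test_id_token(claims: dict) -> str:
    """Constructed, unsigned JWT so the checks below can run offline; never accept such a token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def validate_landing_page_claims(id_token: str, client_id: str, now: int, allowed_tenants=None) -> dict:
    """Claim checks for a user signed in through the multi-tenant landing-page app."""
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    tid = claims.get("tid")
    if not tid:
        raise ValueError("token carries no tenant id")
    # Signed in via the 'common' authority, the issuer differs per tenant: tie it to the token's own tid.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("issuer does not match the token's tenant")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this landing page")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token is not valid at this time")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise ValueError("tenant is not on the allow-list")  # optional: only vetted customer tenants
    return {"tenant": tid, "user": claims["oid"], "name": claims.get("name"),
            "email": claims.get("preferred_username")}


def build_client_credentials_request(tenant_id, client_id, client_secret, resource=MARKETPLACE_API_RESOURCE):
    """Form POST for the v1 endpoint: client_credentials with 'resource' (v2 would take 'scope')."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "resource": resource})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, form


def get_app_token(send, tenant_id, client_id, client_secret, resource=MARKETPLACE_API_RESOURCE) -> str:
    """send(url, headers, form) -> (status, json_body): inject a real HTTP POST or a fake for tests."""
    url, headers, form = build_client_credentials_request(tenant_id, client_id, client_secret, resource)
    status, body = send(url, headers, form)
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token request failed: {status} {body}")
    return body["access_token"]
```

The `send` parameter is where a real `urllib.request.urlopen` POST would go; keeping it injectable is what lets the token flow be exercised without network access. The allow-list argument is the hook for the ITAR-style vetting mentioned earlier: a tenant that is not yet approved can be recognised at sign-in rather than after provisioning has started.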
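The Resolve, Activate, webhook and deferred plan-change flow described in this talk, as an added example in Python; it is not part of the talk or of the ContosoAmpBasic sample. The request shapes follow the public SaaS fulfillment API v2 documentation (POST resolve with the x-ms-marketplace-token header, POST activate, PATCH to change plan with a 202 and an Operation-Location header, GET on the operation). The Azure AD bearer token is taken as an input, the email notification is replaced by a returned record for the operations team, and the marketplace itself is a constructed in-memory fake so the file runs offline; the "free-holding" plan ID and all subscription and operation IDs are made up. The webhook handler carries the check a practitioner wants here: it does not act on the posted body, but fetches the operation through the API before notifying anyone.

```python
# Added example: resolve, activate, deferred plan change and webhook verification.
# Request shapes follow the public SaaS fulfillment API v2 documentation; the HTTP
# transport is injected, so this runs offline against the constructed fake below.
from typing import Optional

API_BASE = "https://marketplaceapi.microsoft.com/api/saas/subscriptions"
API_VERSION = "2018-08-31"

class FulfillmentClient:
    def __init__(self, bearer_token: str, send):
        # send(method, url, headers, json_body) -> (status, response_headers, json_body)
        self._token, self._send = bearer_token, send

    def _call(self, method, path, body=None, extra=None):
        url = f"{API_BASE}/{path}?api-version={API_VERSION}"
        headers = {"Authorization": f"Bearer {self._token}", "Content-Type": "application/json"}
        headers.update(extra or {})
        status, resp_headers, resp_body = self._send(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {resp_body}")
        return resp_headers, resp_body

    def resolve(self, marketplace_token: str) -> dict:
        # The opaque token arrives on the landing page as ?token=...; only Resolve can read it.
        return self._call("POST", "resolve", extra={"x-ms-marketplace-token": marketplace_token})[1]

    def activate(self, subscription_id: str, plan_id: str) -> None:
        # Activation is the signal that lets Microsoft start billing on plan_id.
        self._call("POST", f"{subscription_id}/activate", {"planId": plan_id, "quantity": ""})

    def change_plan(self, subscription_id: str, plan_id: str) -> str:
        # 202 Accepted plus an Operation-Location header; the change completes asynchronously.
        return self._call("PATCH", subscription_id, {"planId": plan_id})[0]["Operation-Location"]

    def get_operation(self, subscription_id: str, operation_id: str) -> Optional[dict]:
        try:
            return self._call("GET", f"{subscription_id}/operations/{operation_id}")[1]
        except RuntimeError:
            return None

class OnboardingService:
    HOLDING_PLAN = "free-holding"  # the fourth, $0 plan the talk suggests (hypothetical ID)

    def __init__(self, client: FulfillmentClient):
        self.client, self.records = client, {}

    def start(self, marketplace_token: str, region: str) -> dict:
        sub = self.client.resolve(marketplace_token)
        # Activate at once on the $0 plan: the subscription shows as active, nothing is billed.
        self.client.activate(sub["id"], self.HOLDING_PLAN)
        rec = {"intended_plan": sub["planId"], "region": region, "state": "activated_on_holding_plan"}
        self.records[sub["id"]] = rec
        return rec

    def complete(self, subscription_id: str) -> dict:
        # The operations team's "we are done" link: move to the plan the subscriber chose.
        rec = self.records[subscription_id]
        rec["operation"] = self.client.change_plan(subscription_id, rec["intended_plan"])
        rec["state"] = "plan_change_requested"
        return rec

    def handle_webhook(self, payload: dict) -> Optional[dict]:
        # A POST to the webhook proves nothing by itself: confirm the operation through the API.
        op = self.client.get_operation(payload["subscriptionId"], payload["id"])
        if not op or (op["action"], op["subscriptionId"]) != (payload["action"], payload["subscriptionId"]):
            return None
        return {"to": "operations-team", "action": op["action"], "subscription": op["subscriptionId"]}

def make_fake_marketplace():
    """Constructed stand-in for marketplaceapi.microsoft.com with in-memory state."""
    by_token = {"tok-abc": {"id": "sub-1111", "offerId": "contoso-iot", "planId": "gold"}}
    state = {"sub-1111": {"status": "PendingFulfillmentStart", "planId": None}}
    ops = {}

    def send(method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {}, {"error": "missing bearer token"}
        parts = url[len(API_BASE) + 1:].split("?", 1)[0].split("/")
        if (method, parts) == ("POST", ["resolve"]):
            sub = by_token.get(headers.get("x-ms-marketplace-token", ""))
            return (200, {}, sub) if sub else (400, {}, {"error": "bad marketplace token"})
        sid = parts[0]
        if sid not in state:
            return 404, {}, {}
        if (method, parts[1:]) == ("POST", ["activate"]):
            state[sid].update(status="Subscribed", planId=body["planId"])
            return 200, {}, {}
        if method == "PATCH" and len(parts) == 1:
            op_id = f"op-{len(ops) + 1}"
            ops[op_id] = {"id": op_id, "subscriptionId": sid, "action": "ChangePlan", "planId": body["planId"], "status": "InProgress"}
            return 202, {"Operation-Location": f"{API_BASE}/{sid}/operations/{op_id}"}, {}
        if method == "GET" and parts[1:2] == ["operations"] and len(parts) == 3 and parts[2] in ops:
            return 200, {}, ops[parts[2]]
        return 404, {}, {}

    return send, state, ops
```

To run it end to end: `send, state, ops = make_fake_marketplace()`, then `svc = OnboardingService(FulfillmentClient("<token from Azure AD>", send))`, `svc.start("tok-abc", "westeurope")` for the landing-page submit, and `svc.complete("sub-1111")` for the operations team’s link; a real deployment swaps `send` for an HTTPS transport and persists `records` somewhere durable, since weeks may pass between `start` and `complete`.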
