Something that keeps coming up in conversations about multi-tenant systems is the idea of a subdomain per tenant. So if I'm

<http://mysaas.com|mysaas.com>

and one of my tenants is

foocorp

, they will use

<http://foocorp.mysaas.com|foocorp.mysaas.com>

rather than

<http://app.mysaas.com/foocorp/|app.mysaas.com/foocorp/>...

Anyone has insights for why the subdomain pattern is popular and desirable? is this for specific use-cases?

Perhaps only because it makes the URL shorter, given you otherwise need a subdomain like

app

anyway

What if the subdomain is actually a redirect from your control plane DNS to services hosted in their account?

@Daniel Chaffelson I think it is sometimes implemented that way.

This is primarily useful when you want to offer your tenants to set up their own custom domains and so then they need a specific domain/subdomain to CNAME to. We do this @ HappyFox - where we provide <tenant>.happyfox.com subdomains and if they want to set up a custom domain for their account, they can simply CNAME their custom domain to their unique subdomain and this makes things pretty straight-forward.

I always wondered if it’s not just an easy “information disclosure” and like if I just want to know what says foocorp is using, I can just scrape popular SaaS for foocorp.popularsaas.whatever, wdyt about that?

As discussed above

<tenant>.<http://domain.com|domain.com>

format is useful for private and exclusive space for tenant and also easier to manage it via CNAME. But

<http://domain.com/|domain.com/><tenant>

is useful in content space or programmatic SEO focused companies (like G2, moneycontrol, or marketplace like zapier which have more than 1M pages). It easy to maintain sitemap.xml and robots.txt in that case.

<http://tenant.domain.com|tenant.domain.com>

makes routing tenants really simple.

@Tal Borenstein sounds like builtwith, I know they cover a lot of tech but not sure about saas

@Daniel Chaffelson question is what you do with customers who’s not really happy with people knowing what tech they use

The sub-domain can be a random string...

@Dave Roberts yea I know, just wondered around the question of companies who use the customer company name as subdomains. Not sure it’s even a problem but was curious what people are thinking about it.

I didn’t know that scanning/listing subdomains were possible

@Peter Hilton just think about that a potential attacker who's "interested" with your business could potentially scan major known saas providers for "yourcompany.saasprovider.com" to explore what's the attack surface

Fair enough, although to get a list of

<http://saasprovider.com|saasprovider.com>

customers you’d have to do that in reverse, which sounds like a denial-of-service attack, which escalates things somewhat

It's a quasi-DoS which won't hit the SaaS provider though.. Regardless of routing mechanism, it highlights the importance of having strong identity, isolation, and protection against noisy neighbour. If a tenant has had their credentials compromised (social vector etc.) then they will find a way to learn what SaaS products they have access.

@Tal Borenstein It depends on the nature of the application. If you see the examples I gave - all these apps are public / consumer facing and there is really no need to hide it. In our case - you can send an email to any company's support/contact address and easily figure out which helpdesk software they are running. Same goes for Shopify / Wordpress / etc.

@Pradeek J They don't need to scrap it, first they will try DNS query. If DNS is valid then they can try scrap.

DNS is unlikely to be helpful since most tenant based systems will have a wildcard DNS record. Won't really help with segregating valid vs invalid tenants.

Yes true

Many shades of SaaS, and many right answers to the same question.

Adding to the subdomain DNS argument, I feel like moving routing as far to the edge as possible has real value. You can (but don't have to) delegate routing to a service like Route 53 and achieve, just to name a few: 1. multi-regional routing 2. failover 3. different load balancing strategies 4. protect from DDoS outside your application If you do path based routing, it's going to be a lot more challenging to achieve all of the same, and in fact the routing may occur deep within your application (Like an ingress controller in k8 for example), which make an attack more impactful.