
Edge Security Acceleration: SaaS Manager

Last Updated: Dec 24, 2025

The SaaS Manager in Edge Security Acceleration (ESA) lets you add your customers' custom domains, such as app.customer.com, to your existing ESA website. This seamlessly extends your site's security and acceleration capabilities to your end customers, enhancing their brand trust while simplifying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate management and security policy configuration for customer domains.

Benefits

  • Service scalability: Configure a unique custom domain for each customer, delivering a branded experience that enhances customer trust.

  • Centralized management: All customer domains inherit the security policies of your primary ESA site, including WAF protection, Bot Management, and Access Control. This centralizes risk management and reduces operational complexity.

  • Content acceleration: Customer domains benefit from Alibaba Cloud's global network of points of presence (POPs) to achieve low-latency, high-availability content delivery. This significantly improves access speed for end users.

  • Certificate management: Choose from three SSL/TLS configuration options to balance convenience and compliance: free certificates automatically provisioned by Let's Encrypt, custom certificate uploads, or referencing an existing Alibaba Cloud Certificate.

  • Automated validation: The feature supports both CNAME and DNS TXT records for domain ownership validation. The validation process is clear and simple, ensuring valid domain ownership.

  • Real-time status monitoring: Monitor the real-time status of your domains. Statuses include Pending Validation, Activated, Deactivated, and Conflicted. This helps with troubleshooting and governance.

  • ICP filing compliance: Includes an ICP filing check for services in the Chinese mainland to ensure compliance with local regulations.

Use cases

SaaS Manager uses CNAME records to associate your end customers' custom domains with your existing site in ESA. This process routes all traffic for the custom domains through ESA. Common use cases include:

  • Multi-tenant domain hosting for SaaS platforms: A CRM system service provider (SP) wants to offer dedicated subdomain access for its enterprise customers, such as customer-a.crm-platform.com. The provider also needs to ensure these domains have HTTPS encryption and protection against attacks. The SaaS Manager allows the provider to centrally configure the origin server, certificates, and security policies for all customer domains.

  • Branded customer portal acceleration: An e-commerce platform provider that hosts custom storefronts for clients, like shop-client.example-store.com, needs to quickly enable CDN acceleration and SSL/TLS encryption. SaaS Manager allows the provider to deploy these features without altering the customer's existing DNS structure.

  • Secure proxy for third-party application integration: A developer tools platform offers an API gateway service for its plugin developers, which allows them to attach their own domain names. The SaaS Manager allows the platform to apply unified identity authentication, throttling, and traffic scrubbing to all connected domains.

Configure a custom domain name for a SaaS customer

Follow this example to add a customer's custom domain with zero downtime.

Scenario

A SaaS provider has onboarded the site example.com to ESA and serves content from the origin origin.example.com. The provider now wants to add a customer's domain, custom.site.com, to the site to improve the customer's website security and performance.

Procedure overview

  1. Add a custom domain name: Add a new SaaS Manager to your ESA site and add the customer's domain, custom.site.com.

  2. Validate domain ownership: Provide the validation information to your customer. The customer configures a TXT record with their DNS provider to complete the validation.

  3. Configure a CNAME record: Provide the CNAME address to the customer. The customer then switches their domain's DNS resolution to this CNAME address to route traffic to ESA.

  4. Verify the configuration: After the configuration is complete, verify that it is working correctly.

Step 1: Add a custom domain name

  1. In the ESA console, choose Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, click DNS > SaaS Manager > Add SaaS Manager.

  3. On the Add SaaS Manager page, configure the following parameters:

    • Domain Name: Enter the custom domain name. In this example, enter custom.site.com.

    • SSL/TLS: Enable SSL/TLS for the custom domain name. Once enabled, you can select a certificate type.

      • Certificate Type: Select Free Certificate. ESA automatically configures an edge certificate for the domain name.

    • DNS Record: Select the DNS record of the service provider to bind. In this example, select origin.example.com.

Step 2: Verify custom domain ownership

  1. On the SaaS Manager page, click the icon to the left of the newly added custom domain name to expand the validation information. Copy the Domain Validation TXT Name and Domain Validation TXT Value.

  2. Go to the DNS provider for the custom domain name. Add a DNS record of the TXT type using the Domain Validation TXT Name and Domain Validation TXT Value that you copied in the previous step.

  3. After you add the record, wait for the DNS change to propagate. Then, return to the ESA console and click the Verify button. Wait until the Status column changes to Activated.

Step 3: Configure a CNAME record

  1. On the SaaS Manager page, click the icon to the left of the newly added custom domain name to expand the validation information. Copy the CNAME Address.

  2. Go to the DNS provider for the custom domain name. Add a DNS record of the CNAME type using the CNAME Address that you copied in the previous step:

    • Host Record: Enter the prefix of the custom domain name, which is custom.

    • Record Type: Select CNAME.

    • Record Value: Enter the CNAME Address that you just copied.

Step 4: Verify the configuration

After the configuration is complete, navigate to https://custom.site.com in your browser. If the website loads correctly, the custom domain name has been successfully added and is served by ESA.

Wait for the Certificate Status to change to Normal before you access the site using HTTPS. While the certificate is being issued, you can test the configuration by accessing http://custom.site.com.
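The DNS side of steps 2 to 4 can be checked from the command line before you click Verify. The following is an added example, not part of the ESA documentation or tooling: it interprets `dig +short` output for the validation TXT record and the CNAME cutover. The TXT name, TXT value and CNAME address are constructed placeholders; copy the real ones from the SaaS Manager page.

```python
import subprocess

# Constructed placeholders: replace with the values shown in the console.
DOMAIN = "custom.site.com"
TXT_NAME = "_validation-placeholder.custom.site.com"
TXT_VALUE = "placeholder-token-from-console"
CNAME_ADDRESS = "cname-placeholder.example.net"


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def txt_strings(dig_output):
    """Join the quoted chunks of each TXT answer line from `dig +short`."""
    values = []
    for line in dig_output.splitlines():
        chunks = line.split('"')[1::2]  # text between each pair of quotes
        if chunks:
            values.append("".join(chunks))
    return values


def readiness(txt_out, a_out, txt_value=TXT_VALUE, cname=CNAME_ADDRESS):
    """Map DNS answers onto step 2 (TXT) and step 3 (CNAME) of the procedure."""
    lines = [l.strip() for l in a_out.splitlines() if l.strip()]
    # In `dig +short <name> A`, CNAME hops end with a dot; addresses do not.
    hops = [norm(l) for l in lines if l.endswith(".")]
    return {
        "txt_ok": txt_value in txt_strings(txt_out),
        "cname_ok": bool(hops) and hops[0] == norm(cname),
        "resolves": any(not l.endswith(".") for l in lines),
    }


def dig(name, rtype):
    """Run `dig +short`; needs the dig binary and network access."""
    return subprocess.run(["dig", "+short", name, rtype],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample answers so the check runs offline; for a live check
    # pass dig(TXT_NAME, "TXT") and dig(DOMAIN, "A") instead.
    sample_txt = '"placeholder-token-" "from-console"\n'
    sample_a = "CNAME-Placeholder.Example.NET.\n203.0.113.10\n"
    print(readiness(sample_txt, sample_a))
```

A result with `cname_ok` false but `resolves` true means the domain still answers from its old records and traffic is not yet routed through ESA.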

SaaS Manager status descriptions

  • Pending Verification: You have not yet validated ownership of the customer's custom domain name. For more information, see Step 2: Verify custom domain ownership to complete the configuration. Then, click the Verify button for the system to re-verify.

  • Activated: The SaaS Manager is operating normally.

  • Deactivated: This status occurs in the following situations:

    • If the system detects that the custom domain name is involved in prohibited activities, the domain will be blocked. The SaaS Manager status will change to Deactivated.

    • For sites with an acceleration region in the Chinese mainland or Global (including the Chinese mainland), if your site or the customer's custom domain name has not completed ICP filing, the domain will be in the Deactivated state.

      After completing the ICP filing, click the Verify button to have the system re-verify and restore the service.

  • Conflicted: Default site records have a higher priority than the SaaS Manager. When your domain is in the Activated state, if any of the following situations occur, the domain status changes to In Use. The domain cannot provide service in this state.

    • An A/AAAA or CNAME record that conflicts with the domain name is added to any activated site, or in the case of an origin pool and load balancing. For example, if an activated domain customer.example.com exists, and an activated site example.com also exists, adding a record for customer.example.com or *.example.com changes the domain status to Conflicted. You can delete the conflicting record and then click the Verify button for the system to re-verify.
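The conflict rule above can be applied as a pre-check before a record is added to a site. The following is an added example, not ESA code: it flags A/AAAA and CNAME records whose name equals, or as a wildcard covers, an activated SaaS custom domain. It assumes a wildcard covers every name below its parent and does not model the origin pool and load balancing case; the record and domain lists are constructed.

```python
CONFLICT_TYPES = {"A", "AAAA", "CNAME"}  # the record types the page names


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def covers(record_name, domain):
    """True if a site record with this name would answer for `domain`."""
    record_name, domain = norm(record_name), norm(domain)
    if record_name.startswith("*."):
        # Assumption: the wildcard covers any name below its parent,
        # which errs on the side of flagging more records.
        return domain.endswith(record_name[1:])
    return record_name == domain


def find_conflicts(site_records, saas_domains):
    """Return (record_name, record_type, saas_domain) for each clash."""
    hits = []
    for name, rtype in site_records:
        if rtype.upper() not in CONFLICT_TYPES:
            continue  # e.g. TXT records are not listed as conflicting
        for domain in saas_domains:
            if covers(name, domain):
                hits.append((norm(name), rtype.upper(), norm(domain)))
    return hits


if __name__ == "__main__":
    # Constructed inventory: activated SaaS domains and site records.
    saas = ["customer.example.com", "custom.site.com"]
    records = [
        ("www.example.com", "A"),
        ("*.example.com", "CNAME"),
        ("customer.example.com", "TXT"),
        ("Customer.Example.com.", "AAAA"),
    ]
    for hit in find_conflicts(records, saas):
        print("would become Conflicted:", hit)
```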

Availability

| Feature | Entrance | Pro | Premium | Enterprise |
| --- | --- | --- | --- | --- |
| Number of SaaS Managers supported | 5 | 20 | 100 | Contact sales for custom plans |