Skip to content

Connect to SaaS Applications

What is a SaaS connection?

A SaaS (Software as a Service) connection is a connection type within fidesops that allows a user to connect to a SaaS application (e.g., Mailchimp, Stripe, Slack, etc.) and execute data access and erasure requests against that application. These connections use functionality introduced in earlier sections (ConnectionConfigs and Datasets) but also use a new SaaS configuration specification to define how to connect to specific SaaS applications.

Supported SaaS applications

The current implementation of the SaaS framework can support any SaaS application that uses these features:

  • Basic auth, bearer auth, OAuth2 (Authorization Code Flow)
  • Data access via HTTP requests
  • Erasure via HTTP requests
  • Pagination based on headers and response contents

The following features are planned for future releases and will allow for the configuration of broader types of connections:

  • Custom Python functions for access and erasure requests
  • Retry logic based on status codes and response contents

Full examples of a valid SaaS config and Dataset are currently available for Mailchimp.

How to configure a SaaS connector

For convenience we've included a SaaS Connector Postman collection to execute the necessary steps to configure a SaaS connector.

  1. Create a ConnectionConfig of type saas 
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
    PATCH api/v1/connection

[
  {
    "name": "SaaS Application",
    "key": {saas_key},
    "connection_type": "saas",
    "access": "read"
  }
]
  2. Add a SaaS Config (in JSON format) 
    1
2
3
4
5
6
7
8
    PATCH api/v1/connection/{saas_key}/saas_config

{
    "fides_key": "mailchimp_connector_example",
    "name": "Mailchimp SaaS Config",
    "type": "mailchimp",
    "description": "A sample schema representing the Mailchimp connector for fidesops"
    ...
  3. Configure the secrets. The SaaS config must already defined to provide validation for the secrets. 
    1
2
3
4
5
6
7
    PUT api/v1/connection/{saas_key}/secret

{
  "domain": "{mailchimp_domain}",
  "username": "{mailchimp_username}",
  "api_key": "{mailchimp_api_key}"
}
  4. Add a Dataset (in JSON format) 
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
    PUT api/v1/connection/{saas_key}/dataset
[
  {
    "fides_key":"mailchimp_connector_example",
    "name":"Mailchimp Dataset",
    "description":"A sample dataset representing the Mailchimp connector for fidesops",
    "collections":[
      {
        "name":"messages"
    ...

Additional considerations

These are constraints enforced by the API validation but it is important to keep these in mind.

  1. A SaaS connector dataset cannot have any identities or references in the fidesops_meta. These relationships must be defined in the SaaS config.
  2. SaaS config references can only have a direction of from.
  3. The fides_key between the SaaS config and the Dataset must match. This is how we associate the two pieces together.
Back to top