tencent cloud

This document describes how to use Employee Identity and Access Management (EIAM) and SSL VPN to implement access control to improve your business security.

Note：

• Currently, the SSO authentication feature is in beta testing and available only in the Singapore region. To use the feature, please submit a ticket for application.
• The Tof SAML secret-free login portal is accessible only to Tencent internal users.

Process

EIAM Verification Configuration

This section describes the main steps for configuring EIAM verification.

Configuring the authentication source

Note：

1. Make sure that you have obtained your metadata.xml file from Tof SAML.
2. If you encounter any issues, please submit a ticket for assistance.

1. Log in to the EIAM console and click Auth Source Management on the left sidebar. On the Authentication management page that appears, click Create authentication source.
   
2. Select SAML and click Next on the Create authentication source page.
3. Configure the authentication parameters on the Edit authentication source information tab.

• Jump address: Set this parameter to the value of <location> (the URL marked by Tag1 in the image below) in <singlesignonservice></singlesignonservice> in the metadata.xml file.
• Third party IDP certificate: Set this parameter to the value of <x509certificate> (the certificate marked by Tag2 in the image below) in <keydescriptor use="encryption"></keydescriptor> in the metadata.xml file.

Enable compression encoding: Toggle on the switch.

4. Click OK.


5. Click the SAML that is created in Step 4 and then click Download SAML metadata file.

6. Send the metadata.xml file that is downloaded in Step 5 to Tof Assistant on WeCom for authorization.
After the authorization is complete, you can perform the subsequent steps.

Creating a user

1. Log in to the EIAM console, select User Management > Org Management on the left sidebar and click root. On the page that appears, click Create user.
2. On the Create user page, configure the required parameters.
   The username and password configured on this page are used to log in to the Tencent Cloud Client VPN Self-Service Portal.

Creating a user group and adding members

1. Select User management > User group management on the left sidebar. On the User group management page, click Create user group, configure the parameters, and click OK.
2. In the section of the created user group, click Add user.
3. On the Add user page that appears, add members to the user group and click OK.

Creating an EIAM application

1. Select App Management on the left sidebar and click Create through application marketplace. Then select OpenVPN and click Next: Edit application information.
2. On the Edit application information tab, enter the relevant information as prompted and click Next: Complete.

Authorizing the EIAM application

1. Select App Authorization on the left sidebar and then click User group authorization > Add authorization.
2. On the Add Authorization page, select the EIAM application just created and click Next: Select user group.
3. On the Select user group tab, select the user group to be authorized and click Next: Complete.

SSL VPN Configuration

Creating an SSL VPN gateway

1. Log in to the VPC console and select VPN Connections > VPN gateway on the left sidebar to enter the management page.
2. On the VPN gateway management page, click + New. On the Create VPN gateway page, configure the SSL VPN gateway parameters.
3. Click Create.

Creating an SSL VPN server

1. Select VPN Connections > SSL VPN Server on the left sidebar to enter the admin page.
2. On the SSL VPN server management page, click + New. In the Create an SSL VPN server pop-up window, configure the SSL VPN server parameters.

   Parameter	Configuration
   Name	Enter the SSL VPN server name (up to 60 characters).
   Region	Display the region of the SSL VPN server.
   VPN gateway	Select an existing VPN gateway.
   Server IP range	Tencent Cloud IP ranges accessed by mobile clients.
   Client IP Range	Enter the IP range assigned to the mobile client for communication. The IP range shall not conflict with the VPC CIDR block of Tencent.
   Protocol	Transmission protocol of the server.
   Port	Enter the SSL VPN server port used for data forwarding.
   Verification algorithm	Supported authentication algorithms: SHA1 and MD5.
   Encryption algorithm	Supported encryption algorithms: AES-128-CBC, AES-192-CBC, and AES-256-CBC.
   Compressed	No.
   Access control	Enable it. Note To use this feature, please submit a ticket for application.
   Verification method	Select Certificate verification + Identity verification.
   EIAM application	Select an application that is created in EIAM.

Configuring an access control policy

1. Select VPN Connections > SSL VPN Server on the left sidebar to enter the admin page.

2. In the SSL VPN server list, click the ID of the target instance.

3. On the SSL VPN server details page, click Access control > Add policy and configure the policy information as prompted.

   Parameter	Configuration
   Destination	Enter the local IP range, that is, IP range for accessing the cloud. Note The destination IP range needs to be in the same IP range as the local IP range. If you change the local IP range, you need to modify the destination address of the access control.
   Access permission	Select Specific user group. After selecting this option, you need to configure the access group ID.
   Access group ID	Select a user group to be granted the access permission.
   Remarks	Enter the policy remarks, which are required and make it easier for you to find the policy.

4. Click OK.

Creating an SSL VPN client

1. Select VPN Connections > SSL VPN Client on the left sidebar to enter the admin page.
2. In the Create an SSL VPN client pop-up window, specify a client name, select the SSL VPN server to which you want to connect, and click OK.

Downloading an SSL VPN Client Configuration File and Client on the Client VPN Portal

1. Log in to the Tencent Cloud Client VPN Self-Service Portal.
2. In the SSL VPN server ID input box, enter the ID of the created SSL VPN server and click Next to access the login page.
3. Log in to the Tencent Cloud Client VPN Self-Service Portal.
   If you configured an authentication source in EIAM and added the authentication source to the user group that can access resources in the cloud, click and then click Jump to authentication (SAML) to enter the page on which you can download the SSL VPN client configuration file and the SSL VPN client.
4. In the Download SSL VPN client configuration file section, find the target configuration file and click Download.
5. In the Download SSL VPN client section, find an appropriate SSL VPN client and click Download.
   
   This document takes macOS as an example. After you click Download, you will be redirected to the official website of OpenVPN, where you can download the client.

Installing and connecting the SSL VPN client

1. Decompress the installation package locally and double-click the installer to install the client as prompted.
   
2. Upload the SSL VPN configuration file that you have downloaded.
   After the configuration file is successfully uploaded, the client automatically connects to the SSL VPN server.