This document describes how to use Employee Identity and Access Management (EIAM) together with SSL VPN to implement access control and improve the security of your business.
- Currently, the SSO authentication feature is in beta testing and available only in the Singapore region. To use the feature, please submit a ticket for application.
- The Tof SAML secret-free login portal is accessible only to Tencent internal users.
EIAM Verification Configuration
This section describes the main steps for configuring EIAM verification.
Configuring the authentication source
- Make sure that you have obtained your metadata.xml file from Tof SAML.
- If you encounter any issues, please submit a ticket for assistance.
1. Log in to the EIAM console and click Auth Source Management on the left sidebar. On the Authentication management page that appears, click Create authentication source.
2. On the Create authentication source page, select SAML and click Next.
3. Configure the authentication parameters on the Edit authentication source information tab.
   - Jump address: Set this parameter to the Location value of <SingleSignOnService> (the URL marked by Tag1 in the image below) in the metadata.xml file.
   - Third party IDP certificate: Set this parameter to the value of <X509Certificate> (the certificate marked by Tag2 in the image below) inside <KeyDescriptor use="encryption"> in the metadata.xml file.
   - Enable compression encoding: Toggle on the switch.
4. Click OK.
5. Click the SAML authentication source created in Step 4 and then click Download SAML metadata file.
6. Send the metadata.xml file downloaded in Step 5 to Tof Assistant on WeCom for authorization.
After the authorization is complete, you can perform the subsequent steps.
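The two values that Step 3 asks you to copy out of metadata.xml can be extracted programmatically, which avoids pasting the wrong certificate (the signing one instead of the encryption one). This is an added example, not code from Tencent Cloud or Tof; the metadata document inside it is constructed for illustration with placeholder certificate bodies, and the namespaces are the standard SAML 2.0 metadata and XML Signature ones.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",   # SAML 2.0 metadata namespace
      "ds": "http://www.w3.org/2000/09/xmldsig#"}    # XML Signature namespace

# Constructed sample metadata (not a real Tof file); certificate bodies are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.internal/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        ENCRYPTION-CERT-
        PLACEHOLDER
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.internal/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.internal/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_eiam_values(metadata_xml, binding=None):
    """Return the Jump address and third-party IdP certificate for the EIAM form.

    binding: optional suffix such as "HTTP-Redirect" to choose one SingleSignOnService
    when the IdP publishes several; by default the first one listed is used.
    Raises ValueError if either element is missing, so a wrong file is caught early.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    jump = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if binding is None or sso.get("Binding", "").endswith(binding):
            jump = sso.get("Location")
            break
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # drop PEM line breaks and indentation
    if jump is None or cert is None:
        raise ValueError("missing SingleSignOnService Location or encryption certificate")
    return {"jump_address": jump, "idp_certificate": cert}
```

Run it against the metadata.xml obtained from Tof SAML and paste the two returned values into the Jump address and Third party IDP certificate fields.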
Creating a user
- Log in to the EIAM console, select User Management > Org Management on the left sidebar and click root. On the page that appears, click Create user.
- On the Create user page, configure the required parameters.
The username and password configured on this page are used to log in to the Tencent Cloud Client VPN Self-Service Portal.
Creating a user group and adding members
- Select User management > User group management on the left sidebar. On the User group management page, click Create user group, configure the parameters, and click OK.
- Find the user group you just created and click Add user.
- On the Add user page that appears, add members to the user group and click OK.
Creating an EIAM application
- Select App Management on the left sidebar and click Create through application marketplace. Then select OpenVPN and click Next: Edit application information.
- On the Edit application information tab, enter the relevant information as prompted and click Next: Complete.
Authorizing the EIAM application
- Select App Authorization on the left sidebar and then click User group authorization > Add authorization.
- On the Add Authorization page, select the EIAM application just created and click Next: Select user group.
- On the Select user group tab, select the user group to be authorized and click Next: Complete.
SSL VPN Configuration
Creating an SSL VPN gateway
- Log in to the VPC console and select VPN Connections > VPN gateway on the left sidebar to enter the management page.
- On the VPN gateway management page, click + New. On the Create VPN gateway page, configure the SSL VPN gateway parameters.
- Click Create.
Creating an SSL VPN server
- Select VPN Connections > SSL VPN Server on the left sidebar to enter the admin page.
- On the SSL VPN server management page, click + New. In the Create an SSL VPN server pop-up window, configure the SSL VPN server parameters.
| Parameter | Description |
|---|---|
| Name | Enter the SSL VPN server name (up to 60 characters). |
| Region | Displays the region of the SSL VPN server. |
| VPN gateway | Select an existing VPN gateway. |
| Server IP range | Tencent Cloud IP ranges that the mobile clients access. |
| Client IP range | Enter the IP range assigned to mobile clients for communication. This range must not overlap with the VPC CIDR block in Tencent Cloud. |
| Protocol | Transmission protocol of the server. |
| Port | Enter the SSL VPN server port used for data forwarding. |
| Authentication algorithm | Supported authentication algorithms: SHA1 and MD5. |
| Encryption algorithm | Supported encryption algorithms: AES-128-CBC, AES-192-CBC, and AES-256-CBC. |
| Authentication method | Select Certificate verification + Identity verification. |
| EIAM application | Select an application created in EIAM. |
Configuring an access control policy
- Select VPN Connections > SSL VPN Server on the left sidebar to enter the admin page.
- In the SSL VPN server list, click the ID of the target instance.
- On the SSL VPN server details page, click Access control > Add policy and configure the policy information as prompted.
| Parameter | Description |
|---|---|
| Local IP range | Enter the local IP range, that is, the IP range used to access the cloud. |
| Destination IP range | Must be within the same IP range as the local IP range. If you change the local IP range, you also need to modify the destination address of the access control policy. |
| Authorization scope | Select Specific user group. After selecting this option, you need to configure the access group ID. |
| Access group ID | Select the user group to be granted access. |
| Remarks | Enter the policy remarks. They are required and make the policy easier to find. |
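The server parameters and the access control policy each carry a rule that the console only reports after the fact: the client IP range must not overlap the VPC CIDR block, and the destination IP range must sit inside the local IP range (plus the required access group ID and remarks). The preflight check below is an added example, not Tencent Cloud tooling; the sample values, the dictionary field names and the group ID placeholder are constructed for illustration.

```python
import ipaddress

# Supported values as listed in the SSL VPN server parameter table on this page.
SUPPORTED_AUTH = {"SHA1", "MD5"}
SUPPORTED_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC"}

def _net(label, value, problems):
    """Parse a CIDR block; record a problem instead of raising on host bits or typos."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError as err:
        problems.append(f"{label} {value!r} is not a valid CIDR block: {err}")
        return None

def preflight(vpc_cidr, server, policy):
    """Return a list of problems with the planned values; an empty list means consistent.

    server: dict with client_range, port, auth, cipher
    policy: dict with local_range, dest_range, scope, access_group_id, remarks
    """
    problems = []
    vpc = _net("VPC CIDR", vpc_cidr, problems)
    client = _net("client IP range", server["client_range"], problems)
    # Server table: the client IP range must not overlap the VPC CIDR block.
    if vpc is not None and client is not None and client.overlaps(vpc):
        problems.append(f"client range {client} overlaps VPC CIDR {vpc}")
    if not 1 <= int(server["port"]) <= 65535:
        problems.append(f"port {server['port']} is out of range")
    if server["auth"] not in SUPPORTED_AUTH:
        problems.append(f"authentication algorithm {server['auth']!r} is not supported")
    if server["cipher"] not in SUPPORTED_CIPHERS:
        problems.append(f"encryption algorithm {server['cipher']!r} is not supported")
    local = _net("local IP range", policy["local_range"], problems)
    dest = _net("destination IP range", policy["dest_range"], problems)
    # Access control table: the destination range must lie within the local range.
    if local is not None and dest is not None and not dest.subnet_of(local):
        problems.append(f"destination {dest} is not inside local range {local}")
    if policy["scope"] == "Specific user group" and not policy.get("access_group_id"):
        problems.append("Specific user group selected but no access group ID configured")
    if not policy.get("remarks"):
        problems.append("policy remarks are required")
    return problems

# Constructed sample values (not from the page); the group ID is a placeholder.
SAMPLE_SERVER = {"client_range": "192.168.100.0/24", "port": 1194,
                 "auth": "SHA1", "cipher": "AES-256-CBC"}
SAMPLE_POLICY = {"local_range": "10.0.0.0/16", "dest_range": "10.0.1.0/24",
                 "scope": "Specific user group", "access_group_id": "GROUP-ID-PLACEHOLDER",
                 "remarks": "finance team VPN access"}
```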
Creating an SSL VPN client
- Select VPN Connections > SSL VPN Client on the left sidebar to enter the admin page.
- In the Create an SSL VPN client pop-up window, specify a client name, select the SSL VPN server to which you want to connect, and click OK.
Downloading an SSL VPN Client Configuration File and Client on the Client VPN Portal
- Open the Tencent Cloud Client VPN Self-Service Portal.
- In the SSL VPN server ID input box, enter the ID of the created SSL VPN server and click Next to go to the login page.
- Log in to the Tencent Cloud Client VPN Self-Service Portal.
If you configured an authentication source in EIAM and added it to the user group that can access resources in the cloud, click Jump to authentication (SAML) to enter the page on which you can download the SSL VPN client configuration file and the SSL VPN client.
- In the Download SSL VPN client configuration file section, find the target configuration file and click Download.
- In the Download SSL VPN client section, find an appropriate SSL VPN client and click Download.
This document takes macOS as an example. After you click Download, you will be redirected to the official website of OpenVPN, where you can download the client.
Installing and connecting the SSL VPN client
- Decompress the installation package locally and double-click the installer to install the client as prompted.
- Upload the SSL VPN configuration file that you have downloaded.
After the configuration file is successfully uploaded, the client automatically connects to the SSL VPN server.