Tutorial: Use CloudConnexa with a mix of authentication methods

Abstract

This tutorial shows how to use CloudConnexa with different authentication methods for different users.

Overview

Owen, the Network Admin for a fintech company, already uses CloudConnexa to give employees access to private resources and applications on AWS. The product team is developing a new application on AWS and wants to grant an external company access to it for a security audit.

Owen has configured CloudConnexa to use SSO authentication with Okta via SAML. He does not want to onboard the external company's consultants as employees in Okta. He wants them to access AWS under their true identities, using the email addresses provided by the external company (for example, bob@securityconsultants.com).

Owen wants a way to use CloudConnexa to authenticate the external consultants with email, password, and 2FA while continuing to authenticate employees with Okta.

Setup

Owen decides that the best approach is to use the multi-WPC feature to create a separate virtual overlay network for the external company's consultants, and to use the Application Sharing feature to give them access to the private application.

He follows the steps below:

  1. Owen creates a new WPC with a Cloud ID of security_consultants for the external company.

  2. He enables 2FA for user authentication and uses the local CloudConnexa authentication method.

  3. He adds the authorized consultants as users to the security_consultants WPC using their email addresses.

  4. He switches the Administration portal from the security_consultants WPC to the WPC used by his employees, which uses SAML authentication, and shares the AWS application with the security_consultants WPC.

  5. He switches back to the Administration portal of the security_consultants WPC and navigates to AppHub, which opens on the App Client tab. The shared application appears in the Awaiting Approval section, and he clicks the Accept button.

The security consultants receive an invitation email with their username, a temporary password, and instructions to download the Connect app and connect to the security_consultants.openvpn.com WPC. Once connected to the CloudConnexa Region nearest their location, they can access the shared AWS application. Meanwhile, the employees continue to authenticate with Okta and use their usual WPC.

By using Application Sharing to isolate the external company's consultants in their own WPC, Owen limits lateral movement: the consultants can reach only the application shared with their WPC, not the rest of the employee network. He can configure other zero-trust controls, such as location context, device posture, and access groups, as appropriate.
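The following script is an added example, not CloudConnexa's own code or API, that audits the design described above: it checks that every external identity sits in the local-auth WPC with 2FA enforced, that every employee is authenticated via SAML, and that users of the security_consultants WPC can reach only the application shared into it. The Wpc and User records, the employees Cloud ID, the fintech.example domain and the application names are constructed assumptions for this example; only security_consultants and bob@securityconsultants.com come from the tutorial.

```python
"""Audit a two-WPC CloudConnexa design: employees on a SAML WPC, external
consultants on a local-auth WPC with 2FA, and only the shared application
reachable from the consultants' WPC.

Added example. The record layouts and sample data below are constructed for
this script; they are not CloudConnexa's API or export format."""
from dataclasses import dataclass, field

EMPLOYEE_WPC = "employees"               # assumed Cloud ID of the SAML WPC
CONSULTANT_WPC = "security_consultants"  # Cloud ID from the tutorial
EMPLOYEE_DOMAIN = "fintech.example"      # assumed employee email domain


@dataclass
class Wpc:
    cloud_id: str
    auth_method: str        # "saml" or "local"
    two_factor: bool        # 2FA enforced by CloudConnexa for this WPC's users
    hosted_apps: frozenset = frozenset()                # apps native to this WPC
    shared_from: dict = field(default_factory=dict)     # app -> source WPC (Application Sharing)


@dataclass(frozen=True)
class User:
    email: str
    wpc: str


def email_domain(email):
    return email.rsplit("@", 1)[-1].lower()


def audit(wpcs, users, employee_domain):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    by_id = {w.cloud_id: w for w in wpcs}
    for w in wpcs:
        # Local (email + password) authentication must be paired with 2FA.
        if w.auth_method == "local" and not w.two_factor:
            findings.append(f"WPC {w.cloud_id}: local authentication without 2FA")
    for u in users:
        w = by_id.get(u.wpc)
        if w is None:
            findings.append(f"{u.email}: assigned to unknown WPC {u.wpc}")
            continue
        internal = email_domain(u.email) == employee_domain
        if internal and w.auth_method != "saml":
            findings.append(f"{u.email}: employee not authenticated via SAML (WPC {u.wpc})")
        if not internal and w.auth_method == "saml":
            findings.append(f"{u.email}: external identity placed in SAML WPC {u.wpc}")
    return findings


def reachable_apps(wpc):
    """Applications a user of this WPC can reach: hosted plus shared-in."""
    return set(wpc.hosted_apps) | set(wpc.shared_from)


# Constructed sample matching the tutorial's setup. For the SAML WPC, 2FA is
# the identity provider's concern, so it is not enforced by CloudConnexa here.
EMPLOYEES = Wpc(EMPLOYEE_WPC, "saml", False,
                hosted_apps=frozenset({"payroll", "audit-target"}))
CONSULTANTS = Wpc(CONSULTANT_WPC, "local", True,
                  shared_from={"audit-target": EMPLOYEE_WPC})
SAMPLE_WPCS = [EMPLOYEES, CONSULTANTS]
SAMPLE_USERS = [
    User("alice@fintech.example", EMPLOYEE_WPC),          # constructed employee
    User("bob@securityconsultants.com", CONSULTANT_WPC),  # consultant from the tutorial
]


def misplaced_consultant_findings():
    """Findings if a consultant were onboarded into the SAML WPC instead of
    security_consultants, the outcome Owen wanted to avoid."""
    users = SAMPLE_USERS + [User("carol@securityconsultants.com", EMPLOYEE_WPC)]
    return audit(SAMPLE_WPCS, users, EMPLOYEE_DOMAIN)


if __name__ == "__main__":
    for line in audit(SAMPLE_WPCS, SAMPLE_USERS, EMPLOYEE_DOMAIN) or ["no findings"]:
        print(line)
    print("consultants can reach:", sorted(reachable_apps(CONSULTANTS)))
    print("misplaced consultant:", misplaced_consultant_findings())
```

Run it as-is to see the clean result, then edit the sample records (for example, give CONSULTANTS two_factor=False, or add a second shared app) to see which invariant each change breaks. The same checks can be run over a real user export once the records are mapped into the Wpc and User shapes.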