Option 2: CAM-Free Sub-Account Environment Isolation Based on Internal Enterprise Systems
Applicable Scenarios
Suitable for enterprises requiring white-label/brand customization: Employees only access corporate-owned domains without exposure to Tencent Cloud; integrates with existing SSO/LDAP systems for unified login.
Solution Overview
This solution uses internal enterprise systems as an authorization middleware layer to integrate TCB login processes with corporate identity systems, eliminating the need to create Tencent Cloud accounts for each employee:
- Employees log in using internal corporate accounts (e.g., employee ID, corporate email) without the need for Tencent Cloud accounts
- All authorization processes are completed under the corporate-owned domain (auth.your-domain.com)
- The corporate internal system is responsible for maintaining the mapping relationships between employees and TCB environments
- A dedicated TCB environment is automatically created for the employee upon first login
Overall Architecture
Login Process
Responsibilities of All Parties
| Role | Responsibilities |
|---|---|
| Corporate Internal System | Authenticates employee identity, maintains the employee↔environment mapping, proxies the device code request and rewrites authorization links to the enterprise domain, automatically creates an environment upon first login |
| OpenClaw | Serves as the employee operation portal, initiates login processes on behalf of employees, displays authorization links and login results |
| Tencent Cloud TCB | Provides capabilities such as environment creation, device code authorization, and temporary credential issuance |
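The middleware responsibilities in the table above (employee↔environment mapping, first-login provisioning, proxying the device code request and rewriting the authorization link to the corporate domain), as an added Python sketch that is not the page's or Tencent Cloud's own code. `FakeTcb`, its method names and the issuer hostname are constructed stand-ins for the real TCB API; only `auth.your-domain.com` comes from the page.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

CORPORATE_AUTH_HOST = "auth.your-domain.com"  # from the page; the only host employees ever see


@dataclass
class DeviceCode:
    device_code: str       # secret half of the pair, kept server-side only
    user_code: str         # short code the employee types in
    verification_uri: str  # issuer-hosted page, rewritten before display


class FakeTcb:
    """Constructed stand-in for the TCB API (assumption, not the real client)."""
    def __init__(self):
        self.envs, self.counter = {}, 0

    def create_env(self, label):
        self.counter += 1
        env_id = f"env-{self.counter:04d}"
        self.envs[env_id] = label
        return env_id

    def request_device_code(self, env_id):
        return DeviceCode(f"dc-{env_id}-secret", f"UC-{env_id[-4:]}",
                          f"https://issuer.example.test/device?env={env_id}")


class AuthMiddleware:
    def __init__(self, tcb, mapping=None):
        self.tcb = tcb
        self.mapping = dict(mapping or {})  # employee_id -> env_id, owned by the enterprise
        self.pending = {}                    # employee_id -> device_code, never sent to client

    def env_for(self, employee_id):
        if employee_id not in self.mapping:  # first login: provision a dedicated environment
            self.mapping[employee_id] = self.tcb.create_env(label=employee_id)
        return self.mapping[employee_id]

    def rewrite_link(self, uri):
        p = urlsplit(uri)  # keep path/query so the corporate proxy can forward the request
        return urlunsplit(("https", CORPORATE_AUTH_HOST, p.path, p.query, p.fragment))

    def start_login(self, employee_id):
        env_id = self.env_for(employee_id)
        dc = self.tcb.request_device_code(env_id)
        self.pending[employee_id] = dc.device_code
        link = self.rewrite_link(dc.verification_uri)
        assert urlsplit(link).hostname == CORPORATE_AUTH_HOST  # issuer host must not leak
        return {"env_id": env_id, "user_code": dc.user_code, "link": link}
```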
Applicable Scenarios
- White-label/OEM requirement: Enterprises do not want employees to be exposed to the Tencent Cloud brand and want to provide an AI development environment under their own brand.
- Existing SSO system: The enterprise has a unified identity authentication system (LDAP, WeCom, DingTalk, etc.) and wishes to integrate login with it.
- Compliance requirements: The mapping between employees and cloud resources must be managed by the enterprise itself.
- Granular authorization: Enterprises wish to manage the list of environments each employee can access themselves.
Employees perceive only the corporate brand, with TCB operating behind the scenes.