Integrate with Feishu


This topic describes the procedure and common use cases for connecting to Feishu.

Process overview

Connecting IDaaS to Feishu requires four steps:

  1. Application permission configuration: Configure the required permissions for your application on the Feishu Open Platform to access necessary data and features.

  2. Development configuration: Configure development settings in the IDaaS console, such as the callback URL and application credentials.

  3. Scenario selection: Select the appropriate integration scenarios and authentication methods based on your business needs.

  4. Field mapping: Configure the mapping between Feishu user attributes and IDaaS user attributes to ensure correct data synchronization.

Use cases

After you connect to Feishu, you can use the following capabilities.

Category

Capability

Account

  • Full synchronization of contact data from Feishu to IDaaS EIAM (Employee Identity and Access Management), including scheduled verification.

Logon

  • Log on to IDaaS EIAM or its applications by scanning a Feishu QR code.

  • Log on to IDaaS EIAM or its applications from the Feishu workbench by using single sign-on (SSO).

Connect to Feishu

In the IdPs menu, click Other IdPs > Feishu to start the connection process.

Step 1: Configure application permissions

Important

Feishu has fine-grained application permission requirements. Some permissions take effect only after an administrator approves them and the application is published, which may require assistance from other administrators. Without the required permissions, features such as data synchronization will not be available. We recommend that you complete the permission configuration in this step before proceeding.

  1. Create a Feishu application.

    1. Go to the Feishu Open Platform, log on to the developer console, and create a custom enterprise application.

    2. After the application is created, its details page opens automatically. Click Credentials & Basic Info to obtain the App ID and App Secret.

  2. Enter the obtained App ID and App Secret in IDaaS.

  3. On the Feishu application details page, click Permission Management > Enable Permissions. In the dialog box that appears, switch to the Application Identity Permissions (tenant_access_token) tab, select the Contacts category in the filter area on the left, select the checkboxes for the permissions listed below, and then click Enable Permissions. These permissions grant read access to Contacts and are required for data synchronization and logon. The permissions that you need to enable are as follows:

    Permission | Value | Description
    Obtain basic contact information | contact:contact.base:readonly | --
    Obtain user ID | contact:user.employee_id:readonly | --
    Obtain basic department information | contact:department.base:readonly | --
    Obtain department organizational structure information from contacts | contact:department.organize:readonly | After applying for this permission, you must submit a version release application for review. The permission takes effect only after approval.
    Obtain basic user information | contact:user.base:readonly | --
    Obtain user organizational structure information | contact:user.department:readonly | After applying for this permission, you must submit a version release application for review. The permission takes effect only after approval.
    Obtain user email addresses | contact:user.email:readonly | This permission is optional. Enable it only if you need to synchronize this field to IDaaS.
    Obtain user mobile phone numbers | contact:user.phone:readonly | After applying for this permission, you must submit a version release application for review. The permission takes effect only after approval. This permission is optional. Enable it only if you need to synchronize this field to IDaaS.

    Note

    After you submit the release application, Feishu notifies the administrators, who must then review it in the Feishu Admin Console.

  4. Enable Feishu data permissions.

    1. In the Permission Management section, go to Accessible Data Range and click Configure.

    2. Select permissions based on your requirements. This scope determines which user and organization data can be synchronized to IDaaS and used for logon with Feishu. Select Consistent with the app’s available scope, and then click Save.

  5. Submit in IDaaS. After you complete the permission configuration in Feishu, click Next in IDaaS. IDaaS then verifies the API and data permissions. Once all required permissions are confirmed, you can proceed to the next step.

Step 2: Development settings

  1. Enter basic information.

    1. Enter the Display Name.

    2. Enter the Enterprise ID. You can obtain the enterprise ID from the Feishu Admin Console.

      In the left-side navigation pane of the Feishu Admin Console, choose Enterprise Management > Enterprise Overview. You can find the Enterprise ID (starts with FE) below the enterprise name at the top of the page.

  2. Configure development information.

    1. Redirect URL.

      1. View in IDaaS. The Redirect URL receives user logon callbacks. In IDaaS, go to the Development Configuration page, find the Redirect URL field, and copy both displayed URLs.

      2. Feishu configuration. In the Feishu application details, enter each copied URL in the Security Settings > Redirect URLs field and click Add.

    2. Application homepage.

      1. View in IDaaS. On the Development Configuration page in IDaaS, find the Application homepage field and copy the URL. This homepage is required to enable SSO from the Feishu workbench to the IDaaS user portal.

      2. Feishu configuration. In the Feishu application details, add the Web App capability: in the left navigation bar, click Add App Features, and on the Add by Feature tab find the Web App card and click the + Add button below it.

        After adding the capability, on the web application configuration page, enter the copied URL in the Desktop homepage and Mobile homepage fields. In the Open method configuration section, select Open in a new tab in Feishu (recommended) or Open in browser. Then, click Save.

    3. IP whitelist.

      1. View in IDaaS. After selecting Shared endpoint or Dedicated endpoint, the corresponding egress IPs are displayed. Click Expand to view the full IP list. Click Copy in the format required by Feishu to copy the IPs.

        • Shared endpoint: A shared endpoint is the default network endpoint used by an EIAM instance for network access. All EIAM instances share this endpoint. It supports public internet access only.

        • Dedicated endpoint: A dedicated endpoint is a network endpoint exclusively used by your EIAM instance. With a dedicated endpoint, you can use a dedicated IP address for data synchronization and delegated authentication with Feishu. For more information about dedicated endpoints, see Network endpoints.

      2. Feishu configuration. If you want to restrict network access based on IP addresses, copy the egress IP list of IDaaS and add it to the Feishu Application Security Settings > IP allowlist by using Batch Modify.

Step 3: Select scenarios

Select the scenario capabilities that you want to use.

Capability description

  • Synchronization target: Select Alibaba Cloud IDaaS from the drop-down list. The contact data from Feishu is imported to this node in IDaaS.

  • Scheduled verification: By default, IDaaS performs a full synchronization of Feishu data every day at midnight to ensure data consistency. You can use field mapping to specify matching rules between IDaaS accounts and Feishu users, for example, by matching account names to user IDs. If a match is found, the existing binding is updated. Otherwise, a new account is created. For real-time synchronization, you can manually trigger a full synchronization task. The system includes a built-in protection mechanism that automatically stops the synchronization if it detects that more than 30 accounts or 10 organizations are being deleted. This prevents accidental data loss. We recommend adjusting this threshold based on the size of your organization.

  • Scheduled verification cycle: The synchronization cycle is set to once per day by default, but you can customize the time by using a cron expression.

  • Incremental synchronization: This feature is disabled by default and must be enabled manually after you complete the connection. Incremental synchronization cannot be enabled if event notifications are not configured. To enable it, you must first configure event notifications by modifying the identity provider settings.

    • On the Identity Providers page, find the Feishu application you created and click Modify.

    • In the Event Configuration section, enter the Encrypt Key and Verification Token. You can obtain these values from the Events & Callbacks > Encryption Strategy section of your Feishu application details. After the modification, the Event Configuration page displays the Encrypt Key, Verification Token, and Request URL fields, and the Add Event area below lists the subscribed events: contact.department.created_v3 (department created), contact.department.deleted_v3 (department deleted), contact.department.updated_v3 (department information changed), contact.user.created_v3 (user created), contact.user.deleted_v3 (user deleted), contact.user.updated_v3 (user information changed), and contact.scope.updated_v3 (contact scope permissions updated).

    • Enter the Request URL in Feishu. In the left navigation bar of the Feishu application details page, click Events & Callbacks and select the Event Configuration tab. For Subscription Method, confirm that "Send events to developer server" is selected, and enter the Request URL copied from IDaaS in the Request URL input box (the URL to which Feishu sends events).

  • QR code logon: After enabling this feature, the IDaaS logon page displays an option to log on by using a Feishu QR code. Users can scan the QR code to authenticate. If the application homepage is also configured, users can access IDaaS directly from the Feishu workbench via SSO.
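The event notifications configured above arrive at the Request URL as HTTP requests from Feishu, and IDaaS acts on them by creating, updating or deleting accounts and organizations. A receiver therefore has to prove each request is genuine before acting on it. The following is an added example, not IDaaS or Feishu code: a minimal receiver written from the defender's side that checks the request signature with the Encrypt Key, checks the Verification Token, answers the one-time URL verification handshake, and maps the seven subscribed event types from the page to a sync action. The header names (X-Lark-Signature, X-Lark-Request-Timestamp, X-Lark-Request-Nonce), the signature formula (SHA-256 over timestamp + nonce + Encrypt Key + raw body) and the payload shapes follow Feishu's published event scheme as I understand it; treat them as assumptions to confirm against current Feishu documentation. The credentials, event identifiers and request bodies are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample credentials. In practice these are the Encrypt Key and
# Verification Token copied from Events & Callbacks > Encryption Strategy.
ENCRYPT_KEY = "example-encrypt-key"
VERIFICATION_TOKEN = "example-verification-token"

# The event types the page lists as subscribed, and the sync action each implies.
EVENT_ACTIONS = {
    "contact.department.created_v3": "create_org",
    "contact.department.deleted_v3": "delete_org",
    "contact.department.updated_v3": "update_org",
    "contact.user.created_v3": "create_account",
    "contact.user.deleted_v3": "delete_account",
    "contact.user.updated_v3": "update_account",
    "contact.scope.updated_v3": "full_resync",  # scope changed: re-run full sync
}


def expected_signature(timestamp, nonce, body, encrypt_key=ENCRYPT_KEY):
    """Assumed Feishu signature: hex SHA-256 over timestamp + nonce + encrypt_key + raw body."""
    material = (timestamp + nonce + encrypt_key).encode("utf-8") + body
    return hashlib.sha256(material).hexdigest()


def build_headers(timestamp, nonce, body, encrypt_key=ENCRYPT_KEY):
    """Build the three X-Lark-* headers a genuine request carries (used here to construct samples)."""
    return {
        "X-Lark-Request-Timestamp": timestamp,
        "X-Lark-Request-Nonce": nonce,
        "X-Lark-Signature": expected_signature(timestamp, nonce, body, encrypt_key),
    }


def verify_request(headers, body, encrypt_key=ENCRYPT_KEY):
    """Recompute the signature over the raw body and compare in constant time."""
    sig = headers.get("X-Lark-Signature", "")
    ts = headers.get("X-Lark-Request-Timestamp", "")
    nonce = headers.get("X-Lark-Request-Nonce", "")
    if not (sig and ts and nonce):
        return False
    expected = expected_signature(ts, nonce, body, encrypt_key)
    return hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8"))


def handle_event(headers, body, verification_token=VERIFICATION_TOKEN, encrypt_key=ENCRYPT_KEY):
    """Return (http_status, response_body, sync_action_or_None) for one incoming request."""
    # 1. Signature first: a request that fails this is not from Feishu and is never parsed further.
    if not verify_request(headers, body, encrypt_key):
        return 401, {"error": "bad signature"}, None
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed body"}, None
    # With an Encrypt Key configured the body arrives as {"encrypt": "..."} and must be
    # decrypted first (AES-CBC with a key derived from the Encrypt Key); not shown here.
    if "encrypt" in payload:
        return 400, {"error": "encrypted payload: decrypt before handling"}, None
    # 2. URL verification handshake sent when the Request URL is saved in Feishu.
    if payload.get("type") == "url_verification":
        if payload.get("token") != verification_token:
            return 401, {"error": "bad token"}, None
        return 200, {"challenge": payload.get("challenge")}, None
    # 3. Schema 2.0 event: the Verification Token travels in header.token.
    header = payload.get("header", {})
    if header.get("token") != verification_token:
        return 401, {"error": "bad token"}, None
    action = EVENT_ACTIONS.get(header.get("event_type"))
    if action is None:
        return 200, {}, None  # acknowledge unexpected types without acting on them
    return 200, {}, action


if __name__ == "__main__":
    sample = b'{"schema":"2.0","header":{"event_type":"contact.user.deleted_v3",' \
             b'"token":"example-verification-token"},"event":{}}'
    print(handle_event(build_headers("1700000000", "n1", sample), sample))
```

The order of checks matters: the signature is verified over the raw bytes before any JSON parsing, the token is checked before any event type is looked up, and an unsubscribed event type is acknowledged but produces no action, so a forged or replayed request cannot cause an account deletion. Real deployments should additionally reject stale timestamps and duplicate event_id values.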

Step 4: Field mapping

To link existing Feishu members or departments to your IDaaS accounts or organizations, you must configure field mapping in this step. You can also map specific Feishu fields to IDaaS account attributes, such as using a Feishu user's name as the display name for their IDaaS account.

Important

The Feishu user ID (userid) is the unique identifier of a Feishu user, and it can be modified. Because this field is the only primary key that IDaaS relies on, changing it causes the corresponding IDaaS account to be deleted and recreated. Modify this field with caution.
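The scheduled verification in Step 3 and the field mapping in this step together define one reconciliation: Feishu objects are matched to IDaaS objects on the mapped primary key, an existing binding is updated, an unmatched object is created, and objects that disappeared from Feishu are deleted, with the run aborted if more than 30 accounts or 10 organizations would be deleted. The following is an added example that is not IDaaS code: a planner that computes that reconciliation and trips the deletion threshold, written for both accounts and organizations (the page describes the behaviour for contacts generally; applying the same planner to departments is my generalization). The attribute names (user_id, department_id, external_id, display_name), the sample users and accounts, and the action names are constructed for the example.

```python
from dataclasses import dataclass, field

# Deletion-protection thresholds stated on the page: the sync stops if more than
# 30 accounts or 10 organizations would be deleted in one run.
MAX_ACCOUNT_DELETIONS = 30
MAX_ORG_DELETIONS = 10


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)   # new IDaaS objects to create
    update: list = field(default_factory=list)   # (external_id, changed fields) for bound objects
    delete: list = field(default_factory=list)   # external_ids no longer present in Feishu
    aborted: bool = False                        # True when the deletion threshold trips
    reason: str = ""


def plan_sync(source, target, key, field_map, max_deletions):
    """Reconcile Feishu objects (source) against IDaaS objects (target).

    key        Feishu attribute used as the primary key, e.g. "user_id" or "department_id"
    field_map  {feishu_field: idaas_field} attribute mapping, e.g. {"name": "display_name"}
    Each target object stores the Feishu key it is bound to in "external_id".
    """
    bound = {t["external_id"]: t for t in target}
    plan = SyncPlan()
    seen = set()
    for src in source:
        ext = src[key]
        seen.add(ext)
        desired = {idaas_f: src.get(feishu_f) for feishu_f, idaas_f in field_map.items()}
        current = bound.get(ext)
        if current is None:
            plan.create.append({"external_id": ext, **desired})   # no binding: create
            continue
        changed = {f: v for f, v in desired.items() if current.get(f) != v}
        if changed:
            plan.update.append((ext, changed))                    # binding found: update
    plan.delete = [ext for ext in bound if ext not in seen]       # gone from Feishu: delete
    if len(plan.delete) > max_deletions:
        plan.aborted = True
        plan.reason = (f"{len(plan.delete)} deletions exceed the threshold of "
                       f"{max_deletions}; aborting so a mis-scoped sync cannot empty the directory")
    return plan


# Constructed sample data. "u3" shows the caveat from this step: when a Feishu user ID
# changes (u3 -> u3-new), the old account is deleted and a new one is created.
FEISHU_USERS = [
    {"user_id": "u1", "name": "Alice"},
    {"user_id": "u2", "name": "Bob Renamed"},
    {"user_id": "u3-new", "name": "Carol"},
]
IDAAS_ACCOUNTS = [
    {"external_id": "u1", "display_name": "Alice"},
    {"external_id": "u2", "display_name": "Bob"},
    {"external_id": "u3", "display_name": "Carol"},
]


def demo_accounts():
    return plan_sync(FEISHU_USERS, IDAAS_ACCOUNTS, "user_id",
                     {"name": "display_name"}, MAX_ACCOUNT_DELETIONS)


def demo_orgs_aborted():
    # Constructed: Feishu returns no departments (e.g. a mis-set Accessible Data Range)
    # while IDaaS holds 11, which is above the organization threshold.
    existing = [{"external_id": f"d{i}", "display_name": f"Dept {i}"} for i in range(11)]
    return plan_sync([], existing, "department_id", {"name": "display_name"}, MAX_ORG_DELETIONS)


if __name__ == "__main__":
    print(demo_accounts())
    print(demo_orgs_aborted())
```

The second scenario is the one the threshold exists for: a data-range or permission change that makes Feishu return an empty or partial contact list looks to the sync exactly like mass deletion, and the abort keeps that from being applied. The plan is computed before anything is written, so a reviewer can inspect the delete list when a run aborts.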

Manage the Feishu identity provider

After completing the connection, you are redirected to the IdPs menu, where you can manage the new identity provider's integrated features.