Connect to DingTalk identity provider


SASE enforces security policies based on identity. If your enterprise already uses a DingTalk identity provider to manage its organizational structure, you can integrate it with SASE, which eliminates the need to create new identities for your employees. After the integration, employees can use their existing DingTalk accounts to log in to the SASE App for work. This article describes how to connect to a DingTalk identity provider.

Limitations

You can enable a maximum of five identity providers at the same time (only one custom identity provider can be enabled at a time). If you have already enabled the maximum number of identity providers, you must first disable an existing one before you can enable another one.

Configure and enable DingTalk identity provider

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Identity Authentication > Identity Access.

  3. On the Identity synchronization tab, click Create IdP.

  4. In the Create IdP panel, select DingTalk, and then click Configure to complete the configuration in the wizard.

  5. In the Basic Configurations step, configure the following parameters.

    Parameter

    Description

    IdP Name

    Enter a name for the identity provider.

    The name must be 2 to 100 characters long and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    Description

    Enter a description for the configuration.

    This description appears as the login title in the SASE client, helping users identify the identity provider.

    IdP Status

    Configure the status for the identity source. The valid values are:

    • Enabled: The identity source is enabled after it is created.

    • Closed: The identity source is disabled after it is created.

      Important

      If you disable an identity source, end users cannot use the SASE app to access internal applications. Proceed with caution.

    CorpId

    The unique ID of your enterprise in DingTalk. Obtain this ID from the homepage of the DingTalk Open Platform.

    AppKey

    The AppKey for your application in the DingTalk Open Platform. Find the AppKey on the application's Credentials and Basic Information page on the DingTalk Open Platform.

    AppSecret

    The AppSecret for your application in the DingTalk Open Platform. Find the AppSecret on the application's Credentials and Basic Information page on the DingTalk Open Platform.

    Advanced Settings

    DingTalk Type: Select DingTalk Standard or Dedicated DingTalk.

    Event Subscription: After you configure event subscription, organizational structure changes in DingTalk are synchronized to SASE in real time. This keeps SASE security policies effective when employee details change, for example, due to organizational adjustments or employee departures.

    • AES Encryption Key

      Obtain the AES encryption key from the Event Subscription page of your application on the DingTalk Open Platform.

    • Encryption token

      Obtain the encryption token from the Event Subscription page of your application on the DingTalk Open Platform.

    Automatic Synchronization

    After you enable the Automatic Synchronization switch, the system will automatically synchronize relevant information from DingTalk based on the synchronization mode.

    If you do not enable Automatic Synchronization, you must manually synchronize the organizational structure. For more information, see View synchronization records.

    Synchronize User Information

    After you enable the Synchronize User Information switch, the system automatically synchronizes employee information from DingTalk based on the Automatic Synchronization Cycle.

    Note

    If the Automatic Synchronization feature is disabled, the Synchronize User Information function does not run.

    Automatic Synchronization Cycle

    Specify how often automatic synchronization runs. You can set an interval of every 1 to 24 hours.

    Logo

    Upload a custom logo.

    The following URLs are also provided for configuration. You can copy them from the panel.

  6. Click Connectivity Test. If the test is successful, click Next.

    Note

    If a Connection Failed message appears, verify that the server address and port are correct.

  7. In the Synchronization Settings step of the wizard, configure the synchronization scope for the organizational structure and the field mappings. Then, click OK.

    Parameter

    Description

    Organizational Structure Synchronization

    Specifies the scope for organizational structure synchronization.

    • Synchronize All: Synchronizes the entire organizational structure from DingTalk to SASE.

    • Partially Synchronize: Allows you to select specific organizational units to synchronize.

    Field Synchronization Mapping

    Maps the fields of the DingTalk organizational structure to the corresponding fields in SASE.

    Note

    If the built-in fields under Local Field After Mapping in SASE do not meet your business needs, you can click View Extended Fields in the upper-right corner of the list. In the View Extended Fields panel, you can add, edit, or delete extended fields.
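The AES Encryption Key and Encryption token entered under Event Subscription in step 5 are what let a subscriber tell a genuine DingTalk organizational-change event from a forged or replayed one, and keep the event body confidential in transit: a sender that knows the token can produce a valid signature, and a party that knows the key can read the event. SASE performs this verification on your behalf once the values are configured, so the two values must be copied exactly and treated as secrets. The following Go program is an added example, not code from the SASE console or from DingTalk's SDK; it shows the receiver-side checks any event subscriber should perform. The callback format it implements is an assumption about DingTalk's scheme (SHA-1 over the sorted token, timestamp, nonce and ciphertext; AES-256-CBC with the key decoded from the 43-character AES key plus "="; IV equal to the first 16 key bytes; plaintext laid out as 16 random bytes, a 4-byte big-endian length, the message and the CorpId, PKCS#7-padded to 32 bytes; millisecond timestamps), and all sample values and the event body are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"time"
)

// Constructed sample values; real ones come from the Event Subscription page of
// the DingTalk Open Platform. Assumption about DingTalk's format: the AES key is
// 43 base64 characters and decodes, with "=" appended, to a 32-byte AES-256 key.
const sampleAESKey = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFw"
const sampleToken = "constructed-callback-token"
const sampleCorpID = "ding_constructed_corp"

// cbcKey decodes the DingTalk AES key; the CBC IV is the first 16 bytes of it.
func cbcKey(encodingAESKey string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(encodingAESKey + "=")
	if err != nil || len(key) != 32 {
		return nil, errors.New("AES key must be 43 base64 characters decoding to 32 bytes")
	}
	return key, nil
}

// callbackSignature: SHA-1 over the lexicographically sorted token, timestamp, nonce
// and ciphertext (assumed signing rule). A valid signature proves the sender holds the token.
func callbackSignature(token, timestamp, nonce, encrypt string) string {
	parts := []string{token, timestamp, nonce, encrypt}
	sort.Strings(parts)
	return fmt.Sprintf("%x", sha1.Sum([]byte(parts[0]+parts[1]+parts[2]+parts[3])))
}

// encryptEvent mimics the sending side so the example runs offline. Assumed layout:
// 16 random bytes || 4-byte big-endian length || msg || CorpId, PKCS#7 to 32 bytes, AES-CBC.
func encryptEvent(encodingAESKey, corpID string, msg []byte) (string, error) {
	key, err := cbcKey(encodingAESKey)
	if err != nil {
		return "", err
	}
	plain := make([]byte, 20, 52+len(msg)+len(corpID))
	if _, err := rand.Read(plain[:16]); err != nil {
		return "", err
	}
	binary.BigEndian.PutUint32(plain[16:], uint32(len(msg)))
	plain = append(append(plain, msg...), corpID...)
	pad := 32 - len(plain)%32
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key) // key length already validated by cbcKey
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, key[:16]).CryptBlocks(out, plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptCallback is the subscriber-side check: authenticate with the token first (so unauthenticated
// input never reaches the decryptor), reject stale timestamps, decrypt, then confirm the CorpId.
func DecryptCallback(encodingAESKey, token, corpID, signature, timestamp, nonce, encrypt string, now time.Time, maxSkew time.Duration) ([]byte, error) {
	want := callbackSignature(token, timestamp, nonce, encrypt)
	if subtle.ConstantTimeCompare([]byte(want), []byte(signature)) != 1 {
		return nil, errors.New("signature mismatch: wrong token or tampered request")
	}
	ms, err := strconv.ParseInt(timestamp, 10, 64) // assumed millisecond timestamp
	if d := now.Sub(time.UnixMilli(ms)); err != nil || d > maxSkew || d < -maxSkew {
		return nil, errors.New("bad or stale timestamp: possible replay")
	}
	key, err := cbcKey(encodingAESKey)
	ct, derr := base64.StdEncoding.DecodeString(encrypt)
	if err != nil || derr != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad AES key, or ciphertext is not a whole number of AES blocks")
	}
	block, _ := aes.NewCipher(key)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, key[:16]).CryptBlocks(plain, ct)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > 32 || len(plain) < pad+20 || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding or plaintext too short")
	}
	plain = plain[:len(plain)-pad]
	n := int(binary.BigEndian.Uint32(plain[16:20]))
	if 20+n > len(plain) || subtle.ConstantTimeCompare(plain[20+n:], []byte(corpID)) != 1 {
		return nil, errors.New("bad length or CorpId mismatch: event is not for this tenant")
	}
	return plain[20 : 20+n], nil
}

func main() {
	enc, _ := encryptEvent(sampleAESKey, sampleCorpID, []byte(`{"EventType":"user_leave_org"}`)) // constructed event
	ts := strconv.FormatInt(time.Now().UnixMilli(), 10)
	sig := callbackSignature(sampleToken, ts, "nonce-1", enc)
	msg, err := DecryptCallback(sampleAESKey, sampleToken, sampleCorpID, sig, ts, "nonce-1", enc, time.Now(), 5*time.Minute)
	fmt.Printf("decrypted %q, err=%v\n", msg, err)
}
```

The order of the checks is the security-relevant design choice: the token-keyed signature is compared in constant time before any decryption, so a request that does not carry a valid token is rejected without the padding or length checks ever running, and the CorpId embedded in the plaintext is compared against the CorpId configured for this identity provider so an event belonging to another tenant cannot be applied to your organizational structure.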

View synchronization records

  1. On the Identity synchronization tab, find the identity source that you added and click Synchronize Records in the Actions column.

  2. On the Synchronize Records page, view the information synchronization records for the identity source.

  3. In the Synchronization Task section on the left, click a specific task to view its synchronization details in the list on the right.


  4. In the Actions column for a task, click Details to view the field information for the Third-party Data Source and SASE Data Source.

Manual synchronization

If you did not enable Automatic Synchronization when you configured the identity source, or if your directory structure has changed, you must synchronize the information manually. Click Create Synchronization Task and then click OK. After the synchronization task is complete, you can view the synchronization records.

Note

After the synchronization is successful, you can view the synchronized organizational structure and user information on the Identity Authentication > Identity Access > Employee Center tab. For more information, see Employee Center.

Disable automatic synchronization

Use either of the following methods:

  • On the Identity synchronization tab, find the identity source that you added and turn off the switch in the Automatic Synchronization column.

  • In the Edit IdP panel, turn off the automatic synchronization switch.

Edit DingTalk identity provider

On the Identity synchronization page, find the DingTalk identity provider and click Edit in the Actions column.

Disable DingTalk identity provider

On the Identity synchronization tab, find the DingTalk identity provider and turn off the switch in the IdP Status column.

Delete DingTalk identity provider

On the Identity synchronization page, find the DingTalk identity provider and click Delete in the Actions column.

Related topics

Best practices

Secure access for LDAP users by using SASE

Configure a custom identity provider

If your organization does not use an external identity provider, you can build your organizational structure by using the custom identity provider in SASE. For more information, see Connect to a custom identity provider.

Connect to third-party identity providers

If your organization uses LDAP, DingTalk, WeCom, Lark, or IDaaS to manage its organizational structure, you can connect your identity provider to SASE to import identity information.

Configure user groups

If you need to create user groups outside your organizational structure, see User group management.