Connect to an LDAP identity provider


SASE uses identity-driven security policies. If your organization already uses a Lightweight Directory Access Protocol (LDAP) server to manage its organizational structure, you can connect it to SASE as an identity provider. This allows you to leverage your existing identity information without creating new accounts for your users. After you connect your LDAP identity provider, users can log on to the SASE app with their existing corporate credentials. This topic describes how to connect to an LDAP identity provider.

Limitations

You can enable a maximum of five identity providers at a time, and only one can be a custom identity provider. If you reach this limit, you must disable an existing identity provider before enabling a new one.

Configure a Windows AD/OpenLDAP identity provider

  1. Log on to the SASE console.

  2. In the navigation pane on the left, choose Identity Authentication > Identity Access.

  3. On the Identity synchronization tab, click Create IdP.

  4. In the Create IdP panel, select LDAP and click Configure. Follow the instructions in the wizard to complete the configuration.

  5. In the Basic Configurations step, configure the following parameters and click Next.

    Parameter

    Description

    IdP Name

    Enter a name for the identity provider.

    The name must be 2 to 100 characters long and can contain letters, digits, hyphens (-), and underscores (_).

    Description

    Enter a description for the configuration.

    This description is displayed as the logon title in the SASE client.

    IdP Status

    Configure the status for the identity source. The valid values are:

    • Enabled: The identity source is enabled after it is created.

    • Closed: The identity source is disabled after it is created.

      Important

      If you disable an identity source, end users cannot use the SASE app to access internal applications. Proceed with caution.

    Type

    The directory type. Valid values:

    • Windows AD: The directory service for Windows Active Directory.

    • OpenLDAP: An open-source implementation of LDAP.

    Server Address

    The address of the AD or LDAP server. You can specify up to five addresses.

    Server Port Number

    The port number of the AD or LDAP server.

    Access Authentication Server from Connector

    If your LDAP authentication service is deployed in a private network, you can use a connector to establish a connection. Select an active connector instance. For more information about configuring a connector, see Use a SASE connector.

    SSL Connection

    Specifies whether to enable SSL connections to the AD or LDAP server. Valid values:

    • Yes: Encrypts data transmitted between SASE and the server.

    • No: SSL connections are not used.

    Base DN

    The base distinguished name (DN) for user authentication. SASE authenticates all user accounts under this DN, allowing them to log on to the SASE client. The Base DN must be 2 to 100 characters long.

    Note

    If users and groups are not under the same Base DN in your LDAP directory, you must specify the User Base DN and Group Base DN in the Advanced Settings section.

    Organizational Structure Synchronization

    Enter the administrator DN and password to fetch the directory structure from your identity provider.

    Note

    After this is configured, you can apply security policies based on your organizational structure. The system does not read your user information when applying security policies.

    Logon Username Attribute

    Specify the attribute used for the logon username. This standardizes the username format for all users in your organization.

    You can select a default LDAP field for the username attribute, such as cn, name, givenName, displayName, userPrincipalName, or sAMAccountName, or enter another field defined in LDAP to specify the Logon Username Attribute.

    Note

    The userPrincipalName attribute typically includes a domain suffix. If you select userPrincipalName as the Logon Username Attribute, users must enter their full UPN, including the domain suffix, at logon. For example: user@aliyundoc.com.

    Group Name Attribute

    Specify the attribute used for the group name. This standardizes the group name format within your organization.

    You can select a default LDAP field, such as cn, name, or sAMAccountName, or enter another field defined in LDAP to represent the Group Name Attribute.

    Group Mapping Attribute

    Specify the attribute that defines a user's group membership. The default value is memberOf.

    Note

    This parameter is optional. If you configure it, the value must match the Group Mapping Attribute setting in your LDAP directory.

    Group Filter

    Add a group filter expression to control which groups are synchronized. This allows you to manage access permissions for different sets of users.

    Examples of common LDAP filter syntax:

    • (&(objectClass=organizationalUnit)(objectClass=organization)): Searches for groups where the objectClass is both organizationalUnit and organization.

    • (|(objectClass=organizationalUnit)(objectClass=organization)): Searches for groups where the objectClass is either organizationalUnit or organization.

    • (!(objectClass=organizationalUnit)): Searches for groups where the objectClass is not organizationalUnit.

    For more information about LDAP filter syntax, see the official LDAP Filters documentation.

    User Filter

    Add a user filter expression to control which users are synchronized.

    Examples of common LDAP filter syntax:

    • (&(objectClass=person)(objectClass=user)): Searches for users where the objectClass is both person and user.

    • (|(objectClass=person)(objectClass=user)): Searches for users where the objectClass is either person or user.

    • (!(objectClass=person)): Searches for users where the objectClass is not person.

    For more information about LDAP filter syntax, see the official LDAP Filters documentation.

    Automatic Synchronization

    If you enable Automatic Synchronization, SASE periodically synchronizes the organizational structure from the LDAP server at the interval set in Automatic Synchronization Cycle.

    If you disable Automatic Synchronization, you must synchronize the organizational structure manually. For more information, see View synchronization records.

    Synchronize User Information

    After you enable the Synchronize User Information switch, the system automatically syncs employee information from LDAP based on the Automatic Synchronization Cycle.

    Note

    If Automatic Synchronization is disabled, user information is not synchronized even when this switch is on.

    Automatic Synchronization Cycle

    Set the interval at which SASE synchronizes data from the LDAP server. Valid values: 1 to 24 hours.

    Logo

    Upload a custom logo.

  6. In the Synchronization Settings step, configure the synchronization scope and field mappings for the organizational structure, and then click Next.

    Parameter

    Description

    Organizational Structure Synchronization

    Configure the scope for synchronizing the organizational structure.

    • Synchronize All: Synchronizes the entire LDAP organizational structure to the SASE system.

    • Partially Synchronize: Select the specific parts of the organizational structure that you want to synchronize.

    Field Synchronization Mapping

    Define the mapping between fields in your LDAP organizational structure and the corresponding fields in SASE.

    Note

    If the built-in Local Field After Mapping options in SASE do not meet your business requirements, you can click View Extended Fields in the upper-right corner of the list. In the View Extended Fields panel, you can add, edit, or delete extended fields.

  7. In the Logon Settings step, configure device logon methods as described in the following table.

    Parameter

    Description

    PC Logon Method

    Supports Logon with Account and Password and Password-free Logon.

    • For password-based logon, you can enable Two-factor Authentication. Valid values:

      • OTP-based Authentication: If enabled, you must select an OTP Mode. The following modes are supported:

        • Allow the SASE mobile client to display tokens: This uses the built-in OTP feature of SASE, which requires users to install the SASE mobile app.

        • Allow tokens from third-party apps: This supports standard OTP apps, like Google Authenticator or Microsoft Authenticator. The client's clock must be synchronized.

        • Allow company-owned tokens: To use a self-developed OTP system, contact technical support for assistance with configuration.

      • Verification Code-based Authentication: Supports verification codes sent by SMS or email. The identity provider must contain a valid mobile number or email address for each user.

    • For password-free logon, users must first download and log on to the SASE mobile app, and then scan a QR code to authenticate.

    Mobile Device Logon Method

    Supports Logon with Account and Password and Fingerprint or Face Recognition.

    • For password-based logon, you can enable Two-factor Authentication. Valid values:

      • OTP-based Authentication: Before you enable OTP-based Authentication for mobile devices, you must first enable it for PC logon and select either Allow tokens from third-party apps or Allow company-owned tokens. The mobile token configuration mirrors the PC configuration.

      • Verification Code-based Authentication: Before you enable Verification Code-based Authentication, ensure the identity provider contains a valid mobile number or email address for each user.

    • For fingerprint or face recognition, users must still enter their username and password the first time they log on to the SASE app.

  8. After you complete the configurations, click Logon Test at the bottom of the panel. After the test succeeds, click OK to save the configuration.

    Note

    If your configuration is incorrect, SASE displays an error message. If the connection test returns the message Failed To Connect To The LDAP Server. Contact The Administrator., verify that the server address and port are correct and that the server is network-accessible.
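The Group Filter and User Filter parameters in step 5 accept RFC 4515 filter syntax. The following added example (not SASE code) evaluates the page's own example filters against a small constructed directory snapshot, so you can check which entries a filter would select before you save it; the parser covers only &, |, ! and equality, which is all those examples use.

```python
# Added example: a minimal evaluator for the LDAP filter forms used by the
# Group Filter and User Filter parameters. Not SASE or vendor code.

def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at pos; return (node, end)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    op = text[pos + 1]
    if op in "&|!":                      # compound filter: AND / OR / NOT
        children, pos = [], pos + 2
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        node = (op, children)
    else:                                # simple filter: (attr=value)
        end = text.index(")", pos)
        attr, sep, value = text[pos + 1:end].partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"bad simple filter at {pos}")
        node, pos = ("=", attr.lower(), value.lower()), end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at {pos}")
    return node, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}; names and values
    compare case-insensitively, as objectClass does in LDAP."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    return values != [] if node[2] == "*" else node[2] in values

def search(filter_text, entries):
    """Return the DNs of entries the filter would select for synchronization."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [dn for dn, attrs in entries if matches(node, attrs)]

# Constructed directory snapshot, not taken from a real server.
ENTRIES = [
    ("ou=Engineering,dc=example,dc=com", {"objectClass": ["top", "organizationalUnit"]}),
    ("o=Example,dc=example,dc=com", {"objectClass": ["top", "organization"]}),
    ("cn=alice,ou=Engineering,dc=example,dc=com",
     {"objectClass": ["top", "person", "organizationalPerson", "user"]}),
    ("cn=svc-backup,ou=Engineering,dc=example,dc=com", {"objectClass": ["top", "person"]}),
]
```

Because objectClass is multi-valued, the & form selects only entries that carry both classes, so in this snapshot `(&(objectClass=organizationalUnit)(objectClass=organization))` selects nothing while the | form selects both containers.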

View synchronization records

  1. On the Identity synchronization tab, locate the identity provider and click Synchronize Records in the Actions column.

  2. On the Synchronize Records page, view the synchronization records for the identity provider.

  3. In the Synchronization Task area on the left, click a specific task to view its synchronization details in the list on the right.

    The synchronization task card on the left displays the Task ID, Synchronization Method (manual or automatic), Synchronization Status, Creation Time, End Time, Department Synchronization Count, and User Synchronization Count. The synchronization records table on the right includes columns for Synchronization Time, Action, Task Status, Type, Name, and Actions. You can filter records by type, action, and status, or search by name.

  4. Click Details in the Actions column for a specific record to view its field information from both the Third-party Data Source and the SASE Data Source.

Manual synchronization

If you did not enable Automatic Synchronization during configuration, or if your directory structure has changed, you need to synchronize the information manually. Click Create Synchronization Task and then click OK. After the task is complete, you can view the new synchronization records.

Note

After a successful synchronization, you can view the synchronized organizational structure and user information on the Identity Authentication > Identity Access > Employee Center tab. For more information, see Employee Center.

Disable automatic synchronization

You can disable automatic synchronization in either of the following ways:

  • On the Identity synchronization tab, locate the identity provider and turn off the switch in the Automatic Synchronization column.

  • In the Edit IdP panel, turn off the automatic synchronization switch.

Edit an LDAP identity provider

On the Identity synchronization tab, locate the LDAP identity provider that you want to modify and click Edit in the Actions column.

Disable an LDAP identity provider

On the Identity synchronization tab, locate the LDAP identity provider and turn off the switch in the IdP Status column.

Delete an LDAP identity provider

On the Identity synchronization tab, locate the LDAP identity provider that you want to delete and click Delete in the Actions column.

Related documents

Best practices

Secure access for LDAP users by using SASE

Configure a SASE identity provider

If your organization does not use an external identity provider, you can use the built-in custom identity provider in SASE to build your organizational structure. For more information, see Connect to a custom identity provider.

Connect to a third-party identity provider

If your organization uses an identity provider such as LDAP, DingTalk, WeCom, Lark, or IDaaS to manage its organizational structure, you can connect it to SASE.

Configure user groups

To create user groups that are separate from your main organizational structure, see User group management.