Connect IDaaS to WeCom

Updated at: 2024-12-09 10:02

This topic describes how to connect Identity as a Service (IDaaS) to WeCom and the common operations that you can perform.

Scenarios

After you connect IDaaS to WeCom, you can perform the following operations.

Category    Operation
Account     • Synchronize the non-sensitive data of WeCom contacts to IDaaS Employee Identity and Access Management (EIAM).
            • Synchronize the sensitive data of WeCom contacts, such as mobile phone numbers and email addresses, to IDaaS EIAM.
Logon       • Scan a QR code by using WeCom to log on to IDaaS EIAM or an IDaaS EIAM application.
            • Initiate single sign-on (SSO) from the WeCom web page to log on to IDaaS EIAM or an IDaaS EIAM application.

Preparations

For security reasons, WeCom verifies the domain name and the IP address from which you call its API operations for contact verification and identity authentication. If the verification succeeds, the domain name and IP address are trusted. A trusted IP address can be used by only one enterprise in WeCom. If the same IP address is used by multiple enterprises, WeCom treats it as the IP address of a service provider, and the API operations for contact verification and identity authentication become unavailable.

To meet the security requirements of WeCom, you must prepare the following items.

Verification item     Description
Trusted domain name   A dedicated domain name whose owner is the verified entity of the WeCom account. We recommend that you use a custom domain name of the IDaaS EIAM instance. For more information, see Custom domain names.
Trusted IP address    The dedicated public outbound IP address of a dedicated endpoint. At least one dedicated endpoint must be configured for the IDaaS EIAM instance so that the instance reaches WeCom from that IP address. For more information, see Configure a dedicated public outbound IP address in Endpoints.

Procedure

On the IdPs page of an IDaaS EIAM instance, click Other IdPs. In the panel that appears, click WeCom.

If no dedicated endpoint is configured for the instance, you must configure a dedicated endpoint. For more information, see Endpoints.

Step 1: Configure parameters in the Create Application Configuration step

1. Configure the following parameters in IDaaS EIAM:

  • Display Name: Enter a name that is displayed to a user when the user logs on to and uses IDaaS EIAM.

  • Enterprise ID: Copy the value of the Enterprise ID parameter from the My Enterprise page in the WeCom Management Console and paste the value in this field.

  • AgentId:

    • Go to the WeCom Management Console and create a self-managed enterprise application.

    • When you create the application, the Allowed users parameter specifies the contact data that you can access and you want to synchronize to IDaaS EIAM. You can select departments or members. You can double-check this configuration in the next step.

    • Copy the value of the AgentId parameter and paste the value in IDaaS.

  • Secret:

    • Go to the details page of the application and click View for the Secret parameter.

    • In the dialog box that appears, click Send. Then, obtain the secret in WeCom as prompted.

2. Configure the Domain Name Type parameter. This parameter determines which WeCom features are available and how the parameters in the Development Information section are populated. The following list describes the two types of domain names.

Owned domain name

  • Functionality: You can synchronize non-sensitive data and use WeCom to scan a QR code for logon.

  • Configuration: Specify a dedicated domain name as the trusted domain name. Make sure that the domain name belongs to the verified entity of the WeCom account and is not otherwise used by IDaaS EIAM workloads. The parameter values in the Development Information section, except the Trusted Domain Name parameter, are provided automatically by the system.

Custom domain name

  • Functionality: You can synchronize sensitive and non-sensitive data, use WeCom to scan a QR code for logon, and initiate SSO from the WeCom web page.

  • Configuration: Select a valid custom domain name. Make sure that the domain name belongs to the verified entity of the WeCom account. A stable, available domain name is required for the WeCom features to keep working. The parameter values in the Development Information section, except the Trusted Domain Name parameter, are generated automatically from the custom domain name that you select. For more information, see Custom domain names.

3. If you set the Domain Name Type parameter to Custom Domain Name, you must configure the following parameters in the Development Information section.

  • Trusted Domain Name:

    • Go to the details page of the application in the WeCom Management Console and click Set trusted domain name.

    • Enter a trusted domain name for the OAuth2.0-based web page authorization feature. The trusted domain name must belong to the verified entity of WeCom and cannot include the protocol or the path.

    • After you enter the trusted domain name, complete domain name ownership verification as prompted in WeCom.

  • Enterprise Trusted IP:

    • Use the dedicated public outbound IP address of an endpoint to allow the IDaaS EIAM instance to access WeCom. For more information, see Configure a dedicated public outbound IP address.

    • Select an endpoint from the Enterprise Trusted IP drop-down list and click View.

    • In the dialog box that appears, view the public IP address that the IDaaS EIAM instance can use. Then, click Copy All IP Addresses.

    • Go to the details page of the application in the WeCom Management Console and click Settings in the Company's Trusted IP section. In the dialog box that appears, paste the IP address that you copied.

    • Important

      IDaaS EIAM calls all WeCom APIs from the trusted IP address. If the trusted IP address is invalid, features such as data synchronization from WeCom and WeCom-based QR code logon stop working. WeCom does not disclose how it verifies the trusted IP address. To make sure that you can still log on to IDaaS, also enable another logon method, such as username and password authentication or SMS authentication.

  • Authorized Callback Domain:

    • Copy the value of this parameter.

    • Go to the details page of the application in the WeCom Management Console and click Set in the Log in via WeCom authorization section.

    • In the Web page section, click Set to authorize the callback domain. In the dialog box that appears, paste the value that you copied.

    • If you set the Domain Name Type parameter to Custom Domain Name, you must also specify a homepage URL for the application on the details page of the application. The homepage URL specifies the page to which you are redirected after you initiate SSO from the WeCom web page.

After you complete the configurations, click Next.

Step 2: Configure parameters in the Grant permissions step

In this step, follow the on-screen instructions to modify the Allowed users parameter. The Allowed users parameter specifies the contact data that you can access and you want to synchronize to IDaaS EIAM. You can select departments or members. Tags are not supported. When you synchronize data, the value that you specify is used as the data source node.

Step 3: Configure parameters in the Select Scenario step

In this step, configure the features that you want to use.

Features

  • Synchronization Scope: After you select an IDaaS node, WeCom contacts are imported to the node.

  • Scheduled Verification: If you turn on Scheduled Verification, IDaaS automatically synchronizes the full data on the source node of WeCom every morning.

    • In the Field Mapping step, you can map an identifier field of an IDaaS account to a field of a WeCom user, for example, the Username field of an IDaaS account to the userid field of a WeCom user. If a WeCom user matches an existing IDaaS account on this identifier, the account is updated from the WeCom user when the user changes. If no account matches, a new IDaaS account is created from the WeCom user.

    • To synchronize the latest data before the next scheduled run, manually trigger a full data synchronization.

    • IDaaS provides synchronization protection. When more than 30 accounts or more than 10 organizations need to be deleted, the synchronization task is automatically canceled to prevent data from being accidentally deleted. We recommend that you adjust the synchronization protection settings based on the size of your enterprise.

  • Sign-In with QR Code: If you turn on Sign-In with QR Code, the QR Code (WeCom) option is provided and enabled on the logon page of IDaaS. This way, users can scan a QR code by using WeCom to log on to IDaaS.

  • Logon on Web Page: If you set the Domain Name Type parameter to Custom Domain Name, this switch is automatically turned on. You can initiate SSO from the WeCom web page to IDaaS EIAM or an IDaaS application and grant permissions to synchronize sensitive data.

Note

Before you can access sensitive data, you must manually authorize the request in IDaaS EIAM. When you initiate SSO from the WeCom web page, a page appears that prompts you to complete the authorization. After the authorization is complete, the mobile phone number and email address of the WeCom account are used in the IDaaS EIAM account. If no email address of the WeCom account exists, you can specify a personal email address.

Step 4: Configure parameters in the Field Mapping step

If you already have accounts or organizations in IDaaS and you want to map them to the WeCom users or departments, or if you want to use specific fields of an IDaaS account as the fields of a WeCom user, you must configure field mappings. For example, if you want to use the display name of an IDaaS account as the name of a WeCom user, you must configure a field mapping.

Important

If the userid field in WeCom was generated automatically, it can be modified once. IDaaS uses the userid field as the primary key that identifies a user. If you modify the field, the corresponding IDaaS account is deleted and a new IDaaS account is created. Do not modify the field unless necessary.
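What a scheduled full synchronization does with the mapped identifier (Step 3), how the synchronization-protection thresholds cancel a run, and why changing the userid primary key (this step) deletes and recreates an account can be made concrete with a small reconciliation model. The following script is an added example and is not code from Alibaba Cloud IDaaS or WeCom: the plan_sync and userid_change_effect functions, the record layouts and the sample contacts are constructed assumptions; only the thresholds (more than 30 accounts or more than 10 organizations) come from the page.

```python
"""Reconciliation model of a full sync from WeCom to IDaaS EIAM.

Added example, not Alibaba Cloud IDaaS or WeCom code. WeCom users are
matched to IDaaS accounts on the mapped identifier (here IDaaS Username
<-> WeCom userid); matches are updated, misses are created, accounts and
organizations that vanished from the source node are deleted, and the
whole run is cancelled when deletions exceed the protection thresholds.
Record layouts and sample data are constructed for this example.
"""
from dataclasses import dataclass, field

# Thresholds stated on the page: more than 30 account deletions or more
# than 10 organization deletions cancel the synchronization task.
MAX_ACCOUNT_DELETES = 30
MAX_ORG_DELETES = 10


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)       # WeCom userids with no matching account
    update: list = field(default_factory=list)       # userids matched to an existing account
    delete: list = field(default_factory=list)       # IDaaS usernames no longer in WeCom
    delete_orgs: list = field(default_factory=list)  # IDaaS org ids no longer in WeCom
    cancelled: bool = False
    reason: str = ""


def plan_sync(wecom_users, wecom_depts, idaas_accounts, idaas_orgs,
              max_account_deletes=MAX_ACCOUNT_DELETES,
              max_org_deletes=MAX_ORG_DELETES):
    """Compute what a full sync would change, without applying anything.

    wecom_users:    {userid: {...}}    contacts in the Allowed users range
    wecom_depts:    {dept_id: name}    departments in that range
    idaas_accounts: {username: {...}}  accounts under the target IDaaS node
    idaas_orgs:     {org_id: name}     organizations under that node
    """
    plan = SyncPlan()
    for userid in wecom_users:
        # The mapped identifier decides the outcome: a hit is an update,
        # a miss creates a brand-new account.
        (plan.update if userid in idaas_accounts else plan.create).append(userid)
    plan.delete = [u for u in idaas_accounts if u not in wecom_users]
    plan.delete_orgs = [o for o in idaas_orgs if o not in wecom_depts]
    if len(plan.delete) > max_account_deletes or len(plan.delete_orgs) > max_org_deletes:
        plan.cancelled = True
        plan.reason = (f"synchronization protection: {len(plan.delete)} account and "
                       f"{len(plan.delete_orgs)} organization deletions exceed the limits")
    return plan


def userid_change_effect(wecom_users, idaas_accounts, old_id, new_id):
    """Show why editing a WeCom userid is destructive: the old key no longer
    matches, so the run deletes the existing account and creates another."""
    changed = dict(wecom_users)
    changed[new_id] = changed.pop(old_id)
    return plan_sync(changed, {}, idaas_accounts, {})


# Constructed sample data.
SAMPLE_WECOM_USERS = {
    "zhangsan": {"name": "Zhang San"},
    "lisi": {"name": "Li Si"},
    "wangwu": {"name": "Wang Wu"},      # new in WeCom, not yet in IDaaS
}
SAMPLE_WECOM_DEPTS = {1: "Company", 2: "R&D"}
SAMPLE_IDAAS_ACCOUNTS = {
    "zhangsan": {"display_name": "Zhang San"},
    "lisi": {"display_name": "Li Si"},
    "ghost": {"display_name": "Left the company"},   # no longer in WeCom
}
SAMPLE_IDAAS_ORGS = {1: "Company", 2: "R&D", 3: "Dissolved team"}


def demo():
    plan = plan_sync(SAMPLE_WECOM_USERS, SAMPLE_WECOM_DEPTS,
                     SAMPLE_IDAAS_ACCOUNTS, SAMPLE_IDAAS_ORGS)
    print("normal run:", plan)
    # A node whose accounts all disappeared from WeCom trips the protection.
    stale = {f"stale{i}": {} for i in range(MAX_ACCOUNT_DELETES + 1)}
    print("mass deletion cancelled:", plan_sync(SAMPLE_WECOM_USERS, {}, stale, {}).cancelled)
    print("userid change:", userid_change_effect(SAMPLE_WECOM_USERS, SAMPLE_IDAAS_ACCOUNTS,
                                                 "zhangsan", "zhang.san"))


if __name__ == "__main__":
    demo()
```

Run it once against a copy of your own account list before lowering the protection thresholds: the plan shows exactly which accounts a mass departure, a renamed source node, or an edited userid would remove.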

Manage WeCom

After you connect IDaaS to WeCom, you are redirected to the IdPs page. You can manage different features that are used to interact with identity providers (IdPs) on the IdPs page.

Usage notes

Usage notes on QR code-based logon

When you log on by scanning a QR code with WeCom, you are redirected to the address specified by the Authorized Callback Domain parameter. Therefore, if you want to scan a QR code with WeCom to log on to IDaaS EIAM or an IDaaS EIAM application, the domain name of the IDaaS EIAM logon page, the value of the Authorized Callback Domain parameter of the WeCom IdP in IDaaS, and the authorized callback domain configured in WeCom must be identical.

Therefore, if you want to log on to IDaaS EIAM by using a custom domain name, we recommend that you set the custom domain name as the default domain name, enable the automatic redirect feature, and set the authorized callback domain name in IDaaS EIAM and WeCom to the custom domain name. For more information, see Custom domain names.
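The rules from the Development Information section of Step 1 (bare trusted domain name, trusted IP taken from the endpoint's dedicated public outbound IP, callback domain copied into WeCom, homepage URL for a custom domain) and the consistency rule in the note above can be checked mechanically before the first logon attempt. The following script is an added example and is not code from Alibaba Cloud IDaaS or WeCom; the WeComIdpConfig field names, the check_config function, and the sample values (login.example.com, the documentation address 203.0.113.10) are this example's own assumptions.

```python
"""Consistency checks for a WeCom IdP configuration in IDaaS EIAM.

Added example, not Alibaba Cloud IDaaS or WeCom code. Encodes the rules
the page states: trusted domain name is a bare host (no protocol or path);
the Authorized Callback Domain in IDaaS, the callback domain set in WeCom
and the host of the IDaaS logon page are identical; every dedicated public
outbound IP of the endpoint is a public IPv4 address listed under Company's
Trusted IP in WeCom; a custom-domain setup has a homepage URL for web SSO.
Field names and sample values are this example's assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

_HOST_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_BARE_HOST_RE = re.compile(rf"^{_HOST_LABEL}(\.{_HOST_LABEL})+$")

# Ranges that cannot be a public outbound IP. Documentation ranges such as
# 203.0.113.0/24 are intentionally not excluded so the sample below passes.
_NON_PUBLIC = [ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


@dataclass
class WeComIdpConfig:
    domain_name_type: str          # "owned" or "custom"
    trusted_domain: str            # value entered under "Set trusted domain name" in WeCom
    callback_domain_idaas: str     # Authorized Callback Domain shown by IDaaS
    callback_domain_wecom: str     # callback domain pasted into WeCom web authorization settings
    logon_page_url: str            # URL users open to log on to IDaaS EIAM
    endpoint_outbound_ips: list    # dedicated public outbound IPs of the IDaaS endpoint
    wecom_trusted_ips: list        # Company's Trusted IP list in WeCom
    homepage_url: str = ""         # application homepage URL, needed for custom-domain SSO


def is_bare_host(value):
    """True for 'login.example.com'; False once a scheme, port, path or query is present."""
    return bool(value) and _BARE_HOST_RE.match(value) is not None


def is_public_ipv4(value):
    try:
        addr = ip_address(value)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in _NON_PUBLIC)


def check_config(cfg):
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    if not is_bare_host(cfg.trusted_domain):
        problems.append("trusted domain name must be a bare host without protocol, port or path")
    if cfg.callback_domain_idaas != cfg.callback_domain_wecom:
        problems.append("Authorized Callback Domain differs between IDaaS and WeCom")
    logon_host = urlsplit(cfg.logon_page_url).hostname or ""
    if logon_host != cfg.callback_domain_idaas:
        problems.append(f"logon page host {logon_host!r} is not the authorized callback domain")
    if not cfg.endpoint_outbound_ips:
        problems.append("no dedicated endpoint outbound IP configured; WeCom calls will be rejected")
    for ip in cfg.endpoint_outbound_ips:
        if not is_public_ipv4(ip):
            problems.append(f"{ip} is not a public IPv4 address")
        if ip not in cfg.wecom_trusted_ips:
            problems.append(f"{ip} is missing from Company's Trusted IP in WeCom")
    if cfg.domain_name_type == "custom" and not cfg.homepage_url:
        problems.append("custom domain name: set the application homepage URL for web-page SSO")
    return problems


# Constructed sample configurations.
GOOD = WeComIdpConfig(
    domain_name_type="custom",
    trusted_domain="login.example.com",
    callback_domain_idaas="login.example.com",
    callback_domain_wecom="login.example.com",
    logon_page_url="https://login.example.com/",
    endpoint_outbound_ips=["203.0.113.10"],
    wecom_trusted_ips=["203.0.113.10"],
    homepage_url="https://login.example.com/",
)
BAD = WeComIdpConfig(
    domain_name_type="custom",
    trusted_domain="https://login.example.com/login",   # scheme and path are not allowed
    callback_domain_idaas="login.example.com",
    callback_domain_wecom="idaas.example.com",           # mismatch: QR logon redirect fails
    logon_page_url="https://idaas.example.com/login",
    endpoint_outbound_ips=["10.0.0.5"],                  # private address, not a public outbound IP
    wecom_trusted_ips=[],
)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_config(cfg) or "OK")
```

The script cannot confirm the two checks that only WeCom performs, namely that the domain belongs to the verified entity and that the IP is not shared with another enterprise; those still need the ownership verification in WeCom and a check of your endpoint's IP allocation.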

Usage notes on sensitive data synchronization

Sensitive data requires the manual authorization described in the note in Step 3: the first time you initiate SSO from the WeCom web page, a page prompts you to complete the authorization, after which the mobile phone number and email address of the WeCom account are used in the IDaaS EIAM account.

The authorization stays valid for 30 days; if you access the WeCom application again within that period, no further authorization is required. To change the authorization of sensitive data within the 30 days, open the WeCom application that you created in Step 1 and go to its details page.

In addition to the user's authorization, the administrator must allow the data to be displayed: go to the WeCom Admin Console, click My Company in the upper-right corner, click Contacts Management in the left-side navigation pane, and check the Member Info Display section to confirm that sensitive fields such as the mobile phone number and email address are configured to be displayed. Only sensitive data that you are authorized to access and that the administrator has configured to be displayed can be synchronized to IDaaS EIAM.

Other logon methods

Important

Alibaba Cloud IDaaS makes every effort to ensure the availability of data synchronization and identity authentication for your WeCom contacts. However, due to the lack of publicly disclosed details regarding the verification methods such as trusted domain names and trusted IP address in WeCom, and the risk management policies, Alibaba Cloud cannot guarantee that you can consistently and reliably log on to IDaaS by using your WeCom account.

To mitigate the risk of being locked out of IDaaS when WeCom is unavailable, you must also enable other logon methods, such as the username and password and SMS code logon methods. If you cannot log on to IDaaS by using a WeCom account and have not enabled another logon method, you assume all liability for the resulting losses.

For more information about other logon methods, see Authentication Methods.
