Secure Access Service Edge (SASE) issues identity-driven security policies. If an enterprise uses a Lightweight Directory Access Protocol (LDAP) identity provider (IdP) to manage the organizational structure, the enterprise can connect the LDAP IdP to SASE without the need to configure identity information about the users of the enterprise. After the enterprise connects the LDAP IdP to SASE, the users of the enterprise can log on to the SASE client by using the same account system as the enterprise. This topic describes how to connect an LDAP IdP to SASE.
Limits
You can enable only one IdP or one IdP combination. An IdP combination contains multiple IdPs. If an IdP or IdP combination is enabled, you must disable the IdP or IdP combination before you can enable another IdP or IdP combination.
Configure and enable an LDAP IdP
Log on to the SASE console. In the left-side navigation pane, choose .
On the Identity Access page, click the IdP Management tab. On the tab, click Add IdP. In the Add IdP panel, set the Authentication Type parameter to Single IdP and the Enterprise IdP parameter to LDAP. Configure the following parameters for an LDAP IdP. Then, click Next.
Parameter
Description
IdP Configuration Status
Specifies whether to enable the IdP. Valid values:
Enabled: If no IdP is enabled, you can enable the created IdP.
Disabled: If another IdP is enabled, you can disable the created IdP. After you disable another IdP on the IdP Management tab, you can enable the created IdP.
Important: If you turn off IdP Configuration Status, users cannot access office applications by using the SASE client. Proceed with caution.
Type
The type of the directory service. Valid values:
Windows AD: Active Directory (AD)
OpenLDAP: LDAP
Configuration Name
The name of the AD or LDAP IdP.
The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).
Description
The description of the IdP.
The description is displayed on the SASE client as the logon title. This provides users with the IdP information when they log on to the SASE client.
Server Address
The address of the AD or LDAP server.
Server Port Number
The port number of the AD or LDAP server.
SSL Connection
Specifies whether to enable SSL connections on the AD or LDAP server. Valid values:
Yes: enables SSL connections. After you enable SSL connections, data transmitted to and from the AD or LDAP server is encrypted to ensure data security.
No: disables SSL connections.
Base DN
The base distinguished name (DN) of the user to be authenticated. If you configure this parameter, SASE authenticates all accounts of the user node. The authenticated accounts can be used to log on to the SASE client. The value of this parameter must be 2 to 100 characters in length.
Note: If the user and the group to be authenticated do not belong to the same node, you must configure the User Base DN and Group Base DN in the Advanced Settings section.
Organizational Structure Synchronization
The DN and password of the administrator that are used to obtain the organizational structure from the IdP.
Note: After the configuration is complete, you can apply security policies in batches based on the organizational structure. During this process, the system does not read your user information.
In the Attribute Configuration step, configure the parameters and click Next.
You can configure attributes and filters to manage the access permissions of enterprise users in different groups.
Parameter
Description
Logon Username Attribute
Configure the logon username attribute to specify the format of the usernames of your enterprise users. You must define this attribute in your enterprise.
You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute for the Logon Username Attribute parameter.
Note: userPrincipalName contains a domain suffix. If you select userPrincipalName for the Logon Username Attribute parameter, an enterprise user must enter the domain suffix during logon. For example: user***@aliyundoc.com.
Display User Name Attribute
Configure the display username attribute to specify the format of the usernames of your enterprise users that are displayed on the SASE client. You must define this attribute in your enterprise. The display username is the account username.
You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute for the Display User Name Attribute parameter.
Group Name Attribute
Configure the group name attribute to specify the format of the group names in your enterprise. You must define this attribute in your enterprise.
You can select one of the following default attributes: cn, name, and sAMAccountName. You can also enter another LDAP-defined attribute for the Group Name Attribute parameter.
Group Mapping Attribute
Configure the group mapping attribute to define the group to which the enterprise users belong. Default value: memberOf.
Note: This parameter is optional. If you want to configure this parameter, make sure that this parameter matches the value specified for the group mapping attribute in LDAP.
Group Filter
Specify a group filter to filter enterprise users in different groups so that you can manage the access permissions of the enterprise users by group.
Examples of common LDAP filters:
(&(objectClass=organizationalUnit)(objectClass=organization)): searches for groups whose objectClass attribute matches organizationalUnit and organization.
(|(objectClass=organizationalUnit)(objectClass=organization)): searches for groups whose objectClass attribute matches organizationalUnit or organization.
(!(objectClass=organizationalUnit)): searches for groups whose objectClass attribute does not match organizationalUnit.
For more information about LDAP matching rules, see LDAP Filters.
User Filter
Specify a user filter to search for one user or a type of users.
Examples of common LDAP filters:
(&(objectClass=person)(objectClass=user)): searches for users whose objectClass attribute matches person and user.
(|(objectClass=person)(objectClass=user)): searches for users whose objectClass attribute matches person or user.
(!(objectClass=person)): searches for users whose objectClass attribute does not match person.
For more information about LDAP matching rules, see LDAP Filters.
Email Attribute
Specify an email address attribute.
Important: The default attribute that is used to identify an email address in LDAP is email. Make sure that this attribute matches the value that is specified for the email address attribute in LDAP.
Mobile Phone Number Attribute
Specify a mobile phone number attribute.
Important: The default attribute that is used to identify a mobile phone number in LDAP is telephoneNumber. Make sure that this attribute matches the value that is specified for the mobile phone number attribute in LDAP.
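How the Group Filter and User Filter forms listed above select entries, shown as an added example that is not part of the original page and not SASE's own code: a small evaluator for the &, |, ! and equality forms, run over constructed entries. The DNs, the object classes on each entry, and the helper names parse, matches and select are assumptions made for illustration.

```python
# Added example: evaluate the page's filter forms against constructed entries.
# Supports the RFC 4515 subset used on this page: &, |, ! and attr=value (or attr=*).

def parse(f, i=0):
    """Parse one filter starting at f[i]; return (node, index after it)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, sep, value = f[i:max(end, i)].partition("=")
        if end == -1 or not sep or not attr:
            raise ValueError(f"bad comparison at offset {i}")
        node, i = ("=", attr.lower(), value.lower()), end
    if i >= len(f) or f[i] != ")":
        raise ValueError("unbalanced parentheses")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, a simplification)."""
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def select(filter_text, entries):
    """Return the DNs of the entries that the filter selects."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [dn for dn, attrs in entries.items()
            if matches(node, {k.lower(): v for k, v in attrs.items()})]

# Constructed sample entries (not from a real directory); AD computer accounts
# carry the person and user object classes as well as computer.
DIRECTORY = {
    "cn=alice,ou=staff,dc=example,dc=com": {"objectClass": ["top", "person", "user"]},
    "cn=LAPTOP01,ou=pcs,dc=example,dc=com": {"objectClass": ["top", "person", "user", "computer"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectClass": ["top", "person", "inetOrgPerson"]},
    "ou=staff,dc=example,dc=com": {"objectClass": ["top", "organizationalUnit"]},
    "o=example,dc=example,dc=com": {"objectClass": ["top", "organization"]},
}
```

On this sample, the AND form of the user filter also selects the computer account, and the AND form of the group filter selects nothing because no entry carries both object classes. Adding (!(objectClass=computer)) inside the AND user filter, an assumption beyond the page's examples, narrows the result to the one person account.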
In the Logon Settings step, configure the parameters and click Logon Test.
Parameter
Description
PC Logon Method
Valid values: Logon with Account and Password and Password-free Logon.
If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:
OTP-based Authentication: If you select OTP-based Authentication, you must select at least one one-time password (OTP) mode. The following modes are supported:
Allow Tokens on SASE Mobile Client: The built-in OTPs of SASE are used. Users must install the SASE mobile client.
Allow Tokens on Third-party Applications: Make sure that clock synchronization on your OTP app works as expected. Common OTP apps, such as Alibaba Cloud App, are supported.
Allow Enterprise-owned Tokens: If you want to use the self-managed OTPs of your enterprise, contact technical support to perform the required configuration.
Verification Code-based Authentication: If you select Verification Code-based Authentication, make sure that each user in the IdP has a mobile phone number.
If you select Password-free Logon, users must download and log on to the SASE mobile client and scan the quick response (QR) code for authentication.
Mobile Device Logon Method
Valid values: Logon with Account and Password and Fingerprint or Face Recognition.
If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:
OTP-based Authentication: Before you can select OTP-based Authentication, you must select Allow Tokens on Third-party Applications or Allow Enterprise-owned Tokens for the OTP Mode parameter in the PC Logon Method section. Make sure that the OTP configurations for the SASE mobile client are the same as the OTP configurations for the SASE desktop client.
Verification Code-based Authentication: If you select Verification Code-based Authentication, make sure that each user in the IdP has a mobile phone number or email.
If you select Fingerprint or Face Recognition, users must enter the usernames and passwords when they log on to the SASE mobile client for the first time.
Note: If the configurations are invalid, SASE displays the corresponding error. After you click Logon Test, the "Failed to connect to the LDAP server. Contact the administrator" message may be displayed. In this case, check whether the server address and port number are valid and whether the network is connected.
After the test succeeds, click OK.
Disable an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and turn off the switch in the Status column.
View the information about an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and click Details in the Actions column.
Delete an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and click Delete in the Actions column.
Modify the information about an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and click Edit in the Actions column.
References
Configure a SASE IdP
If your enterprise does not use a third-party IdP, you can establish an organizational structure by using a custom IdP provided by SASE. For more information, see Configure a SASE IdP.
Connect a third-party IdP
If your enterprise uses one of the following IdPs to manage the organizational structure of the enterprise, you can connect the IdP to SASE: LDAP, DingTalk, WeCom, Lark, and Identity as a Service (IDaaS).
Configure an IdP combination
If your enterprise wants to use multiple IdPs to manage its organizational structure, you can configure an IdP combination by using SASE. For more information, see Configure an IdP combination.
Configure a user group
For more information, see Configure a user group.