Secure Access Service Edge (SASE) issues identity-driven security policies. If an enterprise uses a Lightweight Directory Access Protocol (LDAP) identity provider (IdP) to manage the organizational structure, the enterprise can connect the LDAP IdP to SASE without the need to configure identity information about the users of the enterprise. After the enterprise connects the LDAP IdP to SASE, the users of the enterprise can log on to the SASE client by using the same account system as the enterprise. This topic describes how to connect an LDAP IdP to SASE.
Limits
You can enable only one IdP or one IdP combination. An IdP combination contains multiple IdPs. If an IdP or IdP combination is enabled, you must disable the IdP or IdP combination before you can enable another IdP or IdP combination.
Configure and enable a Windows AD or OpenLDAP IdP
Log on to the SASE console. In the left-side navigation pane, choose .
On the Identity Access page, click the IdP Management tab. On the tab, click Add IdP. In the Add IdP panel, set the Authentication Type parameter to Single IdP and the Enterprise IdP parameter to LDAP. Configure the following parameters for an LDAP IdP. Then, click Next.
Parameter
Description
IdP Configuration Status
Specifies whether to enable the IdP. Valid values:
Enabled: If no IdP is enabled, you can enable the created IdP.
Disabled: If another IdP is enabled, you can disable the created IdP. After you disable another IdP on the IdP Management tab, you can enable the created IdP.
ImportantIf you turn off IdP Configuration Status, users cannot access office applications by using the SASE client. Proceed with caution.
Type
The type of the directory service. Valid values:
Windows AD
OpenLDAP
Configuration Name
The name of the Active Directory (AD) or OpenLDAP IdP.
The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).
Description
The description of the IdP.
The description is displayed on the SASE client as the logon title. This provides users with the IdP information when they log on to the SASE client.
Server Address
The address of the AD or OpenLDAP server.
Server Port Number
The port number of the AD or OpenLDAP server.
Access Authentication Server from Connector
If LDAP authentication is used for your internal network, you can connect to the LDAP authentication server from a connector. You must select a connector for which network connections are enabled. For more information about how to configure a connector, see Use a SASE connector.
SSL Connection
Specifies whether to enable SSL connections on the AD or OpenLDAP server. Valid values:
Yes: enables SSL connections. After you enable SSL connections, data on the AD or OpenLDAP server is encrypted for transmission to ensure data security.
No: disables SSL connections.
Base DN
The base distinguished name (DN) of the user to be authenticated. If you configure this parameter, SASE authenticates all accounts of the user node. The authenticated accounts can be used to log on to the SASE client. The value of this parameter must be 2 to 100 characters in length.
NoteIf the user and the group to be authenticated do not belong to the same node, you must configure the User Base DN and Group Base DN in the Advanced Settings section.
Organizational Structure Synchronization
The DN and password of the administrator that are used to obtain the organizational structure from the IdP.
NoteAfter the configuration is complete, you can apply security policies in batches based on the organizational structure. During this process, the system does not read your user information.
In the Attribute Configuration step, configure the parameters and click Next.
You can configure attributes and filters to manage the access permissions of enterprise users in different groups.
Parameter
Description
Logon Username Attribute
Configure the logon username attribute to specify the format of the usernames of your enterprise users. You must define this attribute in your enterprise.
You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute for the Logon Username Attribute parameter.
NoteuserPrincipalName is a domain suffix. If you select userPrincipalName for the Logon Username Attribute parameter, an enterprise user must enter its domain suffix during logon. Example: user***@aliyundoc.com.
Display User Name Attribute
Configure the display username attribute to specify the format of the usernames of your enterprise users that are displayed on the SASE client. You must define this attribute in your enterprise. The display username is the account username.
You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute for the Display User Name Attribute parameter.
Group Name Attribute
Configure the group name attribute to specify the format of the group names in your enterprise. You must define this attribute in your enterprise.
You can select one of the following default username attributes: cn, name, and sAMAccountName. You can also enter another LDAP-defined attribute for the Group Name Attribute parameter.
Group Mapping Attribute
Configure the group mapping attribute to define the group to which the enterprise users belong. Default value: memberOf.
NoteThis parameter is optional. If you want to configure this parameter, make sure that this parameter matches the value specified for the group mapping attribute in LDAP.
Group Filter
Specify a group filter to filter enterprise users in different groups so that you can manage the access permissions of the enterprise users by group.
Examples of common LDAP filters:
(&(objectClass=organizationalUnit)(objectClass=organization)): searches for groups whose objectClass attribute matches organizationalUnit and organization.
(|(objectClass=organizationalUnit)(objectClass=organization)): searches for groups whose objectClass attribute matches organizationalUnit or organization.
(!(objectClass=organizationalUnit)): searches for groups whose objectClass attribute does not match organizationalUnit.
For more information about LDAP matching rules, see LDAP Filters.
User Filter
Specify a user filter to search for one user or a type of users.
Examples of common LDAP filters:
(&(objectClass=person)(objectClass=user)): searches for users whose objectClass attribute matches person and user.
(|(objectClass=person)(objectClass=user)): searches for users whose objectClass attribute matches person or user.
(!(objectClass=person)): searches for users whose objectClass attribute does not match person.
For more information about LDAP matching rules, see LDAP Filters.
Email Attribute
Specify an email address attribute.
ImportantThe default attribute that is used to identify an email address in LDAP is email. Make sure that this attribute matches the value that is specified for the email address attribute in LDAP.
Mobile Phone Number Attribute
Specify a mobile phone number attribute.
ImportantThe default attribute that is used to identify a mobile phone number in LDAP is telephoneNumber. Make sure that this attribute matches the value that is specified for the mobile phone number attribute in LDAP.
In the Logon Settings step, configure the parameters and click Logon Test.
Parameter
Description
PC Logon Method
Valid values: Logon with Account and Password and Password-free Logon.
If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:
OTP-based Authentication: If you select OTP-based Authentication, you must select at least one one-time password (OTP) mode. The following modes are supported:
Allow Tokens on SASE Mobile Client: The built-in OTPs of SASE are used. Users must install the SASE mobile client.
Allow Tokens on Third-party Applications: Make sure that clock synchronization on your OTP app works as expected. Common OTP apps, such as Alibaba Cloud App, are supported.
Allow Enterprise-owned Tokens: If you want to use the self-managed OTPs of your enterprise, contact technical support to perform the required configuration.
Verification Code-based Authentication: If you select Verification Code-based Authentication, make sure that each user in the IdP has a mobile phone number.
If you select Password-free Logon, users must download and log on to the SASE mobile client and scan the quick response (QR) code for authentication.
Mobile Device Logon Method
Valid values: Logon with Account and Password and Fingerprint or Face Recognition.
If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:
OTP-based Authentication: Before you can select OTP-based Authentication, you must select Allow Tokens on Third-party Applications or Allow Enterprise-owned Tokens for the OTP Mode parameter in the PC Logon Method section. Make sure that the OTP configurations for the SASE mobile client are the same as the OTP configurations for the SASE desktop client.
Verification Code-based Authentication: If you select Verification Code-based Authentication, make sure that each user in the IdP has a mobile phone number or email address.
If you select Fingerprint or Face Recognition, users must enter the usernames and passwords when they log on to the SASE mobile client for the first time.
NoteIf the configurations are invalid, SASE displays the corresponding error. After you click Logon Test, the Failed to connect to the LDAP server. Contact the administrator message may be displayed. In this case, check whether the server address and port number are valid and whether the network is connected.
After the test succeeds, click OK.
Disable an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and turn off the switch in the Status column.
View the information about an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and click Details in the Actions column.
Delete an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and click Delete in the Actions column.
Modify the information about an LDAP IdP
On the IdP Management tab, find the LDAP IdP that you want to manage and click Edit in the Actions column.
References
Configure a SASE IdP
If your enterprise does not use a third-party IdP, you can establish an organizational structure by using a custom IdP provided by SASE. For more information, see Configure a SASE IdP.
Connect a third-party IdP
If your enterprise uses one of the following IdPs to manage the organizational structure of the enterprise, you can connect the IdP to SASE: LDAP, DingTalk, WeCom, Lark, and Identity as a Service (IDaaS).
Configure an IdP combination
If your enterprise wants to use multiple IdPs to manage its organizational structure, you can configure an IdP combination by using SASE. For more information, see Configure an IdP combination.
Configure a user group
For more information, see Configure a user group.