If your enterprise does not use any third-party identity provider (IdP) to manage the organizational structure of the enterprise, you can create an organizational structure by using a custom Secure Access Service Edge (SASE) IdP to ensure that the identities of the users of the SASE client are valid. This improves the security of the office environment. This topic describes how to configure a custom SASE IdP.
Limits
You can enable only one IdP or one IdP combination. An IdP combination contains multiple IdPs. If an IdP or IdP combination is enabled, you must disable the IdP or IdP combination before you can enable another IdP or IdP combination.
Configure a custom IdP
Step 1: Create a custom IdP
After you activate SASE, a custom IdP is automatically generated. If a custom IdP already exists, skip this step.
Log on to the SASE console.
In the left-side navigation pane, choose .
Create a custom IdP.
On the Identity Access page, click the IdP Management tab. On the tab, click Add IdP. In the Add panel, set the Authentication Type parameter to Single IdP and select Custom IdP from the Enterprise IdP drop-down list. Then, configure the parameters to create a custom IdP and click OK. The following table describes the parameters.
Parameter
Description
Configuration Name
The name of the custom IdP.
The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).
Description
The description of the IdP.
The description is displayed on the SASE client as the logon title. This provides users with the IdP information when they log on to the SASE client.
PC Logon Method
Valid values: Logon with Account and Password and Password-free Logon.
If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:
OTP-based Authentication: If you select OTP-based Authentication, you must select at least one one-time password (OTP) mode. The following modes are supported:
Allow Tokens on SASE Mobile Client: The built-in OTPs of SASE are used. Users must install the SASE mobile client.
Allow Tokens on Third-party Applications: Common OTP apps, such as Alibaba Cloud App, are supported. These apps generate time-based codes, so the clock of the device that runs the OTP app must be synchronized; a device whose clock has drifted produces codes that are rejected even though the enrolled secret is correct.
Allow Enterprise-owned Tokens: If you want to use the self-managed OTPs of your enterprise, contact technical support to perform the required configuration.
Verification Code-based Authentication: If you select Verification Code-based Authentication, you must select at least one of the Text Message Verification or Email Verification options. Make sure that each user in the IdP has a mobile phone number or email address.
If you select Password-free Logon, users must download and log on to the SASE mobile client and scan the quick response (QR) code for authentication.
Mobile Device Logon Method
Valid values: Logon with Account and Password and Fingerprint or Face Recognition.
If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:
OTP-based Authentication: Before you can select OTP-based Authentication, you must select Allow Tokens on Third-party Applications or Allow Enterprise-owned Tokens for the OTP Mode parameter in the PC Logon Method section. Make sure that the OTP configurations for the SASE mobile client are the same as the OTP configurations for the SASE desktop client.
Verification Code-based Authentication: If you select Verification Code-based Authentication, make sure that each user in the IdP has a mobile phone number or email.
If you select Fingerprint or Face Recognition, users must enter the usernames and passwords when they log on to the SASE mobile client for the first time.
IdP Configuration Status
Specifies whether to enable the IdP. Valid values:
Enabled: You can enable the created IdP only if no other IdP or IdP combination is currently enabled.
Disabled: If another IdP is already enabled, the created IdP must remain disabled. After you disable the other IdP on the IdP Management tab, you can enable the created IdP.
Important: If you turn off IdP Configuration Status, users of this IdP cannot access office applications by using the SASE client. Proceed with caution.
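The clock-synchronization caveat for third-party OTP apps comes from how time-based OTPs work: the app and the verifier each derive a counter from the current Unix time, so a drifting client clock lands in a different time step. The following is an added example of generic RFC 4226/6238 verification logic written for this page; it is not SASE's implementation and says nothing about how SASE or an enterprise-owned token service validates codes. The secret, timestamps and clock skews are constructed, and the one-step acceptance window is an assumption chosen to show the effect.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed enrollment secret in the base32 form OTP apps accept; not a real credential.
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
STEP = 30        # RFC 6238 default time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, step: int = STEP):
    """Check `code` against the current time step and `window` steps on either side.

    Returns the step offset that matched (0 = client clock in sync) or None if
    the code is rejected. The in-sync step is tried first and the comparison is
    constant-time so the check does not leak which candidate matched.
    """
    for delta in sorted(range(-window, window + 1), key=abs):
        if hmac.compare_digest(totp(secret, now + delta * step, step), code):
            return delta
    return None


def skew_outcomes(secret: bytes, now: int, skews=(0, -45, -300), window: int = 1):
    """For each client clock skew in seconds, report whether a verifier with the
    given window accepts the code that a client with that skew generates at `now`."""
    results = {}
    for skew in skews:
        client_code = totp(secret, now + skew)          # what the drifting app shows
        results[skew] = verify_totp(secret, client_code, now, window)
    return results


if __name__ == "__main__":
    now = int(time.time())
    for skew, outcome in skew_outcomes(SECRET, now).items():
        state = "rejected" if outcome is None else f"accepted (step offset {outcome})"
        print(f"client clock off by {skew:+d}s: {state}")
```

A client that is five minutes slow is always rejected with a one-step window; a client that is 45 seconds slow is accepted or rejected depending on where in the 30-second step the check happens, which is exactly the intermittent "my code does not work" symptom that unsynchronized clocks produce. Fixing the clock is the remedy; widening the window only trades correctness for a larger replay surface.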
Step 2: Add users
Find the custom IdP and click User Management in the Actions column.
To configure a department for the added users, click Department Management. In the Department Management dialog box, click Create Department and enter a department name.
In the User Management panel, click Add User.
The parameters that you need to configure include Username, Department, Email Address, and Mobile Phone Number. The Username and Email Address parameters are required; the email address is where the initial logon credentials are sent.
You can use one of the following methods to add users:
Manually Add
You must specify user information for each user one by one.
Import from Excel
You can download the template, specify user information for all users, and then upload the template to add the users at a time.
After users are added, SASE sends the username and password of each user to the specified email address. The username and password are used to log on to the SASE client. Because the mailbox is the delivery channel for the initial credentials, enter only an address that the user alone can read, and instruct users to keep the username and password confidential.
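Bulk import fails at the worst moment if the sheet is inconsistent, and the two-factor options above assume every user has the contact attribute the chosen verification method uses (a mobile phone number for Text Message Verification, an email address for Email Verification). The following added example is a pre-import check written for this page, not a SASE tool: it reads the user list as CSV (the real template is an Excel sheet, so save it as CSV or adapt the reader) using the column names from this step, enforces the required Username and Email Address fields, flags duplicate usernames, unknown departments and malformed contact details, and optionally requires a phone number when Text Message Verification is in use. The sample rows, department list and phone-number pattern are constructed assumptions.

```python
import csv
import io
import re

REQUIRED_COLUMNS = ("Username", "Email Address")      # required fields from Step 2
ALL_COLUMNS = ("Username", "Department", "Email Address", "Mobile Phone Number")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{6,15}$")               # assumption: digits, optional leading +

# Constructed sample; not data from the page. Row 1 is the header.
SAMPLE_CSV = """Username,Department,Email Address,Mobile Phone Number
alice,Engineering,alice@example.com,+8613800000001
bob,Engineering,,+8613800000002
carol,Marketing,carol@example.com,
alice,Sales,alice2@example.com,
dave,Finance,not-an-email,13800000004
"""
# Departments assumed to already exist in Department Management.
DEPARTMENTS = {"Engineering", "Marketing", "Sales"}


def validate_users(csv_text, departments, sms_verification=False):
    """Return (valid_rows, problems).

    problems is a list of (row_number, message). An email address is always
    required, so Email Verification is covered by the required-field check;
    sms_verification=True additionally requires a phone number on every user.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [(1, f"missing required column(s): {', '.join(missing)}")]

    valid, problems, seen = [], [], set()
    for row_no, raw in enumerate(reader, start=2):
        row = {c: (raw.get(c) or "").strip() for c in ALL_COLUMNS}
        before = len(problems)

        if not row["Username"]:
            problems.append((row_no, "Username is required"))
        elif row["Username"].lower() in seen:
            problems.append((row_no, f"duplicate Username {row['Username']!r}"))
        else:
            seen.add(row["Username"].lower())

        if not row["Email Address"]:
            problems.append((row_no, "Email Address is required (initial credentials are mailed to it)"))
        elif not EMAIL_RE.match(row["Email Address"]):
            problems.append((row_no, f"invalid Email Address {row['Email Address']!r}"))

        phone = row["Mobile Phone Number"]
        if phone and not PHONE_RE.match(phone):
            problems.append((row_no, f"invalid Mobile Phone Number {phone!r}"))
        elif sms_verification and not phone:
            problems.append((row_no, "Mobile Phone Number is required for Text Message Verification"))

        if row["Department"] and row["Department"] not in departments:
            problems.append((row_no, f"unknown Department {row['Department']!r}; create it first"))

        if len(problems) == before:
            valid.append(row)
    return valid, problems


if __name__ == "__main__":
    ok, issues = validate_users(SAMPLE_CSV, DEPARTMENTS, sms_verification=True)
    for row_no, message in issues:
        print(f"row {row_no}: {message}")
    print(f"{len(ok)} row(s) ready to import")
```

Run it against the exported sheet before uploading; fix every reported row rather than importing the clean subset, because a duplicate username or a missing email address means that user never receives working credentials.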
Delete a user
You can delete a user who has left the enterprise in the User Management panel of the custom IdP. Do this as part of offboarding so that the account can no longer be used to log on to the SASE client.
Modify the information about a user
If the department of a user changes and the user information needs to be modified, you can click the icon in the User Management panel to modify the information.
FAQ
What do I do if a user of a custom IdP forgets their password?
If a user forgets their password, the user can use the forgot password feature to reset the password. The user can also report the issue to the enterprise administrator, who can reset the password for the user in the User Management panel of the custom IdP.
References
Connect a third-party IdP
If your enterprise uses one of the following IdPs to manage the organizational structure of the enterprise, you can connect the IdP to SASE: Lightweight Directory Access Protocol (LDAP), DingTalk, WeCom, Lark, and Identity as a Service (IDaaS).
Configure an IdP combination
If your enterprise wants to use multiple IdPs to manage its organizational structure, you can configure an IdP combination by using SASE. For more information, see Configure an IdP combination.
Configure a user group
For more information, see Configure a user group.