
Secure Access Service Edge: Connect a DingTalk IdP to SASE

Last Updated: Nov 22, 2024

Secure Access Service Edge (SASE) issues identity-driven security policies. If your enterprise uses a DingTalk identity provider (IdP) to manage its organizational structure, you can connect the DingTalk IdP to SASE instead of manually configuring identity information for each user. After the connection is established, users log on to the SASE client with the same accounts that they use in DingTalk. This topic describes how to connect a DingTalk IdP to SASE.

Limits

You can enable only one IdP or one IdP combination at a time. An IdP combination contains multiple IdPs. If an IdP or IdP combination is already enabled, you must disable it before you can enable another one.

Configure and enable a DingTalk IdP

  1. Log on to the SASE console. In the left-side navigation pane, choose Identity Authentication and Management > Identity Access.

  2. On the IdP Management page, click the IdP Management tab. On the tab, click Add IdP. In the Add IdP panel, set the Authentication Type parameter to Single IdP and select DingTalk from the Enterprise IdP drop-down list. Configure the following parameters and then click Connectivity Test.

    Parameter

    Description

    Configuration Name

    The name of the DingTalk IdP.

    The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

    Description

    The description of the IdP.

    The description is displayed on the SASE client as the logon title, so that users can tell which IdP they are logging on with.

    DingTalk Configuration

    • CorpId: the ID of the enterprise in DingTalk. Each enterprise has a unique enterprise ID.

      You can obtain the enterprise ID from the homepage of DingTalk Open Platform.

    • AppKey: the key of the application that is created on DingTalk Open Platform.

      You can obtain the AppKey of the application from the credentials and basic information page of the application on DingTalk Open Platform.

    • AppSecret: the secret of the application that is created on DingTalk Open Platform.

      You can obtain the AppSecret of the application from the credentials and basic information page of the application on DingTalk Open Platform.

      Treat the AppSecret as a credential: anyone who holds it together with the AppKey can call the DingTalk API as this application. Enter it only in the SASE console, and regenerate it if it is ever exposed.

    Advanced Settings

    DingTalk Type: Select DingTalk Standard or Dedicated DingTalk.

    Organizational Structure Synchronization: Select All Departments or Specific Departments.

    Note

    If you select Specific Departments, you must specify the IDs of the departments. You can add multiple departments.

    Event Subscription: After you configure event subscription, DingTalk pushes organizational structure changes to SASE as they occur. This keeps SASE security policies current when departments are reorganized or users leave the enterprise, so that a departed user loses access promptly rather than at the next full synchronization.

    • AES Encryption Key

      You can obtain the Advanced Encryption Standard (AES) encryption key from the event subscription page of the application that is created on DingTalk Open Platform.

    • Encryption Token

      You can obtain the encryption token from the event subscription page of the application that is created on DingTalk Open Platform.

    • Request URL: the URL at which SASE receives DingTalk events. Copy it into the subscription management configuration of the application on DingTalk Open Platform.

      The subscribed events include Address Book User Added, Address Book User Changed, Address Book User Resignation, Address Book Enterprise Department Created, Address Book Enterprise Department Modified, and Address Book Enterprise Department Deleted.

    Application Homepage URL

    The value is fixed as https://login.aliyuncsas.com/ui/dingAuth/.

    The value is used to configure the homepage address of the application that is created on DingTalk Open Platform.

    Callback Domain Name

    The value is fixed as https://login.aliyuncsas.com/open-dev/dingtalk.

    The value is used to configure the callback domain name on DingTalk Open Platform.

    IdP Configuration Status

    Specifies whether to enable the IdP. Valid values:

    • Enabled: If no IdP is enabled, you can enable the created IdP.

    • Disabled: If another IdP is already enabled, the created IdP stays disabled. Disable the other IdP on the IdP Management tab, and then enable the created IdP.

      Important

      If you turn off IdP Configuration Status, users cannot access office applications by using the SASE client. Proceed with caution.

    Note

    If the Connection Failed message appears, check whether the CorpId, AppKey, and AppSecret match the values shown on DingTalk Open Platform and whether the selected DingTalk Type matches your DingTalk edition.

  3. After the connectivity test succeeds, click OK.
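The Event Subscription values in step 2 (the AES Encryption Key, the Encryption Token, and the CorpId) are what the endpoint behind the Request URL uses to authenticate and decrypt every callback DingTalk sends. The following Go program is an added example, not part of this page and not SASE code; it implements the receiving side following DingTalk's published callback encryption format (a SHA-1 signature over the sorted token, timestamp, nonce and ciphertext; AES-256-CBC with the first 16 key bytes as IV over random(16) || 4-byte length || message || CorpId, PKCS#7-padded to 32 bytes), which is what any Request URL endpoint has to do before it trusts an event. The token, key, CorpId and event payload are constructed for the example, and the parameter names signature, timestamp, nonce and encrypt are assumptions about how the callback is transported.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// CallbackCrypto holds the Encryption Token, the AES Encryption Key (decoded to 32 bytes) and the CorpId.
type CallbackCrypto struct {
	token  string
	aesKey []byte
	corpID string
}

// NewCallbackCrypto validates the 43-character key: with "=" appended it must base64-decode to 32 bytes.
func NewCallbackCrypto(token, encodingAESKey, corpID string) (*CallbackCrypto, error) {
	key, err := base64.StdEncoding.DecodeString(encodingAESKey + "=")
	if len(encodingAESKey) != 43 || err != nil || len(key) != 32 {
		return nil, errors.New("AES encryption key must be 43 characters that decode to a 32-byte key")
	}
	return &CallbackCrypto{token: token, aesKey: key, corpID: corpID}, nil
}

// Signature is SHA-1 over token, timestamp, nonce and ciphertext, sorted then joined; the token never travels on the wire.
func (c *CallbackCrypto) Signature(timestamp, nonce, encrypt string) string {
	parts := []string{c.token, timestamp, nonce, encrypt}
	sort.Strings(parts)
	sum := sha1.Sum([]byte(strings.Join(parts, "")))
	return hex.EncodeToString(sum[:])
}

// Encrypt packs random(16) || len(msg) as 4-byte big-endian || msg || corpId, PKCS#7-pads to 32 bytes, AES-256-CBC with IV = key[:16].
func (c *CallbackCrypto) Encrypt(msg string) (string, error) {
	random := make([]byte, 16)
	if _, err := rand.Read(random); err != nil {
		return "", err
	}
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(msg)))
	data := append(append(append(random, n[:]...), msg...), c.corpID...)
	pad := 32 - len(data)%32
	data = append(data, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(c.aesKey) // key length was validated in NewCallbackCrypto
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, c.aesKey[:16]).CryptBlocks(out, data)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt reverses Encrypt and rejects messages whose trailing CorpId is not ours.
func (c *CallbackCrypto) Decrypt(encrypt string) (string, error) {
	data, err := base64.StdEncoding.DecodeString(encrypt)
	if err != nil || len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not base64 of whole AES blocks")
	}
	block, _ := aes.NewCipher(c.aesKey)
	plain := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, c.aesKey[:16]).CryptBlocks(plain, data)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > 32 || len(plain)-pad < 20 {
		return "", errors.New("bad PKCS#7 padding or truncated plaintext")
	}
	plain = plain[:len(plain)-pad]
	msgLen := int(binary.BigEndian.Uint32(plain[16:20]))
	if 20+msgLen > len(plain) || string(plain[20+msgLen:]) != c.corpID {
		return "", errors.New("length field exceeds plaintext or CorpId mismatch")
	}
	return string(plain[20 : 20+msgLen]), nil
}

// VerifyAndDecrypt is what a Request URL handler does with the signature, timestamp and nonce parameters and the "encrypt" body field: verify first, then decrypt.
func (c *CallbackCrypto) VerifyAndDecrypt(signature, timestamp, nonce, encrypt string) (string, error) {
	want := c.Signature(timestamp, nonce, encrypt)
	if subtle.ConstantTimeCompare([]byte(signature), []byte(want)) != 1 {
		return "", errors.New("signature mismatch: wrong token or tampered request")
	}
	return c.Decrypt(encrypt)
}

func main() {
	// Constructed values; real ones are copied from DingTalk Open Platform.
	c, _ := NewCallbackCrypto("constructed-token", "0123456789abcdefghijklmnopqrstuvwxyzABCDEF0", "ding_constructed_corpid")
	enc, _ := c.Encrypt(`{"EventType":"user_leave_org","UserId":["u123"]}`) // constructed sample event
	sig := c.Signature("1700000000000", "nonce1", enc)
	fmt.Println(c.VerifyAndDecrypt(sig, "1700000000000", "nonce1", enc))
	fmt.Println(c.VerifyAndDecrypt("forged", "1700000000000", "nonce1", enc))
}
```

Two points matter for the operator rather than the implementer: the signature is checked before any decryption, so a caller who does not know the Encryption Token cannot even reach the AES code path, and the CorpId embedded in every plaintext is compared with the configured one, so a ciphertext produced for another enterprise with the same key is rejected. If the AES Encryption Key or Encryption Token entered in the SASE console differs from the values on DingTalk Open Platform, every event fails one of these checks and the organizational structure silently stops updating.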

Disable a DingTalk IdP

On the IdP Management tab, find the DingTalk IdP that you want to manage and turn off the switch in the Status column.

View the information about a DingTalk IdP

On the IdP Management tab, find the DingTalk IdP that you want to manage and click Details in the Actions column.

Delete a DingTalk IdP

On the IdP Management tab, find the DingTalk IdP that you want to manage and click Delete in the Actions column.

Modify the information about a DingTalk IdP

On the IdP Management tab, find the DingTalk IdP that you want to manage and click Edit in the Actions column.

References

Configure a SASE IdP

If your enterprise does not use a third-party IdP, you can establish an organizational structure by using a custom IdP provided by SASE. For more information, see Configure a SASE IdP.

Connect a third-party IdP

If your enterprise uses one of the following IdPs to manage the organizational structure of the enterprise, you can connect the IdP to SASE: Lightweight Directory Access Protocol (LDAP), DingTalk, WeCom, Lark, and Identity as a Service (IDaaS).

Configure an IdP combination

If your enterprise wants to use multiple IdPs to manage its organizational structure, you can configure an IdP combination by using SASE. For more information, see Configure an IdP combination.

Configure a user group

For more information, see Configure a user group.