Secure Access Service Edge (SASE) issues identity-driven security policies. If an enterprise uses an Identity as a Service (IDaaS) identity provider (IdP) to manage the organizational structure, the enterprise can connect the IDaaS IdP to SASE without the need to configure identity information about the users of the enterprise. After the enterprise connects the IDaaS IdP to SASE, the users of the enterprise can log on to the SASE client by using the same account system as the enterprise. This topic describes how to connect an IDaaS IdP to SASE.
Limits
You can enable only one IdP or one IdP combination. An IdP combination contains multiple IdPs. If an IdP or IdP combination is enabled, you must disable the IdP or IdP combination before you can enable another IdP or IdP combination.
Configure an IDaaS IdP
Log on to the SASE console. In the left-side navigation pane, choose .
On the IdP Management page, click the IdP Management tab. On the tab, click Add IdP. In the Add IdP panel, set the Authentication Type parameter to Single IdP and select IDaaS from the Enterprise IdP drop-down list. Then, configure an IDaaS IdP based on your IDaaS version. Click OK.
Parameters to configure an IdP of the IDaaS New Version type
Configuration Name: The name of the IDaaS IdP. The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).
Description: The description of the IdP. The description is displayed on the SASE client as the logon title, so that users can see which IdP they are logging on with.
SAML Metadata File: The Security Assertion Markup Language (SAML) metadata file. The file is automatically generated by IDaaS on the SSO tab when you create a SASE application.
Grant Read Permissions on Organizational Structure: Specifies whether to grant SASE the permissions to read the information about the organizational structure. Valid values:
  Yes: If you select this option, you must configure the following fields, which are used to call the IDaaS API:
    Instance ID: the ID of the IDaaS Enterprise Identity Access Management (EIAM) instance of the new version.
    Application ID: the ID of the SASE application that is added to the IDaaS EIAM instance of the new version.
    client_id: the API authentication ID, which is automatically generated by IDaaS on the General tab when you create the SASE application.
    client_secret: the API authentication secret, which is automatically generated by IDaaS on the General tab when you create the SASE application.
    Public Key Endpoint: the endpoint that is automatically generated by IDaaS on the Provisioning tab when you create the SASE application.
    URL for Receiving Synchronization Requests: Copy and paste this URL to the URL for Receiving Synchronization Requests parameter of the SASE application in the IDaaS console.
    Encryption/Decryption Key: the key that is automatically generated by IDaaS on the Provisioning tab when you create the SASE application.
    Note: After the configuration is complete, you can apply security policies in batches based on the organizational structure. During this process, the system does not read your user information.
  No: If you select this option, the permissions to read the information about the organizational structure are not granted to SASE.
IdP Configuration Status: Specifies whether to enable the IdP. Valid values:
  Enabled: If no IdP is enabled, you can enable the created IdP.
  Disabled: If another IdP is enabled, you can disable the IdP. After you disable the other IdP on the IdP Management tab, you can enable the created IdP.
  Important: If you turn off IdP Configuration Status, users cannot access office applications by using the SASE client. Proceed with caution.
Parameters to configure an IdP of the IDaaS Old Version type
Configuration Name: The name of the IDaaS IdP. The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).
Description: The description of the IdP. The description is displayed on the SASE client as the logon title, so that users can see which IdP they are logging on with.
SAML Metadata File: The SAML metadata file. The file is automatically generated by IDaaS when you create a SAML application.
Grant Read Permissions on Organizational Structure: Specifies whether to grant SASE the permissions to read the information about the organizational structure. Valid values:
  Yes: If you select this option, you must configure the API Key and API Secret fields, which are used to call the IDaaS API.
    Note: After the configuration is complete, you can apply security policies in batches based on the organizational structure. During this process, the system does not read your user information.
  No: If you select this option, the permissions to read the information about the organizational structure are not granted to SASE.
SP Entity ID: The ID of the business system entity. The value is fixed as https://saml-csas.aliyuncs.com/saml/metadata.
SP ACS URL: The URL that the business system uses to receive SAML requests. The value is fixed as https://saml-csas.aliyuncs.com/saml/acs.
IdP Configuration Status: Specifies whether to enable the IdP. Valid values:
  Enabled: If no IdP is enabled, you can enable the created IdP.
  Disabled: If another IdP is enabled, you can disable the IdP. After you disable the other IdP on the IdP Management tab, you can enable the created IdP.
  Important: If you turn off IdP Configuration Status, users cannot access office applications by using the SASE client. Proceed with caution.
Attribute Configuration: You cannot change the values of the fields in this section.
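Both parameter sets above ask you to upload the IdP SAML metadata file that IDaaS generates and to choose a Configuration Name. The following added example (not code from the SASE or IDaaS documentation) is a pre-upload sanity check: it validates the name rule the page states and inspects the metadata for the pieces SASE needs to trust the IdP (an IDPSSODescriptor, a signing certificate, and HTTPS single sign-on endpoints). The metadata document, its entityID and its hostname are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of IdP metadata; the real file is the one IDaaS generates.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.invalid/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructedPlaceholderCert==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idaas.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{2,100}$")  # Configuration Name rule from the page


def check_configuration_name(name):
    """True if the name is 2-100 letters, digits, hyphens or underscores."""
    return bool(NAME_RE.match(name))


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return ["not well-formed XML: %s" % e]
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not root.get("entityID"):
        problems.append("root must be an md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata, or not SAML metadata at all
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    # Without a signing certificate the SP cannot verify the IdP's assertions.
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no X509Certificate in any KeyDescriptor")
    sso = idp.findall("md:SingleSignOnService", NS)
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    for ep in sso:  # logon redirects must not go over plain HTTP
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            problems.append("SSO endpoint is not HTTPS: %s" % loc)
    return problems
```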
Disable an IDaaS IdP
On the IdP Management tab, find the IDaaS IdP that you want to manage and turn off the switch in the Status column.
View the information about an IDaaS IdP
On the IdP Management tab, find the IDaaS IdP that you want to manage and click Details in the Actions column.
Delete an IDaaS IdP
On the IdP Management tab, find the IDaaS IdP that you want to manage and click Delete in the Actions column.
Modify the information about an IDaaS IdP
On the IdP Management tab, find the IDaaS IdP that you want to manage and click Edit in the Actions column.
References
Configure a SASE IdP
If your enterprise does not use a third-party IdP, you can establish an organizational structure by using a custom IdP provided by SASE. For more information, see Configure a SASE IdP.
Connect a third-party IdP
If your enterprise uses one of the following IdPs to manage the organizational structure of the enterprise, you can connect the IdP to SASE: Lightweight Directory Access Protocol (LDAP), DingTalk, WeCom, Lark, and IDaaS.
Configure an IdP combination
If your enterprise wants to use multiple IdPs to manage its organizational structure, you can configure an IdP combination by using SASE. For more information, see Configure an IdP combination.
Configure a user group
For more information, see Configure a user group.