Secure Access Service Edge: Connect an LDAP IdP to SASE

Last Updated: Dec 09, 2024

Secure Access Service Edge (SASE) applies identity-based security policies. If an enterprise uses a Lightweight Directory Access Protocol (LDAP) identity provider (IdP) to manage its organizational structure, the enterprise can connect the LDAP IdP to SASE instead of configuring identity information about its users in SASE. After the LDAP IdP is connected, users can log on to the SASE client with the same accounts that they use in the enterprise. This topic describes how to connect an LDAP IdP to SASE.

Limits

You can enable only one IdP or one IdP combination at a time. An IdP combination contains multiple IdPs. If an IdP or IdP combination is already enabled, you must disable it before you can enable another one.

Configure and enable a Windows AD or OpenLDAP IdP

  1. Log on to the SASE console. In the left-side navigation pane, choose Identity Authentication and Management > Identity Access.

  2. On the Identity Access page, click the IdP Management tab. On the tab, click Add IdP. In the Add IdP panel, set the Authentication Type parameter to Single IdP and the Enterprise IdP parameter to LDAP. Configure the following parameters for an LDAP IdP. Then, click Next.

    Parameter

    Description

    IdP Configuration Status

    Specifies whether to enable the IdP. Valid values:

    • Enabled: If no other IdP is enabled, you can enable the created IdP.

    • Disabled: If another IdP is already enabled, the created IdP stays disabled. After you disable the other IdP on the IdP Management tab, you can enable the created IdP.

      Important

      If you turn off IdP Configuration Status, users cannot access office applications by using the SASE client. Proceed with caution.

    Type

    The type of the directory service. Valid values:

    • Windows AD

    • OpenLDAP

    Configuration Name

    The name of the Active Directory (AD) or OpenLDAP IdP.

    The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

    Description

    The description of the IdP.

    The description is displayed on the SASE client as the logon title. This provides users with the IdP information when they log on to the SASE client.

    Server Address

    The address of the AD or OpenLDAP server.

    Server Port Number

    The port number of the AD or OpenLDAP server.

    Access Authentication Server from Connector

    If the LDAP authentication server is located in your internal network, SASE can reach it through a connector. You must select a connector for which network connections are enabled. For more information about how to configure a connector, see Use a SASE connector.

    SSL Connection

    Specifies whether to enable SSL connections on the AD or OpenLDAP server. Valid values:

    • Yes: enables SSL connections. Data exchanged between SASE and the AD or OpenLDAP server is then encrypted in transit.

    • No: disables SSL connections. Data exchanged with the AD or OpenLDAP server, including the credentials used to bind to it, is sent unencrypted.

    Base DN

    The base distinguished name (DN) under which the users to be authenticated are located. If you configure this parameter, SASE authenticates all accounts under that node, and the authenticated accounts can be used to log on to the SASE client. The value of this parameter must be 2 to 100 characters in length.

    Note

    If the user and the group to be authenticated do not belong to the same node, you must configure the User Base DN and Group Base DN in the Advanced Settings section.

    Organizational Structure Synchronization

    The DN and password of the administrator account that SASE uses to read the organizational structure from the IdP.

    Note

    After the configuration is complete, you can apply security policies in batches based on the organizational structure. During this process, the system does not read your user information.

  3. In the Attribute Configuration step, configure the parameters and click Next.

    You can configure attributes and filters to manage the access permissions of enterprise users in different groups.

    Parameter

    Description

    Logon Username Attribute

    Configure the logon username attribute to specify the format of the usernames of your enterprise users. This attribute must be defined in your enterprise directory.

    You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute for the Logon Username Attribute parameter.

    Note

    userPrincipalName includes a domain suffix. If you select userPrincipalName for the Logon Username Attribute parameter, an enterprise user must enter the domain suffix during logon. Example: user***@aliyundoc.com.

    Display User Name Attribute

    Configure the display username attribute to specify the format of the usernames of your enterprise users that are displayed on the SASE client. This attribute must be defined in your enterprise directory. The display username is the account username.

    You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute for the Display User Name Attribute parameter.

    Group Name Attribute

    Configure the group name attribute to specify the format of the group names in your enterprise. This attribute must be defined in your enterprise directory.

    You can select one of the following default attributes: cn, name, and sAMAccountName. You can also enter another LDAP-defined attribute for the Group Name Attribute parameter.

    Group Mapping Attribute

    Configure the group mapping attribute to define the group to which the enterprise users belong. Default value: memberOf.

    Note

    This parameter is optional. If you want to configure this parameter, make sure that this parameter matches the value specified for the group mapping attribute in LDAP.

    Group Filter

    Specify a group filter to filter enterprise users in different groups so that you can manage the access permissions of the enterprise users by group.

    Examples of common LDAP filters:

    • (&(objectClass=organizationalUnit)(objectClass=organization)): searches for groups whose objectClass attribute matches both organizationalUnit and organization.

    • (|(objectClass=organizationalUnit)(objectClass=organization)): searches for groups whose objectClass attribute matches organizationalUnit or organization.

    • (!(objectClass=organizationalUnit)): searches for groups whose objectClass attribute does not match organizationalUnit.

    For more information about LDAP matching rules, see LDAP Filters.

    User Filter

    Specify a user filter to search for one user or a type of users.

    Examples of common LDAP filters:

    • (&(objectClass=person)(objectClass=user)): searches for users whose objectClass attribute matches both person and user.

    • (|(objectClass=person)(objectClass=user)): searches for users whose objectClass attribute matches person or user.

    • (!(objectClass=person)): searches for users whose objectClass attribute does not match person.

    For more information about LDAP matching rules, see LDAP Filters.

    Email Attribute

    Specify an email address attribute.

    Important

    The default attribute that is used to identify an email address in LDAP is email. Make sure that this attribute matches the value that is specified for the email address attribute in LDAP.

    Mobile Phone Number Attribute

    Specify a mobile phone number attribute.

    Important

    The default attribute that is used to identify a mobile phone number in LDAP is telephoneNumber. Make sure that this attribute matches the value that is specified for the mobile phone number attribute in LDAP.

  4. In the Logon Settings step, configure the parameters and click Logon Test.

    Parameter

    Description

    PC Logon Method

    Valid values: Logon with Account and Password and Password-free Logon.

    • If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:

      • OTP-based Authentication: If you select OTP-based Authentication, you must select at least one one-time password (OTP) mode. The following modes are supported:

        • Allow Tokens on SASE Mobile Client: The built-in OTPs of SASE are used. Users must install the SASE mobile client.

        • Allow Tokens on Third-party Applications: Make sure that clock synchronization on your OTP app works as expected. Common OTP apps, such as Alibaba Cloud App, are supported.

        • Allow Enterprise-owned Tokens: If you want to use the self-managed OTPs of your enterprise, contact technical support to perform the required configuration.

      • Verification Code-based Authentication: If you select Verification Code-based Authentication, make sure that each user in the IdP has a mobile phone number.

    • If you select Password-free Logon, users must download and log on to the SASE mobile client and scan the quick response (QR) code for authentication.

    Mobile Device Logon Method

    Valid values: Logon with Account and Password and Fingerprint or Face Recognition.

    • If you select Logon with Account and Password, you can turn on Two-factor Authentication. Valid values:

      • OTP-based Authentication: Before you can select OTP-based Authentication, you must select Allow Tokens on Third-party Applications or Allow Enterprise-owned Tokens for the OTP Mode parameter in the PC Logon Method section. Make sure that the OTP configurations for the SASE mobile client are the same as the OTP configurations for the SASE desktop client.

      • Verification Code-based Authentication: If you select Verification Code-based Authentication, make sure that each user in the IdP has a mobile phone number or email address.

    • If you select Fingerprint or Face Recognition, users must enter the usernames and passwords when they log on to the SASE mobile client for the first time.

    Note

    If the configurations are invalid, SASE displays the corresponding error. After you click Logon Test, the message "Failed to connect to the LDAP server. Contact the administrator" may be displayed. In this case, check whether the server address and port number are valid and whether the network connection to the server works.

  5. After the test succeeds, click OK.
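The filter forms listed for the Group Filter and User Filter parameters in step 3, worked through as an added example that is not part of this documentation or of the SASE product: a small Python evaluator for the and (&), or (|), not (!) and equality forms of the LDAP filter syntax (RFC 4515), plus the presence test (attribute=*), run over a constructed in-memory directory so that you can see what a candidate filter selects before you enter it in the console. Substring, comparison and extensible matching and value escaping are not implemented, and the directory entries are made-up sample data.

```python
import re

_ITEM = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")  # (attribute=value); value '*' = presence

def parse_filter(text):
    """Parse an RFC 4515 filter (&, |, !, equality, presence) into a tuple tree."""
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters at offset {end}")
    return tree

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if i + 1 < len(s) and s[i + 1] in "&|!":  # compound filter: (&...), (|...), (!...)
        op, children, j = s[i + 1], [], i + 2
        while j < len(s) and s[j] == "(":
            child, j = _parse(s, j)
            children.append(child)
        if j >= len(s) or s[j] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, children), j + 1
    if not (m := _ITEM.match(s, i)):  # simple item: (attribute=value)
        raise ValueError(f"malformed item at offset {i}")
    return ("=", m.group(1), m.group(2)), m.end()

def matches(tree, entry):
    """True if entry (dict: attribute -> list of values) satisfies the filter tree."""
    op = tree[0]
    if op in "&|":
        results = [matches(c, entry) for c in tree[1]]
        return all(results) if op == "&" else any(results)
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    # Attribute names are case-insensitive in LDAP, and so are objectClass values.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def search(filter_text, entries):
    tree = parse_filter(filter_text)  # parse once, then test every entry
    return sorted(dn for dn, attrs in entries.items() if matches(tree, attrs))

# Constructed sample directory (made-up data): two containers and two accounts.
DIRECTORY = {
    "ou=Engineering,dc=example,dc=com": {"objectClass": ["top", "organizationalUnit"]},
    "o=Example,dc=example,dc=com": {"objectClass": ["top", "organization"]},
    "cn=alice,ou=Engineering,dc=example,dc=com": {"objectClass": ["top", "person", "user"]},
    "cn=svc-backup,ou=Engineering,dc=example,dc=com": {"objectClass": ["top", "person"]},
}
```

Note that the and-form from the documentation, (&(objectClass=organizationalUnit)(objectClass=organization)), selects nothing in this directory because no single entry carries both object classes, which is the kind of result worth seeing before the filter is saved in the console.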

Disable an LDAP IdP

On the IdP Management tab, find the LDAP IdP that you want to manage and turn off the switch in the Status column.

View the information about an LDAP IdP

On the IdP Management tab, find the LDAP IdP that you want to manage and click Details in the Actions column.

Delete an LDAP IdP

On the IdP Management tab, find the LDAP IdP that you want to manage and click Delete in the Actions column.

Modify the information about an LDAP IdP

On the IdP Management tab, find the LDAP IdP that you want to manage and click Edit in the Actions column.

References

Configure a SASE IdP

If your enterprise does not use a third-party IdP, you can establish an organizational structure by using a custom IdP provided by SASE. For more information, see Configure a SASE IdP.

Connect a third-party IdP

If your enterprise uses one of the following IdPs to manage the organizational structure of the enterprise, you can connect the IdP to SASE: LDAP, DingTalk, WeCom, Lark, and Identity as a Service (IDaaS).

Configure an IdP combination

If your enterprise wants to use multiple IdPs to manage its organizational structure, you can configure an IdP combination by using SASE. For more information, see Configure an IdP combination.

Configure a user group

For more information, see Configure a user group.