
Secure Access Service Edge: Secure Lark user access with Secure Access Service Edge

Last Updated: Nov 24, 2025

Connect Secure Access Service Edge (SASE) with Lark. This allows your enterprise users to log on to SASE directly with their Lark accounts. You can then manage the access permissions of Lark users in SASE to secure your enterprise data. This topic describes how to connect SASE with Lark.

Prerequisites

SASE is enabled and the SASE client is installed. For more information, see Billing overview of Secure Access Service Edge.

Note

The information about the Lark Open Platform is for reference only. For more information, see the official Lark documentation.

Scenarios

SASE helps you manage internal network access, Internet access, and office data for your enterprise employees to meet your daily security needs. If your enterprise uses Lark to manage user information, you can connect SASE with Lark. This allows enterprise users to log on to the SASE client directly with their Lark accounts. You no longer need to maintain a separate identity management system for SASE, which reduces user information maintenance costs.

Step 1: Create a custom Lark application

Before you connect Lark with SASE, you must create a custom application on the Lark Open Platform to obtain an App ID and an App Secret. These credentials are used for identity authentication when users log on to the SASE client with their Lark accounts.

  1. Use your Lark administrator account to log on to the Feishu Open Platform.

  2. Create a custom app.

    1. On the Feishu Open Platform home page, click Create Custom App.

    2. In the Create Custom App dialog box, set the Name and Description for the Custom App and then click Create.

    3. In the navigation pane on the left, click Credentials & Basic Info. Configure the following settings and then click Save.

      • In the Credentials section, obtain the App ID and App Secret.

      • In the General info section, upload an application icon.

        Use the SASE icon as the Icon. (Figure: SASE icon)

  3. Configure security settings.

    1. Configure redirect URLs.

      Add the following redirect URLs: https://login.aliyuncsas.com/open-dev/feishu and https://login.aliyuncsas.com/ui/feishuAuth/.

      You can obtain the Redirect URL from the Identity synchronization page in the SASE console. When you add an identity source, set IdP to Lark.

    2. Configure an IP whitelist.

      Add an IP address whitelist. The Open Platform APIs accept calls only from origin requests that are sent from IP addresses in the whitelist. Requests from other sources are denied.

  4. On the Permissions & Scopes page, configure the following permissions for the custom enterprise application.

    1. Add permissions manually: Click Add permission scopes to app. Select the required Tenant token scopes and User token scopes from the following list.

      Permission                                Description
      contact:contact                           Update address book
      contact:contact.base:readonly             Read basic information of address book
      contact:department.base:readonly          Read basic information of departments
      admin:app.info:readonly                   Read basic information of applications
      contact:department.hrbp:readonly          Query department HRBP information
      contact:department.organize:readonly      Read organizational structure of address book departments
      event:ip_list                             Get egress IPs for events
      contact:user.base:readonly                Read basic information of users
      contact:user.employee_id:readonly         Read user IDs
      contact:user.department:readonly          Read user organizational structure information
      contact:user.email:readonly               Read user email information
      contact:user.phone:readonly               Read user phone numbers

    2. Batch import permissions: Click Batch import/export scopes. On the Import tab, add the required permissions using the following content, and then click Next, Review New Scopes. You can also export the configured permissions on the Export tab.

      {
          "scopes": {
              "tenant": [
                  "admin:app.info:readonly",
                  "contact:department.organize:readonly",
                  "contact:department.base:readonly",
                  "contact:user.email:readonly",
                  "contact:user.phone:readonly",
                  "contact:user.employee_id:readonly",
                  "contact:user.base:readonly",
                  "contact:user.department:readonly",
                  "contact:contact.base:readonly"
              ],
              "user": [
                  "contact:department.organize:readonly",
                  "contact:department.base:readonly",
                  "contact:user.email:readonly",
                  "contact:user.phone:readonly",
                  "contact:user.employee_id:readonly",
                  "contact:user.base:readonly",
                  "contact:user.department:readonly",
                  "contact:contact.base:readonly"
              ]
          }
      }
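
The scope list above is the whole privilege the custom app holds over your address book, so it is worth checking an exported scopes file against the intended set before review. The following script is an added example (not part of this page, and not Alibaba Cloud or Lark code): it reads a scopes document in the Batch import/export format shown above and reports scopes that are missing and scopes that were granted beyond the required set. The required set is the one from the import block above; the sample export it audits is constructed, with one tenant scope dropped and the write scope contact:contact added.

```python
"""Least-privilege audit of a Lark custom app's exported scopes.

Added example, not from the page or from Alibaba Cloud / Lark. Input format is the
{"scopes": {"tenant": [...], "user": [...]}} document that Batch import/export
produces, as shown on the page.
"""
import json

# Scopes the integration needs, copied from the page's batch-import block.
REQUIRED_SCOPES = {
    "tenant": {
        "admin:app.info:readonly",
        "contact:department.organize:readonly",
        "contact:department.base:readonly",
        "contact:user.email:readonly",
        "contact:user.phone:readonly",
        "contact:user.employee_id:readonly",
        "contact:user.base:readonly",
        "contact:user.department:readonly",
        "contact:contact.base:readonly",
    },
    "user": {
        "contact:department.organize:readonly",
        "contact:department.base:readonly",
        "contact:user.email:readonly",
        "contact:user.phone:readonly",
        "contact:user.employee_id:readonly",
        "contact:user.base:readonly",
        "contact:user.department:readonly",
        "contact:contact.base:readonly",
    },
}


def audit_scopes(exported_json: str, required=REQUIRED_SCOPES) -> dict:
    """Compare an exported scopes document with the required set.

    Returns {"tenant": {"missing": [...], "extra": [...]}, "user": {...}}.
    Raises ValueError when the document is not in the expected shape, so a
    malformed export is never silently reported as compliant.
    """
    doc = json.loads(exported_json)
    scopes = doc.get("scopes") if isinstance(doc, dict) else None
    if not isinstance(scopes, dict):
        raise ValueError("expected a top-level 'scopes' object")
    report = {}
    for token_type, needed in required.items():
        granted = scopes.get(token_type, [])
        if not isinstance(granted, list) or not all(isinstance(s, str) for s in granted):
            raise ValueError(f"'scopes.{token_type}' must be a list of strings")
        granted_set = set(granted)
        report[token_type] = {
            "missing": sorted(needed - granted_set),   # will break synchronization
            "extra": sorted(granted_set - needed),     # more privilege than required
        }
    return report


def is_least_privilege(report: dict) -> bool:
    """True only when nothing is missing and nothing is surplus."""
    return all(not r["missing"] and not r["extra"] for r in report.values())


def required_scopes_document() -> str:
    """The required set rendered in the import format (useful as a baseline file)."""
    return json.dumps({"scopes": {k: sorted(v) for k, v in REQUIRED_SCOPES.items()}}, indent=4)


# Constructed sample export: tenant side lost contact:user.phone:readonly and
# gained the write scope contact:contact; user side matches the required set.
SAMPLE_EXPORT = json.dumps({
    "scopes": {
        "tenant": sorted((REQUIRED_SCOPES["tenant"] - {"contact:user.phone:readonly"})
                         | {"contact:contact"}),
        "user": sorted(REQUIRED_SCOPES["user"]),
    }
})

if __name__ == "__main__":
    result = audit_scopes(SAMPLE_EXPORT)
    for token_type, r in result.items():
        print(f"{token_type}: missing={r['missing']} extra={r['extra']}")
    print("least privilege:", is_least_privilege(result))
```

Run it against the file produced by the Export tab; a non-empty "extra" list for either token type is the thing to question at review time, since every surplus scope is reachable with the App Secret alone.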
  5. On the Events & Callbacks page, configure subscription events for the custom enterprise application.

    1. Set Encrypt Key, Verification Token, and Request URL.

      You can obtain the request URL from the IdP Management page of the SASE console when you add an identity source and set the Enterprise IdP to Lark.

    2. Enable the following subscription events.

      The events include Department Created, Department Deleted, Department Info Changed, Employee Resigned, and Employee Info Changed. For more information about how to configure event subscriptions in Lark, see Event Subscriptions.

Step 2: Publish the custom application version and review the application

  1. Create and publish a version of the custom enterprise application.

    1. Log on to the Feishu Open Platform with your Lark administrator account.

    2. In the navigation pane on the left, click Version Management & Release.

    3. On the Version Management & Release page, click Create a Version. Set the App version, Update Notes, Features, Scope changes, and Availability as required. Then, click Save.

      Set both Default Mobile App Feature and Default PC App Feature to Webpage.

      Note

      Users outside the availability scope cannot use this identity source to log on to the SASE client.

  2. Review the application.

    1. Log on to the Lark Admin console with a Lark administrator account. In the top menu bar, choose Product Features > Admin Console.

    2. On the admin console page, click Enter Lark.

    3. On the Homepage, in the Application Management section, click Go To Review.

    4. On the Application Review page, click Review in the Actions column for the application that is pending review. Then click Approve.

      The configuration on the Lark developer platform takes about 10 minutes to take effect.

Step 3: Connect Secure Access Service Edge with Lark data

After you configure the data in Lark, connect SASE with Lark.

  1. Log on to the Secure Access Service Edge console.

  2. In the navigation pane on the left, choose Identity Authentication > Identity Access.

  3. On the Identity synchronization tab, click Create IdP.

  4. In the Create IdP panel, select Lark, and then click Configure. Follow the wizard to complete the configuration.

  5. In the Basic Configurations wizard, configure the parameters as described in the following table.

    Parameter: IdP Name
      Enter a custom name for the identity source. The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    Parameter: Description
      Enter a description for the configuration. The description is displayed as the logon title in the SASE client to help you identify the identity source.

    Parameter: IdP Status
      Configure the status for the identity source. The valid values are:

      • Enabled: The identity source is enabled after it is created.

      • Closed: The identity source is disabled after it is created.

      Important

      If you disable an identity source, end users cannot use the SASE app to access internal applications. Proceed with caution.

    Parameter: App ID
      The App ID of the custom application on the Lark platform.

    Parameter: App Secret
      The App Secret of the custom application on the Lark platform.

    Parameter: Advanced Settings > Event Subscription
      After you configure event subscriptions, changes to the organizational structure of your enterprise employees are synchronized to SASE. This ensures that SASE security policies remain effective when the organizational structure is adjusted or employees resign.

      • Encrypt Key: You can obtain this value from the Address Book Synchronization page of the target application on the Feishu Open Platform.

      • Verification Token: You can obtain this value from the Address Book Synchronization page of the target application on the Feishu Open Platform.

      • Request URL: Copy this value into the Request URL field on the Events & Callbacks page of the custom application on the Feishu Open Platform.

      Subscribed events: Department Created, Department Deleted, Department Info Changed, Employee Resigned, Employee Info Changed.

    Parameter: Redirect URL
      Static value: https://login.aliyuncsas.com/open-dev/feishu.

      Configure this value as a redirect URL under Feishu Open Platform > Developer Console > Custom App > Security Settings.

    Parameter: Automatic Synchronization
      If you enable Automatic Synchronization, the system automatically synchronizes information from Lark based on the synchronization mode.

      If you do not enable Automatic Synchronization, you must manually synchronize the organizational structure. For more information, see Connect an LDAP IdP to SASE.

    Parameter: Synchronize User Information
      If you enable Synchronize User Information, the system automatically synchronizes employee information from Lark based on the Automatic Synchronization Cycle.

      Note

      If Automatic Synchronization is disabled, Synchronize User Information does not run.

    Parameter: Automatic Synchronization Cycle
      Set the Automatic Synchronization Cycle. You can set the interval from 1 hour to 24 hours.
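
The Encrypt Key and Verification Token you enter in Step 1 item 5 and in the Event Subscription settings above are what let the callback endpoint tell a genuine Lark event (for example, Employee Resigned) from a forged or replayed one. The following receiver is an added example, not SASE's code and not Lark's SDK, that shows the checks a callback endpoint performs with those two values. The header names (X-Lark-Request-Timestamp, X-Lark-Request-Nonce, X-Lark-Signature), the signature formula SHA-256(timestamp + nonce + encrypt_key + body), and the url_verification challenge exchange follow Lark's published event-subscription scheme as I know it and are assumptions to confirm against the official Lark documentation; the token values, nonce and event names are constructed. Decryption of the {"encrypt": ...} body form (AES-256-CBC keyed by SHA-256 of the Encrypt Key) is not shown; the bodies here are the plaintext form.

```python
"""Receiver-side checks for a Lark event-subscription callback.

Added example; not SASE's code and not Lark's SDK. Header names and the signature
formula are assumptions based on Lark's published scheme. Every value below that
looks like a secret or an event name is a constructed sample.
"""
import hashlib
import hmac
import json
import time

VERIFICATION_TOKEN = "constructed-verification-token"  # constructed sample value
ENCRYPT_KEY = "constructed-encrypt-key"                # constructed sample value
MAX_SKEW_SECONDS = 300  # reject callbacks whose timestamp is older than five minutes


def compute_signature(timestamp: str, nonce: str, encrypt_key: str, body: bytes) -> str:
    """Hex SHA-256 over timestamp || nonce || encrypt_key || raw request body."""
    data = timestamp.encode() + nonce.encode() + encrypt_key.encode() + body
    return hashlib.sha256(data).hexdigest()


def _token_matches(token) -> bool:
    """Constant-time comparison against the configured Verification Token."""
    return hmac.compare_digest(str(token or "").encode(), VERIFICATION_TOKEN.encode())


def handle_callback(headers: dict, body: bytes, now=None):
    """Return (HTTP status, JSON response) for one inbound callback.

    Order matters: signature and freshness are checked on the raw body before it is
    parsed, then the Verification Token is checked before any event data is trusted.
    """
    now = time.time() if now is None else now
    try:
        ts = headers["X-Lark-Request-Timestamp"]
        nonce = headers["X-Lark-Request-Nonce"]
        sig = headers["X-Lark-Signature"]
    except KeyError:
        return 401, {"error": "missing signature headers"}
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return 401, {"error": "stale or malformed timestamp"}
    if not hmac.compare_digest(compute_signature(ts, nonce, ENCRYPT_KEY, body), sig):
        return 401, {"error": "bad signature"}
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(event, dict):
        return 400, {"error": "unexpected body shape"}

    # One-time challenge Lark sends when the Request URL is saved.
    if event.get("type") == "url_verification":
        if not _token_matches(event.get("token")):
            return 401, {"error": "verification token mismatch"}
        return 200, {"challenge": event.get("challenge", "")}

    # Schema 2.0 events carry the token inside the header object.
    header = event.get("header") or {}
    if not _token_matches(header.get("token")):
        return 401, {"error": "verification token mismatch"}
    return 200, {"accepted": header.get("event_type", "unknown")}


def make_signed_request(payload: dict, now=None, encrypt_key: str = ENCRYPT_KEY):
    """Build (headers, body) the way the sender would; used for the demo and tests."""
    body = json.dumps(payload).encode()
    ts = str(int(time.time() if now is None else now))
    nonce = "constructed-nonce"
    headers = {
        "X-Lark-Request-Timestamp": ts,
        "X-Lark-Request-Nonce": nonce,
        "X-Lark-Signature": compute_signature(ts, nonce, encrypt_key, body),
    }
    return headers, body


if __name__ == "__main__":
    now = 1700000000
    challenge = {"type": "url_verification", "token": VERIFICATION_TOKEN, "challenge": "abc"}
    hdr, raw = make_signed_request(challenge, now)
    print(handle_callback(hdr, raw, now))           # (200, {'challenge': 'abc'})
    # The same body signed with a different Encrypt Key is rejected before parsing.
    hdr, raw = make_signed_request(challenge, now, encrypt_key="wrong-key")
    print(handle_callback(hdr, raw, now))           # (401, {'error': 'bad signature'})
```

The point of the ordering is that a poster who knows neither value gets a 401 before the body is parsed, a poster who knows only the Verification Token still fails the signature, and a captured genuine request stops being accepted once its timestamp falls outside the skew window.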

  6. Click Connectivity Test. After the test is successful, click Next.

    Note

    If the Connection Failed message is displayed, verify that the information you entered is correct.

  7. In the Synchronization Settings wizard, configure the synchronization scope and field mappings for the organizational structure. Then, click Confirm.

    Parameter: Organizational Structure Synchronization
      Configure the scope for synchronizing the organizational structure.

      • Synchronize All: Synchronizes the entire organizational structure from Lark to the SASE system.

      • Partially Synchronize: Select the organizational structure to synchronize.

    Parameter: Field Synchronization Mapping
      Configure the mapping between Lark organizational structure fields and SASE synchronization fields.

      Note

      If the built-in Local Field After Mapping in the SASE system does not meet your business requirements, click View Extended Fields in the upper-right corner of the list. In the View Extended Fields panel, you can add, edit, or delete extended fields.

Step 4: Verify the connection

After the connection is established, your enterprise users can log on to SASE with their Lark accounts.

  1. Open the installed SASE app.

  2. Enter the enterprise verification ID and click OK.

    To obtain the enterprise verification ID, log on to the Secure Access Service Edge console and click Settings in the navigation pane on the left. The Enterprise Authentication Identifier is displayed on the Settings page.

  3. Enter your Lark account and password, and click Log On or Scan QR Code To Log On.

    • If the logon is successful, the connection is established.

    • If the logon fails, handle the failure based on the returned message.

      • If an error message is returned, see Generic error codes for a solution. For example, error code 40004 indicates that the application does not have the required department permissions. In this case, you must modify the application's visibility scope.

      • If a prompt message is returned that indicates you do not have application permissions, you must log on with a super administrator account and modify the application's visibility scope.