
Secure Access Service Edge: Secure Lark user access with Secure Access Service Edge

Last Updated: Mar 31, 2026

Connect Secure Access Service Edge (SASE) with Lark so your enterprise users can log on to the SASE client using their Lark accounts. SASE pulls the organizational structure from Lark and keeps it in sync — no separate identity management system required.

After this integration, you can:

  • Let employees log on to SASE with their existing Lark accounts (single sign-on, or SSO)

  • Synchronize your Lark organizational structure and user data to SASE automatically

  • Apply SASE security policies based on Lark departments and user attributes

  • Keep access current when employees resign or change departments

Prerequisites

Before you begin, ensure that you have:

The Feishu Open Platform information in this topic is for reference only. For authoritative guidance, see the official Lark documentation.

Step 1: Create a custom Lark application

Create a custom application on the Feishu Open Platform to get the App ID and App Secret that SASE uses to authenticate users.

  1. Log on to the Feishu Open Platform with your Lark administrator account.

  2. Click Create Custom App.

  3. In the Create Custom App dialog box, enter the Name and Description for the application, then click Create.

  4. In the left navigation pane, click Credentials & Basic Info, then configure the following:

    • In the Credentials section, copy the App ID and App Secret. You will enter these values in the SASE console in Step 3.

    • In the General info section, upload the SASE icon as the application icon.

  5. Configure security settings:

    • Redirect URLs: Add both of the following redirect URLs:

      • https://login.aliyuncsas.com/open-dev/feishu

      • https://login.aliyuncsas.com/ui/feishuAuth/

      You can also find these redirect URLs in the SASE console. Go to Identity Authentication > Identity Access, open the Identity synchronization tab, click Create IdP, and set IdP to Lark.

    • IP whitelist: Add an IP address whitelist. The Feishu Open Platform API accepts calls only from IP addresses in the whitelist and rejects all other requests.

  6. On the Permissions & Scopes page, grant the required permissions to the application. Choose one of the following methods:

    • Option A: Add permissions manually. Click Add permission scopes to app, then select the following scopes under Tenant token scopes and User token scopes:

      Permission                                Description
      contact:contact                           Update address book
      contact:contact.base:readonly             Read basic information of address book
      contact:department.base:readonly          Read basic information of departments
      admin:app.info:readonly                   Read basic information of applications
      contact:department.hrbp:readonly          Query department HRBP information
      contact:department.organize:readonly      Read organizational structure of address book departments
      event:ip_list                             Get egress IPs for events
      contact:user.base:readonly                Read basic information of users
      contact:user.employee_id:readonly         Read user IDs
      contact:user.department:readonly          Read user organizational structure information
      contact:user.email:readonly               Read user email information
      contact:user.phone:readonly               Read user phone numbers

    • Option B: Batch import permissions. Click Batch import/export scopes. On the Import tab, paste the following JSON, then click Next, Review New Scopes:

      {
          "scopes": {
              "tenant": [
                  "admin:app.info:readonly",
                  "contact:department.organize:readonly",
                  "contact:department.base:readonly",
                  "contact:user.email:readonly",
                  "contact:user.phone:readonly",
                  "contact:user.employee_id:readonly",
                  "contact:user.base:readonly",
                  "contact:user.department:readonly",
                  "contact:contact.base:readonly"
              ],
              "user": [
                  "contact:department.organize:readonly",
                  "contact:department.base:readonly",
                  "contact:user.email:readonly",
                  "contact:user.phone:readonly",
                  "contact:user.employee_id:readonly",
                  "contact:user.base:readonly",
                  "contact:user.department:readonly",
                  "contact:contact.base:readonly"
              ]
          }
      }

    To export the permissions you configured, use the Export tab.

  7. On the Events & Callbacks page, configure event subscriptions so SASE stays in sync when your organizational structure changes:

    • Set the Encrypt Key, Verification Token, and Request URL. Request URL: Get this value from the SASE console. Go to Identity Authentication > Identity Access > IdP Management, click to add an identity source, and set Enterprise IdP to Lark. Copy the displayed request URL.

    • Enable the following subscription events: Department Created, Department Deleted, Department Info Changed, Employee Resigned, and Employee Info Changed.

    For more information about configuring event subscriptions in Lark, see Event Subscriptions.
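The Encrypt Key and Verification Token set in this step are what let the endpoint behind the Request URL tell a genuine Lark callback from any other request that reaches that URL. The Go example below is added here and is not SASE or Lark code; it shows the receiving side of that check and assumes Lark's published callback format (key = SHA-256 of the Encrypt Key, the "encrypt" field = Base64 of a 16-byte IV followed by AES-256-CBC ciphertext with PKCS#7 padding, and the decrypted JSON carrying the token), with every key, token and IV value constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Assumed scheme: key = SHA-256(Encrypt Key); "encrypt" = Base64(IV || AES-256-CBC(JSON, PKCS#7)).
func larkCipher(encryptKey string) cipher.Block {
	k := sha256.Sum256([]byte(encryptKey))
	b, _ := aes.NewCipher(k[:]) // a 32-byte key never fails
	return b
}
// encryptEvent mirrors the sending side; it exists only to build constructed samples.
func encryptEvent(encryptKey string, iv, plain []byte) string {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(larkCipher(encryptKey), iv).CryptBlocks(out, plain)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), out...))
}

// verifyCallback decrypts a callback body, rejects malformed ciphertext or padding, and compares the
// embedded Verification Token in constant time; it returns the event type and any url_verification challenge.
func verifyCallback(encryptKey, verificationToken, body string) (string, string, error) {
	var env struct{ Encrypt string }
	if json.Unmarshal([]byte(body), &env) != nil || env.Encrypt == "" {
		return "", "", errors.New("body has no encrypt field")
	}
	raw, err := base64.StdEncoding.DecodeString(env.Encrypt)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", "", errors.New("malformed ciphertext")
	}
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(larkCipher(encryptKey), raw[:aes.BlockSize]).CryptBlocks(plain, raw[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	var ev struct{ Token, Type, Challenge string }
	if pad < 1 || pad > aes.BlockSize || json.Unmarshal(plain[:len(plain)-pad], &ev) != nil {
		return "", "", errors.New("bad padding or non-JSON plaintext")
	}
	if subtle.ConstantTimeCompare([]byte(ev.Token), []byte(verificationToken)) != 1 {
		return "", "", errors.New("verification token mismatch")
	}
	return ev.Type, ev.Challenge, nil
}
```

A receiver that skips the token comparison would accept any payload encrypted under a leaked or guessed key, which is why both values must be set and kept secret.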

Step 2: Publish and approve the application

  1. Log on to the Feishu Open Platform with your Lark administrator account.

  2. In the left navigation pane, click Version Management & Release.

  3. Click Create a Version, fill in the App version, Update Notes, Features, Scope changes, and Availability, then click Save. Set both Default Mobile App Feature and Default PC App Feature to Webpage.

    Important

    Users outside the configured availability scope cannot use this identity source to log on to the SASE client.

  4. Approve the application in the Lark Admin console:

    1. Log on to the Lark Admin console with a Lark enterprise administrator account. In the top menu bar, choose Product Features > Admin Console.

    2. Click Enter Lark.

    3. On the Homepage, in the Application Management section, click Go To Review.

    4. On the Application Review page, find the pending application, click Review in the Actions column, then click Approve.

The Lark developer platform configuration takes about 10 minutes to take effect after approval.

Step 3: Connect SASE with Lark

  1. Log on to the Secure Access Service Edge console.

  2. In the left navigation pane, choose Identity Authentication > Identity Access.

  3. On the Identity synchronization tab, click Create IdP.

  4. In the Create IdP panel, select Lark, then click Configure.

  5. In the Basic Configurations wizard, set the parameters described in the following list, then click Connectivity Test.

    • IdP Name: A custom name for this identity source. Must be 2–100 characters and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    • Description: A description displayed as the logon title in the SASE client to help users identify the identity source.

    • IdP Status: Enabled means the identity source is active after creation; Closed means it is disabled after creation. Disabling an identity source prevents end users from accessing internal applications through the SASE app, so proceed with caution.

    • App ID: The App ID of the custom application you created on the Feishu Open Platform (obtained in Step 1).

    • App Secret: The App Secret of the custom application on the Feishu Open Platform (obtained in Step 1).

    • Advanced Settings > Event Subscription > Encrypt Key: Get this value from the Address Book Sync page on the Feishu Open Platform.

    • Advanced Settings > Event Subscription > Verification Token: Get this value from the Address Book Synchronization page of your application on the Feishu Open Platform.

    • Advanced Settings > Event Subscription > Request URL: Use this value to configure the redirection URL in the Feishu Open Platform. Subscribed events: Department Created, Department Deleted, Department Info Changed, Employee Resigned, Employee Info Changed.

    • Redirect URL: Static value: https://login.aliyuncsas.com/open-dev/feishu. Enter this URL in the Feishu Open Platform under Developer Console > Custom App > Security Settings.

    • Automatic Synchronization: When enabled, SASE automatically syncs the organizational structure from Lark. When disabled, you must manually trigger synchronization. For more information, see Connect an LDAP IdP to SASE.

    • Synchronize User Information: When enabled, SASE automatically syncs employee information from Lark on the configured cycle. Requires Automatic Synchronization to be enabled.

    • Automatic Synchronization Cycle: The synchronization interval. Configurable from 1 hour to 24 hours.

    If the Connectivity Test fails, verify that the information you entered is correct.

  6. After the connectivity test succeeds, click Next.

  7. In the Synchronization Settings wizard, configure the organizational structure scope and field mappings, then click Confirm.

    • Organizational Structure Synchronization: Synchronize All syncs the entire organizational structure from Lark. Partially Synchronize lets you select specific departments or groups to sync.

    • Field Synchronization Mapping: Map Lark fields to the corresponding SASE fields. To add custom fields, click View Extended Fields in the upper-right corner of the list.

Step 4: Verify the connection

  1. Open the SASE app on a user device.

  2. Enter the enterprise verification ID and click OK. To find the enterprise verification ID, log on to the Secure Access Service Edge console, go to Settings in the left navigation pane, and copy the Enterprise Authentication Identifier.

  3. Enter the Lark account credentials and click Log On, or use Scan QR Code To Log On.

If the logon succeeds, the integration is working correctly.

Troubleshooting

Connectivity test fails in the SASE console

Verify that the information you entered is correct.

Logon fails with an error code

Look up the error code in the Lark Generic error codes reference.

For example, error code 40004 means the application does not have the required department permissions. To resolve this, modify the application's visibility scope in the Feishu Open Platform.

Logon fails with "you do not have application permissions"

Log on with a Lark super administrator account and modify the application's visibility scope to include the affected users.