This topic describes how to configure single sign-on (SSO) for DingTalk Enterprise in IDaaS.
Introduction
DingTalk Enterprise helps businesses build a dedicated, secure, and open digital office platform. This platform allows businesses to define their own digital work and learning methods. You can use single sign-on to log on to DingTalk Enterprise, which links your corporate identity to your DingTalk identity.
For more information, see Log on to Exclusive DingTalk with AD/LDAP/IDaaS accounts.
You must enable the dedicated account feature of DingTalk Enterprise.
Procedure
1. Create an application
Go to and search for the DingTalk Enterprise application. Select the application to add it.

After you add the application, you are automatically redirected to the SSO configuration page.
2. Configure SSO in IDaaS
IDaaS preconfigures all SSO settings for DingTalk Enterprise. You only need to adjust the following settings as needed:
Set Authorization Pattern to Implicit Mode and select the id_token checkbox. Redirect URIs is set by default to: https://login.dingtalk.com/oauth2/oidcCallBack.htm
Set Authorization Scope to All Users. If only some employees in your organization need to use DingTalk Enterprise, select Manual and then manually grant permissions to accounts or organizations.

In the advanced configuration, the extended id_token must contain a key named sub. When a user uses SSO to log on to DingTalk Enterprise, DingTalk Enterprise matches the user's userid based on the sub value to complete the logon.

The sub value can be configured in two ways:
Fixed field matching: This method matches a field of the IDaaS account with the userid of a DingTalk Enterprise user. The value must be in the format user.{IDaaS field name}, such as user.userid or user.username. For more information, see Advanced Account Field Expressions. This applies to two scenarios:
Users synchronized from IDaaS: The value must be the same as the value of the DingTalk userid field in the field mappings of the DingTalk Enterprise identity provider.
Existing DingTalk Enterprise users: The userid of the DingTalk Enterprise user must be the same as the sub value.
Binding relationship matching: This method matches the DingTalk Enterprise user based on the binding relationship between the IDaaS account and the DingTalk Enterprise user. The value format is user.identityProviderUserMap.{idpId}.identityProviderUserId. You can obtain the idpId from the identity provider page.
This applies to two scenarios:
Users synchronized from IDaaS: The IDaaS account and the DingTalk Enterprise user are already bound by default. No special action is required.
Existing DingTalk Enterprise users: Bind their accounts by using identity mapping in the field mapping settings. After the accounts are bound, they can be used as normal. For more information, see Field Mapping.
If this field value is configured incorrectly, the sub value in the id_token does not match any DingTalk Enterprise userid, and users cannot log on to DingTalk Enterprise.
3. Configure SSO in DingTalk Enterprise
Go to the DingTalk admin console and log on to the DingTalk Enterprise admin console.
Under Security and Permissions > Organization Code Logon, copy or request an organization code. Your users need this code to log on to DingTalk Enterprise. Set Logon Method to SSO Logon.
Under Security and Permissions > SSO Settings, enter the following information from the IDaaS application:
Configuration Method: Select OIDC Protocol Authentication.
Configuration Parameters: Obtain the following parameters from the IDaaS application that you created in Step 1 of this topic:
Client ID: Obtain the value from client_id in the general configuration.
Issuer: Obtain the value from Issuer under Logon Access > Single Sign-on > Application Configuration Information.
Authorization URL: Obtain the value from the authorization endpoint under Logon Access > Single Sign-on > Application Configuration Information.
OpenID Config URL: Obtain the value from the discovery endpoint under Logon Access > Single Sign-on > Application Configuration Information.
4. Test SSO
DingTalk Enterprise supports only SP-initiated SSO. For more information, see User logon steps.
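The following Python script is an added example, not code from IDaaS or DingTalk. It simulates the SP-initiated logon that steps 2 through 4 configure: the identity provider resolves the id_token's sub claim from the configured field expression (both fixed field matching and binding relationship matching from step 2), and the service provider validates the token against the Issuer and Client ID entered in step 3 before matching sub to a DingTalk userid. The issuer URL, client ID, signing secret, the IDaaS account layout, the idpId and the DingTalk user records are all constructed assumptions; HS256 with a shared secret stands in for the RS256 keys a real OIDC issuer publishes at its discovery endpoint.

```python
"""Added example (not IDaaS or DingTalk code): the implicit-flow logon configured
in steps 2 and 3, simulated end to end with constructed data. The IdP resolves the
id_token's sub from the configured field expression; the SP validates the token
against the Issuer and Client ID it was given and matches sub to a DingTalk userid.
HS256 with a shared secret stands in for the RS256 keys a real issuer publishes."""
import base64, hashlib, hmac, json, secrets, time

# Constructed values; the real ones come from the IDaaS application page.
ISSUER = "https://idaas.example.com/oidc"  # assumption
CLIENT_ID = "app_demo_client_id"  # assumption
SIGNING_SECRET = b"constructed-demo-secret-not-for-production"

# Constructed IDaaS account. identityProviderUserMap follows the shape implied by
# the expression user.identityProviderUserMap.{idpId}.identityProviderUserId.
IDAAS_ACCOUNT = {
    "userid": "idaas-0001",
    "username": "alice",
    "identityProviderUserMap": {"idp_dingtalk_demo": {"identityProviderUserId": "dt-88001"}},
}
# Constructed DingTalk Enterprise users keyed by userid.
DINGTALK_USERS = {
    "idaas-0001": {"name": "Alice (synchronized from IDaaS)"},
    "dt-88001": {"name": "Alice (existing DingTalk user)"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj) -> str:
    """JWT segments are base64url of minified JSON."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def resolve_sub(expression: str, account: dict):
    """Evaluate a user.<field path> expression; None means the field does not exist."""
    if not expression.startswith("user."):
        return None
    value = account
    for part in expression[len("user."):].split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value if isinstance(value, str) else None

def issue_id_token(account: dict, sub_expression: str, nonce: str, now=None):
    """IdP side: sign an id_token whose sub comes from the expression, or None if unresolved."""
    sub = resolve_sub(sub_expression, account)
    if sub is None:
        return None
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = compact_json({"alg": "HS256", "typ": "JWT"}) + "." + compact_json(claims)
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_id_token(token: str, expected_nonce: str, now=None):
    """SP side: the checks the Issuer and Client ID entered in step 3 exist to support.
    Returns (claims, None) on success or (None, reason) on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        return None, "issuer mismatch"
    if claims.get("aud") != CLIENT_ID:
        return None, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    if not claims.get("sub"):
        return None, "sub missing"
    return claims, None

def sso_logon(sub_expression: str, account=IDAAS_ACCOUNT, users=DINGTALK_USERS):
    """One SP-initiated logon; returns ("allowed", name) or ("denied", reason)."""
    nonce = secrets.token_urlsafe(16)  # the SP generates the nonce and checks it on return
    token = issue_id_token(account, sub_expression, nonce)
    if token is None:
        return "denied", f"sub could not be resolved from {sub_expression}"
    claims, err = validate_id_token(token, nonce)
    if err:
        return "denied", err
    user = users.get(claims["sub"])
    if user is None:
        return "denied", f"no DingTalk user with userid {claims['sub']}"
    return "allowed", user["name"]

if __name__ == "__main__":
    for expr in ("user.userid", "user.identityProviderUserMap.idp_dingtalk_demo.identityProviderUserId",
                 "user.username", "user.employeeNo"):
        print(expr, "->", sso_logon(expr))
```

Running the script shows the two working configurations from step 2 side by side with the two failure modes the topic warns about: an expression that points at a field with no DingTalk userid counterpart (user.username here) produces a valid token whose sub matches nobody, and an expression for a field that does not exist produces no sub at all. In both cases the outcome is the denied logon described at the end of step 2.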