
Identity as a Service: Log on to DingTalk Enterprise with an AD/LDAP/IDaaS account

Last Updated: Aug 26, 2025

This topic describes how to use IDaaS to sync account and organization data from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) to DingTalk Enterprise and log on with an AD, LDAP, or IDaaS account.

Scenarios

If you already use DingTalk Enterprise, you can use the standard features of the public cloud version of IDaaS EIAM (Cloud Identity Service) to implement the following scenarios:

  • Data synchronization: Sync account and organization data from sources such as AD and LDAP to DingTalk Enterprise. This automatically updates the DingTalk address book and ensures data consistency between upstream and downstream systems.

  • Single sign-on (SSO): Log on to DingTalk Enterprise with an AD, LDAP, or IDaaS account. You must enable the enterprise account module in DingTalk Enterprise.

  • Logon-free application access: Extend the logon-free access feature of DingTalk. You can quickly integrate applications supported by IDaaS into the DingTalk workbench to enable logon-free access.

In addition, the private version of IDaaS EIAM can address more advanced product or service requirements, such as:

  • Deep integration with DingTalk Enterprise: Integrate more deeply with the identity system of DingTalk Enterprise. For example, you can link logon statuses, passwords, and roles, or authenticate with Kerberos or an API.

  • Complex identity management: If you use multiple identity systems, such as Human Resources (HR), Office Automation (OA), or Identity and Access Management (IAM), you need to systematically organize and manage them to address complex identity management scenarios.

  • Other requirements: These include custom product features, full delivery services, deployment to an internal network, or connecting to an internal network through a zero trust component.

Flow description

When you log on to DingTalk Enterprise with an AD, LDAP, or IDaaS account, DingTalk Enterprise acts as an IDaaS application. Users log on to DingTalk Enterprise using their IDaaS accounts. Therefore, you can still use IDaaS authentication features, such as multiple logon methods, two-factor authentication, password policies, and logon pages. The following flow uses AD as an example.

Administrator procedure

The following procedure applies to the public cloud version of IDaaS EIAM (Cloud Identity Service).

Before you begin, you must create an IDaaS instance. For more information, see Activate an instance for free.

1. Sync existing identity data to IDaaS

If you use an identity provider that is supported by IDaaS by default, you can configure the settings on the user interface (UI) to sync upstream identity data with IDaaS.

If you use HR, OA, IAM, or self-built applications, you can choose a solution based on your requirements.

  • If you want to develop the integration yourself, you can use the Developer API for IDaaS applications to directly import identity data into IDaaS. For more information, see Developer API for applications.

  • If you want the IDaaS team to handle the integration, two private deployment solutions are available.

    • Private deployment of the synchronization component: If you have a simple identity system, you can use the IDaaS synchronization component, the connector. After you deploy this component privately to your internal network, you can sync data to IDaaS.

    • Private deployment of IDaaS: If you have a complex identity system that requires systematic organization and administration, you can use the private version of IDaaS. This version supports deep and flexible identity control capabilities and custom development.

2. Sync IDaaS identity data to DingTalk Enterprise

After you sync identity data from IDaaS to DingTalk Enterprise, you can link your enterprise's upstream identity data, such as data from AD or LDAP, with the address book data in DingTalk Enterprise. This ensures that changes are synchronized across all systems.

To sync IDaaS data to DingTalk Enterprise, see Attach DingTalk - Outbound.

When you attach DingTalk for outbound synchronization, note the following points when you configure DingTalk Enterprise:

  1. When you create the application, select DingTalk Enterprise as the DingTalk version.

  2. In the Field Mapping step, the userid field for DingTalk users is used for logging on to DingTalk Enterprise. Set the field value to the IDaaS userId or username. For more information, see Step 3 of this topic.

3. Create an IDaaS application

IDaaS provides a pre-integrated DingTalk Enterprise application. You can complete the SSO configuration for DingTalk Enterprise in a few simple steps.

For more information, see DingTalk Enterprise SSO.

4. Set the logon method

In the logon settings for your IDaaS instance, you can set different logon methods, such as AD, LDAP, IDaaS account and password, or IDaaS text message verification code. You can also set two-factor authentication policies and password policies. For more information, see General configuration, Two-factor authentication, and Password policy.

Note

The DingTalk logon method option is hidden on the DingTalk mobile app.

If you want users to log on with their AD or LDAP accounts, you can customize the settings for the AD or LDAP identity provider. You can use fields such as userPrincipalName, sAMAccountName, uid, or mail as the logon name. For more information, see AD custom configuration and LDAP custom configuration.
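Two checks that are worth running before the Field Mapping step (Step 2) and before choosing the AD/LDAP logon-name field above: that the chosen attribute is non-empty and unique for every directory entry, and that every DingTalk Enterprise userid resolves to an IDaaS userId or username. This is an added example, not IDaaS or DingTalk code; the directory entries, IDaaS accounts and DingTalk users are constructed, and case-insensitive comparison of logon names is an assumption.

```python
"""Pre-flight checks for an AD/LDAP -> IDaaS -> DingTalk Enterprise setup.
Added example, not IDaaS or DingTalk code. All records below are constructed."""
from collections import Counter

LOGON_NAME_FIELDS = ("userPrincipalName", "sAMAccountName", "uid", "mail")

# Constructed AD entries. AD does not enforce uniqueness on "mail", so duplicates can occur.
AD_ENTRIES = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@corp.example", "mail": "alice@corp.example"},
    {"sAMAccountName": "bob",   "userPrincipalName": "bob@corp.example",   "mail": ""},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@corp.example", "mail": "alice@corp.example"},
]

# Constructed IDaaS accounts (userId/username) and DingTalk Enterprise users (userid).
IDAAS_ACCOUNTS = [
    {"userId": "u-1001", "username": "alice"},
    {"userId": "u-1002", "username": "bob"},
]
DINGTALK_USERS = [
    {"name": "Alice", "userid": "alice"},   # userid mapped to the IDaaS username
    {"name": "Bob",   "userid": "u-1002"},  # userid mapped to the IDaaS userId
    {"name": "Dave",  "userid": "dave"},    # no matching IDaaS account: SSO cannot resolve this user
]


def check_logon_field(entries, logon_field):
    """Report directory entries that cannot log on with the chosen logon-name field:
    empty values and duplicates (compared case-insensitively, an assumption)."""
    if logon_field not in LOGON_NAME_FIELDS:
        raise ValueError(f"unsupported logon field: {logon_field}")
    values = [(e.get(logon_field) or "").strip().lower() for e in entries]
    problems = [f"{e['sAMAccountName']}: empty {logon_field}"
                for e, v in zip(entries, values) if not v]
    dups = sorted(v for v, n in Counter(v for v in values if v).items() if n > 1)
    problems += [f"duplicate {logon_field}: {v}" for v in dups]
    return problems


def check_dingtalk_userids(idaas_accounts, dingtalk_users):
    """Return DingTalk userids that match neither an IDaaS userId nor a username.
    The field mapping must set userid to one of those, so these users cannot log on via IDaaS."""
    known = {a["userId"] for a in idaas_accounts} | {a["username"] for a in idaas_accounts}
    return [u["userid"] for u in dingtalk_users if u["userid"] not in known]


if __name__ == "__main__":
    for field in ("sAMAccountName", "mail"):
        print(field, check_logon_field(AD_ENTRIES, field) or "ok")
    print("orphan DingTalk userids:", check_dingtalk_userids(IDAAS_ACCOUNTS, DINGTALK_USERS))
```

With the constructed data, sAMAccountName passes, mail flags one empty value and one duplicate, and the user "dave" is reported as unresolvable.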

You can also customize the IDaaS logon page. This page is displayed when users log on to DingTalk Enterprise. For more information, see Enterprise information.

User logon procedure

After the administrator completes the preceding steps, users can log on to DingTalk Enterprise with their AD, LDAP, or IDaaS accounts. This logon method is available on the DingTalk PC client, mobile app, and web client. This section uses the DingTalk PC client as an example to demonstrate the logon flow.

1. Click Log on with Enterprise Account

Open the DingTalk PC client and click Log On With Enterprise Account.

2. Enter the organization code

Enter the organization code and click Next. You are redirected to the IDaaS logon page. Information on how to obtain the organization code is displayed below the button.

3. Enter the account and password

On the IDaaS logon page, enter the account and password. The administrator can set the default logon method. By default, users log on with their enterprise AD account and password. You can also switch to other logon methods. After you click Log On, you must complete two-factor authentication for IDaaS.

4. Attach a mobile number

When you log on for the first time, you must attach a mobile number in DingTalk Enterprise. After the mobile number is attached, you can access the DingTalk Enterprise interface and use its features.