Managing account lifecycles across multiple systems — onboarding employees, propagating profile changes, and revoking access on departure — is time-consuming and error-prone when done manually. IDaaS centralizes this by acting as the hub for account data: it can receive accounts from upstream identity providers (IdPs) like DingTalk or Active Directory (AD), and push accounts to downstream applications such as Alibaba Cloud services or your own apps.
Synchronization runs in two directions:

- Inbound: Account data flows from external sources into IDaaS.
- Outbound: Account data flows from IDaaS to external targets.

A single change in AD or DingTalk — a new hire, a role update, or a departure — propagates to every connected system through IDaaS.

## Inbound synchronization

| Method | Source | Description |
|---|---|---|
| Synchronization from IdPs | IdPs | Supports DingTalk, WeCom, Lark, AD, and OpenLDAP. For non-standard IdPs such as self-developed Identity and Access Management (IAM) systems or HR systems, contact the IDaaS team to set up synchronization via the connector service. |
| Just-in-Time (JIT) Provisioning | Multiple | Accounts are synchronized to IDaaS on first login rather than in bulk. Supports OpenID Connect (OIDC) identity providers, including Okta and Azure AD. |
| File-based import | Unlimited | Import accounts from a CSV file. See Use a file to import or export data. |
| Developer API | Applications | Push account data from custom applications using Developer API operations. See the Developer API overview. |
| OpenAPI | Multiple | Import multiple accounts at a time using OpenAPI operations. See the OpenAPI overview. |
| SCIM (System for Cross-domain Identity Management) | Applications | Not supported for inbound sync. If your source system uses SCIM, use the Developer API or contact the IDaaS team about the connector service instead. |

## Outbound synchronization

| Method | Destination | Description |
|---|---|---|
| Synchronization to IdPs | IdPs | Supports DingTalk (Standard DingTalk and Dedicated DingTalk). Outbound sync to AD, OpenLDAP, WeCom, and Lark is not supported. |
| File-based export | Unlimited | Export accounts to a CSV file. See Use a file to import or export data. |
| Data push to applications | Applications | IDaaS pushes account data to applications in three ways: event callbacks (see Synchronize accounts - IDaaS event callback), SCIM (see Sync accounts via SCIM), and pre-integrated marketplace applications with fixed API operations. |
| Data fetch from IDaaS | Applications | Applications call Developer API operations to retrieve multiple accounts and organizations at a time. See the Developer API overview. |
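
Outbound synchronization to AD, OpenLDAP, WeCom, and Lark is listed above as not supported, so a departure recorded in IDaaS does not reach those targets through that method. The following added example (not part of the IDaaS documentation) reconciles a file-based export from IDaaS against an account export from such a target to find access that was not revoked. The column names (`email`, `status`, `login`, `active`) and all sample rows are constructed assumptions, not the IDaaS CSV schema.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for illustration,
# not the real IDaaS CSV layout; adjust them to the files you actually export.
IDAAS_EXPORT = """username,email,status
alice,alice@example.com,enabled
bob,bob@example.com,disabled
carol,carol@example.com,enabled
"""

DOWNSTREAM_EXPORT = """login,email,active
alice,Alice@Example.com,true
bob,bob@example.com,true
dave,dave@example.com,true
erin,erin@example.com,false
"""


def load(text, key_col):
    """Index CSV rows by a normalized (trimmed, lower-cased) key column."""
    reader = csv.DictReader(io.StringIO(text))
    return {row[key_col].strip().lower(): row for row in reader}


def reconcile(idaas_csv, downstream_csv):
    """Compare the hub (IDaaS) export with a downstream target's export."""
    hub = load(idaas_csv, "email")
    target = load(downstream_csv, "email")
    findings = {"orphaned": [], "not_revoked": [], "missing": []}

    for email, acct in target.items():
        if acct["active"].strip().lower() != "true":
            continue  # already inactive downstream, nothing to revoke
        if email not in hub:
            findings["orphaned"].append(email)      # active, unknown to hub
        elif hub[email]["status"].strip().lower() != "enabled":
            findings["not_revoked"].append(email)   # disabled in hub, live here

    for email, acct in hub.items():
        if acct["status"].strip().lower() == "enabled" and email not in target:
            findings["missing"].append(email)       # never provisioned

    return {kind: sorted(emails) for kind, emails in findings.items()}


if __name__ == "__main__":
    for kind, emails in reconcile(IDAAS_EXPORT, DOWNSTREAM_EXPORT).items():
        print(f"{kind}: {', '.join(emails) or '-'}")
```

Matching on a normalized e-mail address is a choice made for this example; use whichever immutable identifier both systems share.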