Connect DingTalk to IDaaS as an identity provider (IdP) to sync your organization's users and structure into IDaaS, enable QR code logon, and set up single sign-on (SSO) from the DingTalk Workbench—all in about two minutes using a QR code scan.
What this integration enables
Once bound, the DingTalk integration covers three areas:
| Area | Capabilities |
|---|---|
| Account | Sync the entire DingTalk address book to IDaaS; listen for address book changes and sync incrementally in real time; sync data back to DingTalk (outbound) |
| Logon | Let users log on to IDaaS or its applications by scanning a QR code in DingTalk |
| Application | Implement SSO to applications in IDaaS from the DingTalk Workbench; automatically creating applications in the DingTalk Workbench for SSO to IDaaS is not supported |
Choose a binding method
IDaaS supports two methods for importing data from DingTalk. Choose based on whether you need complete user profile data (including mobile numbers and mailboxes).
| Method | How it works | Pros | Cons |
|---|---|---|---|
| Third-party application method (quick bind) | Scan a QR code to authorize a DingTalk third-party enterprise application | Simple to set up—no manual input required | Cannot retrieve mobile numbers and mailboxes in bulk; users must grant access during logon, or the admin must enter the information manually |
| First-party application method (advanced configuration) | Create a DingTalk first-party application, grant permissions, and enter credentials into IDaaS | Full user profile data, flexible permissions | Longer setup time |
Start with the third-party method to get connected quickly. Switch to or add advanced configuration later if you need complete user data.
Quickly bind DingTalk
From Quick Start or the IdPs menu, click Bind DingTalk.
Prerequisites
Before you begin, ensure that you have:
A DingTalk enterprise administrator account with permission to scan QR codes and grant authorization
Step 1: Select scenarios
Select the features to activate for this DingTalk integration. If none apply yet, proceed to the next step.
| Feature | What it does |
|---|---|
| Sync Target | Sets the IDaaS node where DingTalk address book data is imported |
| Incremental Sync | Calls the DingTalk API to listen for address book changes and syncs them to IDaaS in real time. Uses field mapping to match a DingTalk user to an existing IDaaS account (for example, by mobile number); if a match is found, the IDaaS account is updated; otherwise, a new account is created. |
| Log on with DingTalk QR code | Creates and enables a QR Scan Sign-In method in the Sign-In menu |
| Trigger a full sync | Imports all data within the authorized DingTalk address book scope immediately after binding completes |
Run a full synchronization before enabling incremental synchronization. If you enable incremental synchronization first, some data may not sync correctly. A failed import for one account does not affect other accounts. Click Logs to view failure details.
Step 2: Enable the IDaaS application in DingTalk
Ask the DingTalk administrator to scan the QR code shown on this page. This enables the free third-party application Alibaba Cloud IDaaS for the DingTalk enterprise. Follow the prompts on the DingTalk application enablement page to complete the process.
After binding, to adjust which parts of the DingTalk address book are synced to IDaaS, update the scope settings for the Alibaba Cloud IDaaS application in the DingTalk Admin Console - Application Management. IDaaS uses the authorization scope of this application during synchronization.
Step 3: Scan to complete the binding
In the Alibaba Cloud IDaaS application in DingTalk, click Scan to Bind.
After this step, IDaaS runs a full or incremental synchronization based on your configuration in Step 1. DingTalk users can then log on to IDaaS by scanning a QR code.
Manage the DingTalk identity provider
After binding, IDaaS redirects you to the IdPs menu where you can manage the integration.
View import status
If you selected Provisioning - Import Data to IDaaS, the page shows In Progress. Click View Details to open the Sync Task page and track progress.
After synchronization completes, a prompt appears on the IdPs page. Imported accounts can log on via DingTalk QR code scan, but they may be missing mobile numbers or mailboxes. Without this information, two-factor authentication and password retrieval are unavailable. Ask users to add their mobile numbers or mailboxes. For details, see Log on with DingTalk QR code.
Modify the sync target
If you change the sync target, manually trigger a full synchronization afterward so that the organizational structure reflects the update.
Manage DingTalk QR code logon
If you selected QR Scan Sign-In - Enabled during binding, IDaaS creates a DingTalk QR code logon method in the Sign-In menu. Manage it from either the IdPs or Sign-In menu. For details, see Log on with DingTalk QR code.
Bind multiple DingTalk address books
IDaaS supports binding multiple DingTalk enterprise address books. Each enterprise requires its own DingTalk administrator to complete the QR code scan and enablement steps.
To keep accounts from different enterprises separate, create distinct organizational nodes in IDaaS before binding. For example, create Organization A and Organization B under the root node, then map each DingTalk enterprise to its corresponding node during binding.
Each DingTalk enterprise can be bound to only one IDaaS instance. Support for binding the same DingTalk enterprise to multiple IDaaS instances may be added in a future release.
Enable DingTalk advanced configuration
After the quick bind is complete, enable advanced configuration on the identity provider page to retrieve complete DingTalk user profiles, including mobile numbers and mailboxes.
If your organization uses DingTalk Enterprise with the exclusive account feature enabled, IDaaS cannot retrieve mobile numbers for exclusive accounts due to DingTalk's security design. The admin must add these numbers manually in the console, or employees can add them in the application portal.
Prerequisites
Before you begin, ensure that you have:
Completed the quick bind steps
A DingTalk administrator account with access to the DingTalk Open Platform
Step 1: Select a scenario
No features are available for configuration in this step. Proceed to the next step.
Step 2: Create a DingTalk application and connect it to IDaaS
Log on to the DingTalk Open Platform - In-house Enterprise Development.
Click Create Application and fill in the basic information for the in-house enterprise application.
After the application is created, copy the AppKey and AppSecret from the application page.
Paste the AppKey and AppSecret into IDaaS.
Click Connect To DingTalk. IDaaS tests the connection. If the credentials are valid, the Next button becomes available.
Step 3: Assign address book permissions
In the DingTalk application, click Permission Management.
Under Address Book Management and
Set the permission scope to All Employees. To adjust the scope of the DingTalk address book to be synchronized to IDaaS, modify the settings in the Alibaba Cloud IDaaS application in the DingTalk Admin Console - Application Management. IDaaS uses the authorization scope of this application during synchronization.
Back in IDaaS, click Complete Authorization.
To restrict this DingTalk application to IDaaS requests only, add the following IP addresses to Security Settings > Egress IP Address in the DingTalk application:
112.124.***.****, 112.124.***.****, 112.124.***.****, 112.124.***.***, 112.124.***.***, 112.124.***.***, 112.124.***.****, 112.124.***.****, 112.124.***.****, 112.124.***.****
Because this application is used only for data synchronization, enter any value for Application Homepage URL.
Step 4: Adjust field mappings (optional)
Configure Field Mappings to use the DingTalk mobile number or mailbox as the IDaaS account username or mobile number, or to match a DingTalk user to an existing IDaaS account that shares the same mobile number.
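As an added illustration (not IDaaS or DingTalk code), the following Python sketches the match-update-or-create logic that the Incremental Sync row in Step 1 and the Field Mappings step above describe, including isolating one account's failure from the rest and the case of a user whose mobile number is absent. The record shapes, field names and sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SyncResult:
    updated: list = field(default_factory=list)   # IDaaS usernames updated
    created: list = field(default_factory=list)   # IDaaS usernames created
    failed: dict = field(default_factory=dict)    # DingTalk userid -> reason

def reconcile(dingtalk_users, idaas_accounts, field_mapping, match_field):
    """Apply DingTalk records to the IDaaS account list (mutated in place).

    field_mapping maps DingTalk field -> IDaaS field; match_field is the
    IDaaS field used to find an existing account (e.g. "mobile").
    """
    result = SyncResult()
    for user in dingtalk_users:
        uid = user.get("userid", "?")
        try:
            mapped = {idaas_f: user[dt_f] for dt_f, idaas_f in field_mapping.items()}
        except KeyError as exc:
            result.failed[uid] = f"missing DingTalk field {exc}"  # isolate this account
            continue
        key = mapped.get(match_field)
        if not key:  # e.g. an exclusive account whose mobile number is withheld
            result.failed[uid] = f"empty match field {match_field}"
            continue
        existing = next((a for a in idaas_accounts if a.get(match_field) == key), None)
        if existing is None:
            idaas_accounts.append(mapped)
            result.created.append(mapped["username"])
        else:  # keep the IDaaS username, refresh the other mapped attributes
            existing.update({k: v for k, v in mapped.items() if k != "username"})
            result.updated.append(existing["username"])
    return result

# Constructed sample data for this example; not real DingTalk records.
FIELD_MAPPING = {"userid": "username", "name": "display_name",
                 "mobile": "mobile", "email": "email"}
DINGTALK_USERS = [
    {"userid": "u1", "name": "Alice", "mobile": "13800000001", "email": "alice@example.com"},
    {"userid": "u2", "name": "Bob", "mobile": "13800000002", "email": "bob@example.com"},
    {"userid": "u3", "name": "Carol", "mobile": "", "email": "carol@example.com"},
]

def run_sample():
    # One pre-existing IDaaS account that should be matched by mobile number
    accounts = [{"username": "alice", "mobile": "13800000001", "display_name": "A. Liddell"}]
    result = reconcile(DINGTALK_USERS, accounts, FIELD_MAPPING, match_field="mobile")
    return result, accounts
```

Running `run_sample()` updates the existing account for Alice, creates an account for Bob, and records Carol as a per-account failure without stopping the sync, mirroring the Logs behaviour described in Step 1.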
Best practices
Run full synchronization before incremental synchronization. Enabling incremental synchronization without a prior full sync may result in missing data.
Separate enterprises into distinct organizational nodes. When binding multiple DingTalk enterprises, create a dedicated node for each under the IDaaS root before binding. This prevents accounts from different enterprises from merging.
Prompt users to add mobile numbers and mailboxes after import. Accounts imported without this data cannot use two-factor authentication or password retrieval.
Use advanced configuration when complete user data is required. The quick bind method cannot retrieve mobile numbers and mailboxes in bulk. Switch to advanced configuration when you need this information.
Troubleshooting
Users are missing mobile numbers or mailboxes after synchronization. This is expected when using the quick bind (third-party application) method. The third-party application cannot retrieve this data in bulk. To get complete user profiles, enable DingTalk advanced configuration. Alternatively, ask users to add their mobile numbers and mailboxes manually after logging on.
Incremental synchronization is not picking up all changes. Run a full synchronization first to establish a baseline. Incremental synchronization only captures changes from the point it was enabled. To trigger a full synchronization manually, go to the IdPs page and initiate sync from there.
A DingTalk enterprise cannot be bound—it appears to be already connected. Each DingTalk enterprise can be bound to only one IDaaS instance. If the enterprise is already bound to another instance, remove that binding before connecting it to the current instance.
After changing the sync target, the organizational structure looks incorrect. Changing the sync target does not automatically re-sync existing data. Trigger a full synchronization manually after updating the sync target to rebuild the organizational structure.
What's next
Bind IDaaS to DingTalk - outbound: Push IDaaS data back to DingTalk
Log on with DingTalk QR code: Configure and manage the QR code logon method
Field Mappings: Map DingTalk user attributes to IDaaS account fields