
Identity as a Service:Bind IDaaS to DingTalk - inbound

Last Updated: Nov 05, 2025

This topic describes how to integrate Alibaba Cloud IDaaS with DingTalk for inbound data synchronization. This integration enables synchronization management of organizational structures and users, improving the efficiency and security of enterprise identity management.

Scenarios

IDaaS uses the concept of an identity provider (IdP) to manage the interaction between enterprise identity systems and IDaaS. DingTalk, also an Alibaba Cloud product, is natively integrated with IDaaS, so the binding configuration is simple: you can complete it in about two minutes by scanning a QR code and granting authorization. The binding enables the following features:

Account features:

  • Synchronize the entire DingTalk address book to IDaaS.

  • Listen for DingTalk address book events and incrementally synchronize the changed data to IDaaS.

  • Perform a full or incremental synchronization of data to DingTalk (for more information, see Bind IDaaS to DingTalk - outbound).

Logon features:

  • Log on to IDaaS, or to applications in IDaaS, by scanning a QR code in DingTalk.

Application features:

  • Implement single sign-on from the DingTalk workbench to applications in IDaaS.

  • Automatically create applications in the DingTalk workbench for single sign-on to IDaaS (this feature is not supported).

Two methods for binding DingTalk

From the IdPs menu, you can add DingTalk as an identity provider for IDaaS and enable all related features during the process.

IDaaS supports two methods for importing data from DingTalk:

Third-party application method (Quickly bind DingTalk)

This method uses the DingTalk third-party enterprise application solution. You complete the configuration by scanning a QR code to grant authorization.

Pros: The configuration is simple and easy to enable.

Note

During the configuration process, you do not need to enter any information. You only need to scan a QR code and grant authorization.

Cons: You cannot obtain user mobile numbers and email addresses (mailboxes) in batches. The administrator must enter this information, or users must grant authorization when they log on.

First-party application method (DingTalk advanced configuration)

This method builds on the third-party application method. The DingTalk administrator creates a DingTalk first-party (in-house) application, grants it the required permissions, and enters its information in IDaaS.

Pros: Permissions are flexible, and you can obtain complete user information.

Cons: The configuration takes longer.

Quickly bind DingTalk

From the Quick Start or IdPs menu, click Bind DingTalk to start the inbound binding process.

Step 1: Select a scenario

In the first step, select the scenario features you want to implement with DingTalk. If you have no preference, you can proceed to the next step.

Feature description

  • Sync Target: The DingTalk address book data is imported to this node in IDaaS.

  • Incremental Sync: When this feature is enabled, IDaaS calls the DingTalk API to listen for DingTalk address book events. If the DingTalk address book changes, the changed data is synchronized to IDaaS in real time.

    • You can set a mapping identity (match key) in the field mapping: a field of the IDaaS account, such as the mobile number, is compared with the corresponding field of the DingTalk user. If a match is found, the existing IDaaS account is overwritten with the DingTalk data. Otherwise, a new IDaaS account is created.

    • We recommend that you perform a full synchronization before an incremental synchronization. Otherwise, some data may fail to be synchronized.

    • If a single account fails to import, the import of other data is not affected.

    • You can view the failure information by clicking Logs.

  • Log on with DingTalk QR code: If you select this option, a QR Scan Sign-In method is created and enabled in the Sign-In menu. You can then log on by scanning the QR code.

  • Trigger a full sync: If you select this option, all data within the authorized scope of the DingTalk address book is imported after the binding is complete.

Step 2: Scan the QR code to enable the service

In the second step, ask the DingTalk administrator to scan the QR code to enable the free third-party application, Alibaba Cloud IDaaS, for the DingTalk enterprise.

After scanning the QR code in DingTalk, you are redirected to the application enablement page. Complete the enablement process.

Note

After the binding is complete, to adjust the scope of the DingTalk address book to be synchronized to IDaaS, you can modify the settings in the Alibaba Cloud IDaaS application in the DingTalk Admin Console - Application Management. IDaaS uses the authorization scope of this application during synchronization.

Step 3: Scan the QR code to bind

In the third and final step, ask the DingTalk administrator to click the Scan to Bind button in the Alibaba Cloud IDaaS application. Then, scan the QR code provided in this step and confirm the operation to complete the binding. IDaaS will then perform a full or incremental synchronization based on your configuration, and DingTalk users can log on to IDaaS by scanning a QR code.

Manage the DingTalk identity provider

After you bind DingTalk, you are automatically redirected to the IdPs menu. Here, you can manage the features that interact with the identity provider.

  1. View the import status

    • Import prompt: If you selected Provisioning - Import Data to IDaaS when you bound DingTalk, the message In Progress is displayed on the page. You can click [View Details] to go to the Sync Task page and view the progress.

    • Handling missing mobile numbers or mailboxes: After the synchronization is complete, a prompt is displayed on the IdPs page. The imported accounts can be used to log on to IDaaS or applications by scanning a QR code in DingTalk. However, the newly imported accounts are missing mobile numbers or mailboxes. We recommend that users add their mobile numbers or mailboxes. Otherwise, related features such as two-factor authentication and password retrieval will not work. For more information, see Log on with DingTalk QR code.

  2. Modify the sync target: If you modify the sync target, you must manually trigger a full synchronization afterward to verify that the organizational structure meets your expectations.

  3. Log on with DingTalk QR code: If you selected QR Scan Sign-In - Enabled when you bound DingTalk, IDaaS creates a DingTalk QR code logon method in the Sign-In menu. You can manage this feature from the IdPs or Sign-In menu. Users can then go to the logon page and log on by scanning a QR code in DingTalk. For more information, see Log on with DingTalk QR code.

  4. Bind multiple DingTalk address books: IDaaS lets you bind multiple DingTalk address books. To do this, a different DingTalk enterprise administrator must complete the QR code scanning and enablement procedure for each address book. When managing multiple enterprises, you may want to synchronize the accounts from different enterprises to different target nodes to keep them separate. For example, to import the address books of DingTalk Enterprise A and Enterprise B into IDaaS for unified management, we recommend that you first create Organization A and Organization B under the root node of the IDaaS organizational structure. Then, when you bind each DingTalk enterprise, specify that Enterprise A is synchronized to Organization A and Enterprise B is synchronized to Organization B. However, a DingTalk enterprise can be bound to only one IDaaS instance. The ability to bind the same DingTalk enterprise to multiple IDaaS instances may be available in a future release.

Enable DingTalk advanced configuration

After you bind DingTalk, you can enable DingTalk advanced configuration on the identity provider page. After you enable advanced configuration, you can obtain complete DingTalk user information.

Note

If you use DingTalk Enterprise and enable the exclusive account feature, IDaaS cannot obtain the mobile numbers associated with the exclusive accounts because of the security design of DingTalk Enterprise. To use mobile numbers, the administrator must add them in the console, or employees must manually add them in the application portal.

Step 1: Select a scenario

In the first step, no features are available for configuration. You can proceed to the next step.

Step 2: Create an application

In the second step, you need to enter the application information from DingTalk into IDaaS.

Log on to the DingTalk Open Platform - In-house Enterprise Development, click Create Application, and enter the basic information for the in-house enterprise application.

After the application is created, you are automatically redirected to the application product page in DingTalk. Copy the AppKey and AppSecret and then paste them into IDaaS.

After you enter the information, click Connect To DingTalk. IDaaS tests the connection to DingTalk. If the information is correct, click Next to proceed.

Step 3: Assign permissions

In the third step, you need to assign permissions in the current DingTalk application. Click Permission Management, select all permissions under Address Book Management and Application Management, and then click Batch Request.

For the permission scope, select All Employees. To adjust the scope of the DingTalk address book to be synchronized to IDaaS, you can modify the settings in the Alibaba Cloud IDaaS application in the DingTalk Admin Console - Application Management. IDaaS uses the authorization scope of this application during synchronization.

After the authorization is complete, click the Complete Authorization button in IDaaS. IDaaS checks whether the application has the required DingTalk address book management permission. If the check passes, the configuration is complete. IDaaS can then obtain information such as employee mobile numbers and mailboxes.

Note

If you want only IDaaS to be able to call this DingTalk application, enter the IDaaS egress IP addresses in the Security Settings on the DingTalk application page:

112.124.***.****,112.124.***.****,112.124.***.****,112.124.***.***,112.124.***.***,112.124.***.***,112.124.***.****,112.124.***.****,112.124.***.****,112.124.***.****

Because this application is used mainly for data synchronization and not for daily use by employees, you can enter any address for the Application Homepage URL.

Step 4: Adjust field mappings (Optional)

If you want to use the DingTalk mobile number and mailbox (email address) as the username and mobile number of the IDaaS account, or to bind a DingTalk user to the IDaaS account that has the same mobile number, configure this in Field Mappings.
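The field-mapping and match-key behaviour described under Incremental Sync (match on a mapping identity such as the mobile number, overwrite the matched account or create a new one, and let one failed record not block the rest) and the Field Mappings step above can be pictured as one reconciliation pass. The following is an added example written for this page; it is not IDaaS or DingTalk code, and the record layouts, field names (userid, mobile, email, phone, username) and sample users are constructed for illustration, not the real DingTalk API schema.

```python
import re
from dataclasses import dataclass, field

# Minimal e-mail syntax check, enough to reject obviously broken values.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample records in the shape a DingTalk address-book export
# might take. The keys are assumptions for this example, not the real
# DingTalk API field names.
DINGTALK_USERS = [
    {"userid": "dt-1001", "name": "Alice", "mobile": "13800000001", "email": "alice@example.com"},
    {"userid": "dt-1002", "name": "Bob",   "mobile": "13800000002", "email": "bob@example.com"},
    {"userid": "dt-1003", "name": "Carol", "mobile": None,          "email": "carol@example.com"},
    {"userid": "dt-1004", "name": "Dave",  "mobile": "13800000004", "email": "not-an-email"},
]

# Field mapping: IDaaS attribute <- DingTalk attribute (hypothetical names).
FIELD_MAPPING = {"username": "email", "display_name": "name", "phone": "mobile", "email": "email"}

# "Mapping identity": the IDaaS field and the DingTalk field that are compared
# to decide whether an existing account is overwritten or a new one is created.
MATCH_KEY = ("phone", "mobile")


@dataclass
class SyncResult:
    created: list = field(default_factory=list)   # DingTalk userids that became new accounts
    updated: list = field(default_factory=list)   # DingTalk userids that overwrote existing accounts
    failed: list = field(default_factory=list)    # (userid, reason) pairs, i.e. what "Logs" would show


def map_fields(dt_user, mapping):
    """Build the IDaaS-side attribute dict for one DingTalk record."""
    return {idaas_attr: dt_user.get(dt_attr) for idaas_attr, dt_attr in mapping.items()}


def validate(attrs):
    """Reject a mapped record that would produce an unusable account."""
    if not attrs.get("username"):
        raise ValueError("username is empty after mapping")
    if attrs.get("email") and not EMAIL_RE.match(attrs["email"]):
        raise ValueError(f"invalid email {attrs['email']!r}")


def sync_inbound(dt_users, accounts, mapping=FIELD_MAPPING, match_key=MATCH_KEY):
    """One inbound reconciliation pass over `accounts` (a list of IDaaS account dicts,
    mutated in place). Each DingTalk record is handled independently, so one bad
    record is recorded as a failure and does not stop the others."""
    idaas_field, dt_field = match_key
    result = SyncResult()
    # Index existing accounts by the match key so lookups are O(1).
    index = {a[idaas_field]: a for a in accounts if a.get(idaas_field)}
    for dt_user in dt_users:
        uid = dt_user.get("userid", "<unknown>")
        try:
            key = dt_user.get(dt_field)
            if not key:
                raise ValueError(f"match field {dt_field!r} is empty")
            attrs = map_fields(dt_user, mapping)
            validate(attrs)
            existing = index.get(key)
            if existing is not None:
                existing.update(attrs)          # overwrite-and-update the matched account
                existing["external_id"] = uid
                result.updated.append(uid)
            else:
                account = dict(attrs, external_id=uid)
                accounts.append(account)        # no match: create a new account
                index[key] = account
                result.created.append(uid)
        except ValueError as exc:
            result.failed.append((uid, str(exc)))  # isolated failure, others continue
    return result


def demo():
    """Run the pass against one pre-existing account (constructed) and return both
    the result summary and the final account list."""
    accounts = [{"username": "alice-old", "phone": "13800000001", "email": "alice@example.com"}]
    result = sync_inbound(DINGTALK_USERS, accounts)
    return result, accounts


if __name__ == "__main__":
    res, accts = demo()
    print("created:", res.created)
    print("updated:", res.updated)
    print("failed:", res.failed)
```

Running `demo()` shows the three outcomes the page describes: Alice's existing account is matched on the mobile number and overwritten (her username becomes the mapped email), Bob is created, and Carol (no mobile number to match on) and Dave (malformed email) land in the failure list without affecting the other two. Matching on the mobile number is only as reliable as that field's population; the page's advice to run a full sync first, and its warning that accounts may arrive without mobile numbers, both follow from this.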