
Identity as a Service: Connect to DingTalk - Outbound

Last Updated: Feb 27, 2026

This topic describes how to connect Alibaba Cloud IDaaS to DingTalk for outbound data synchronization. The process includes creating an application, assigning permissions, selecting a synchronization scenario, and configuring field mapping to ensure seamless integration.

Quickly connect to DingTalk

In the Quick Start or Identity Provider menu, click Outbound > Bind DingTalk to start the Quick Bind DingTalk - Outbound flow.

Step 1: Create an application

  1. Enter basic information.

    1. Display Name: This name may be visible to users when they log on to or use IDaaS.

    2. CorpId: Obtain this from the DingTalk Open Platform homepage.

  2. Enter application information.

    1. On the DingTalk Open Platform - Internal Enterprise Development page, click Create Application.

    2. From the Credentials and Basic Information section, retrieve the AppKey and AppSecret.

  3. Developer Information

    Enter the following information in DingTalk:

    1. Callback Domain Name: Enter this in the Development Configuration > Sharing Settings section of the application details. This domain is required to log on to IDaaS by scanning a DingTalk QR code. If you do not provide a domain, this logon method is disabled.

    2. Application Homepage URL: Enter this in the Security Setting > In-App SSO Address section of the application details. After this URL is configured, users can click the application in the DingTalk console and use single sign-on to access the IDaaS application portal. You can manage the application's visibility in Version Management and Publishing.

    3. Egress IP: To allow only IDaaS to send requests to this DingTalk application, enter the Outbound IP Address in the Security Setting section of the DingTalk application page.

Step 2: Assign permissions

  1. Assign permissions in the current DingTalk application. Click Permission Management. In Personal Permissions, Address Book Management, and Application Management, select all permissions and click Batch Request. For the permission scope, select All Employees.

  2. After granting the permissions, click Next in IDaaS. IDaaS verifies whether the application has permission to manage the DingTalk address book. If the verification passes, the configuration is complete.

Step 3: Select a scenario

Feature descriptions

  • Synchronization Direction: Account and organization data from the selected IDaaS source is imported into DingTalk under the specified node. For the target node, enter the DingTalk department ID. You can find this ID by editing a department in the DingTalk Admin Backend. The default ID for the root department in DingTalk is 1.

  • Incremental Synchronization: When enabled, any changes to IDaaS account or organization data are synchronized to the DingTalk address book in real time. For accounts exported to DingTalk, IDaaS matches them with DingTalk users based on the Mapping Identity in Field Mapping. You can customize the matching rules in the field mapping settings. If a match is found, the existing user is updated. Otherwise, a new account is created.

  • DingTalk QR Code Logon: If you select this option, a DingTalk QR Code Logon method is added and enabled in the Logon menu. Users can then log on by scanning the QR code.

Warning

Test the configuration with a small amount of data or in a non-production environment. After you verify the configuration, expand the node scope. This prevents incorrect configurations from affecting your data in DingTalk.

Step 4: Field mapping

If you have historical data in DingTalk, you must configure field mapping to link IDaaS accounts and organizations with DingTalk users and departments. You can also configure field mapping to use data from IDaaS accounts for DingTalk users. For example, you can use the IDaaS display name as the user's name in DingTalk.

Important

When logging on to DingTalk Enterprise with an IDaaS account, ensure that the DingTalk user's userid matches the IDaaS account's userid.
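
A dry-run check for the matching behavior described under Incremental Synchronization and for the historical-data case above, as an added example that is not Alibaba Cloud or DingTalk code: it predicts which IDaaS accounts would update an existing DingTalk user, which would create a new one, and which need review before a full synchronization. The record keys, the exact-match rule, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; the keys "name", "userid" and "mobile" are assumed field identities.
IDAAS = [
    {"name": "Alice", "userid": "u1001", "mobile": "13800000001"},
    {"name": "Bob", "userid": "u1002", "mobile": "13800000002"},
    {"name": "Carol", "userid": "", "mobile": "13800000003"},
    {"name": "Dave", "userid": "u1004", "mobile": "13800000002"},
]
DINGTALK = [
    {"userid": "u1001", "name": "Alice", "mobile": "13800000001"},
    {"userid": "legacy-7", "name": "Bob", "mobile": "13800000002"},
]

def plan_sync(idaas_accounts, dingtalk_users, mapping_identity="userid"):
    """Predict update-or-create per IDaaS account for one mapping identity.
    Assumption: a match is an exact comparison of the trimmed field value;
    the real IDaaS matching rules may differ.
    """
    def key(record):
        value = str(record.get(mapping_identity) or "").strip()
        return value or None

    index = defaultdict(list)  # mapping identity -> existing DingTalk users
    for user in dingtalk_users:
        if key(user):
            index[key(user)].append(user)

    plan = {"update": [], "create": [], "review": []}
    seen = set()
    for account in idaas_accounts:
        k, name = key(account), account.get("name", "<unnamed>")
        matches = index.get(k, [])
        if k is None:
            plan["review"].append((name, "mapping identity is empty"))
        elif k in seen:
            plan["review"].append((name, f"duplicate identity {k!r} in IDaaS"))
        elif len(matches) > 1:
            plan["review"].append((name, f"{k!r} matches {len(matches)} DingTalk users"))
        elif matches:
            plan["update"].append((name, matches[0].get("userid")))
        else:
            plan["create"].append((name, k))
        seen.add(k)
    return plan

if __name__ == "__main__":
    for field in ("userid", "mobile"):
        print(field, plan_sync(IDAAS, DINGTALK, field))
```

With userid as the mapping identity, the sample Bob would be created as a second DingTalk user because the historical record carries a different userid. With mobile, Bob matches the existing user, but Dave is flagged because he shares Bob's number.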

  1. IDaaS supports custom values for DingTalk fields by default, including name, mobile number, mailbox, position, and employee ID. To use other fields, such as office location, click Add Field.

    • Field Name: This name is for display purposes only within IDaaS.

    • Field Identity: This must be the DingTalk field name and must be unique for the current identity provider. For example, in the figure above, the field identity for office location is work_place. For more information about DingTalk fields, see All fields for a DingTalk user and All fields for a DingTalk department.

    For more information about field mapping, see Field Mapping.

  2. If the field mapping configuration is correct, select Save and Sync. This action performs a full synchronization of the IDaaS data that you selected in the Select a scenario step to DingTalk. If you are unsure about the configuration, select Save Only. You can modify the mapping later in the Modify > Configure Field Mapping settings for this identity provider.

Important

Perform at least one full synchronization before you enable incremental synchronization. Otherwise, incremental synchronization might fail.