
Identity as a Service: Bind IDaaS to DingTalk - outbound

Last Updated: Nov 04, 2025

This topic describes how to bind DingTalk in the outbound direction in Alibaba Cloud IDaaS. The process covers key steps such as creating an application, assigning permissions, selecting scenarios, and mapping fields to help you achieve smooth integration and data synchronization between IDaaS and DingTalk.

Quick binding to DingTalk

In the Quick Start or Identity Provider menu, click Bind DingTalk > Outbound to start the quick binding process for DingTalk - Outbound.

Step 1: Create an application

  1. Enter basic information.

    1. Display name: The name that is displayed to a user when the user logs on to and uses IDaaS.

    2. CorpId: Obtain this from the DingTalk Open Platform - Homepage.

  2. Enter application information.

    1. In the DingTalk Open Platform - Internal Enterprise Development, click Create Application.

    2. Obtain the AppKey and AppSecret from Credentials and Basic Information.

  3. Development information.

    You also need to enter the following information in DingTalk:

    1. Callback domain name: Enter this in Development Settings > Sharing Settings of the application details. This field is used for DingTalk QR code login. If you do not fill in this field, you cannot use DingTalk QR code to log on to IDaaS.

    2. Application homepage URL: Enter this in Security Settings > In-app Login-free Address of the application details. After you configure this field, when users click this application in the DingTalk console (you can set the visibility range of the application in Version Management And Publishing), they can use single sign-on to access the IDaaS application portal.

    3. Outbound IP: If you want only IDaaS to be able to request this DingTalk application, fill in the Server Outbound IP in Security Settings of the DingTalk application page.

Step 2: Assign permissions

  1. Assign permissions in the current DingTalk application. Click Permission Management, select all permissions in both Address Book Management and Application Management, and then click Batch Request. For the permission scope, select All Employees.

  2. After the authorization is complete, click Next in IDaaS. IDaaS will check whether the application has DingTalk address book management permissions. If the check passes, the configuration is complete.

Step 3: Select a scenario

Capability description

  • Synchronization direction: The account/organization data from the selected IDaaS source will be imported under this node in DingTalk. For the target node, you need to enter the DingTalk department ID, which can be found when editing a department in the DingTalk Admin Console. The ID of the DingTalk root department is 1 by default.

  • Incremental synchronization: When enabled, changes to IDaaS account/organization data are synchronized to the DingTalk address book in real time. For accounts exported to DingTalk, IDaaS matches them with DingTalk users based on the Mapping Identity in Field Mapping (you can customize rules in field mapping). If the match is successful, the account is updated. Otherwise, a new account is created.

  • DingTalk QR code login: When selected, a DingTalk QR Code Login option will be created in the Login menu and will be enabled by default. Users can log on directly by scanning the QR code.

Warning

We recommend that you test the synchronization by using the data of a small number of accounts or in a non-production environment. This prevents the data of DingTalk from being affected by improper configuration.
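
The match-or-create rule described under Incremental synchronization can be rehearsed offline on a small set of accounts before anything is pushed. The following Python code is an added example, not Alibaba Cloud or DingTalk code: it assumes two constructed exports (lists of records), an exact comparison on the mapping identity (here userid), and a hypothetical plan_sync helper that reports which accounts would be updated, created, or need review.

```python
from collections import Counter

# Constructed sample exports; real data would come from your own IDaaS and DingTalk exports.
IDAAS_SAMPLE = [
    {"name": "Alice", "userid": "alice01"},
    {"name": "Bob", "userid": "Bob02"},    # differs from DingTalk only by case
    {"name": "Carol", "userid": ""},       # mapping identity missing
    {"name": "Dave", "userid": "dave04"},  # not present in DingTalk
]
DINGTALK_SAMPLE = [
    {"name": "Alice", "userid": "alice01"},
    {"name": "Bob", "userid": "bob02"},
]

def _loose(value):
    """Case- and whitespace-insensitive form, used only to spot near misses."""
    return value.strip().lower() if isinstance(value, str) else value

def plan_sync(idaas_accounts, dingtalk_users, mapping_identity="userid"):
    """Dry run: classify each IDaaS account as update, create or review.

    Assumption: matching is an exact comparison on the mapping identity field.
    """
    exact = Counter(u.get(mapping_identity) for u in dingtalk_users)
    loose = Counter(_loose(u.get(mapping_identity)) for u in dingtalk_users)
    source = Counter(a.get(mapping_identity) for a in idaas_accounts)
    plan = {"update": [], "create": [], "review": []}
    for acct in idaas_accounts:
        value = acct.get(mapping_identity)
        label = acct.get("name", "<unnamed>")
        if not value:
            plan["review"].append((label, "empty mapping identity"))
        elif source[value] > 1:
            plan["review"].append((label, "value repeated in IDaaS source"))
        elif exact[value] > 1:
            plan["review"].append((label, "matches several DingTalk users"))
        elif exact[value] == 1:
            plan["update"].append(label)       # existing DingTalk user is updated
        elif loose[_loose(value)]:
            plan["review"].append((label, "near match, would create a duplicate"))
        else:
            plan["create"].append(label)       # new DingTalk user is created
    return plan

if __name__ == "__main__":
    for action, items in plan_sync(IDAAS_SAMPLE, DINGTALK_SAMPLE).items():
        print(action, items)
```

Entries under review are the ones to resolve in Field Mapping or in the source data before selecting Save and Push.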

Step 4: Field mapping

If you already have existing data in DingTalk and need to bind IDaaS accounts/organizations with DingTalk users/departments, or if you want to use certain data from IDaaS accounts as data for DingTalk users, such as using the display name of an IDaaS account as the name of a DingTalk user, you need to configure field mapping in this step.

Important

When using an IDaaS account to log on to DingTalk Enterprise, ensure that the userid of the DingTalk user is the same as the userid of the IDaaS account.

  1. IDaaS supports customization of DingTalk fields such as name, phone number, email, position, and employee ID by default. If you need to use other fields (such as office location), you can Add Field.

    • Field name: Used only for display in IDaaS.

    • Field identifier: Must use the DingTalk field name and be unique within the current identity provider. In the example above, the field identifier for office location is work_place. For more DingTalk fields, see All DingTalk user fields and All DingTalk department fields.

    For more information about field mapping, see Field mapping.

  2. If you confirm that the field mapping configuration is accurate, you can select Save and Push. This will perform a full synchronization, synchronizing the IDaaS data selected in Select Scenario to DingTalk. If you are not sure whether the field mapping configuration is accurate, you can select Save Only and modify it later in Modify Settings > Field Mapping of the identity provider.

Important

Before you use the incremental synchronization feature, make sure that full data synchronization is performed at least once. Otherwise, incremental synchronization may fail.