Identity as a Service:Connect IDaaS to WeCom

Last Updated:Dec 05, 2025

This topic describes how to connect IDaaS to WeCom and the common operations that you can perform.

Overview

You can connect IDaaS to WeCom in four steps:

  1. Create an application: Create applications in the WeCom management console and the Alibaba Cloud IDaaS console, configure basic information, and set a trusted domain name and trusted IP address to meet the security requirements of WeCom.

  2. Assign permissions: Adjust the visibility scope of the WeCom application to determine the contact data (only departments and members) that IDaaS can access. The data is used as the source node for data synchronization.

  3. Select scenarios: Select features (such as contact synchronization, QR code logon, and web authorization logon) based on your requirements, and configure synchronization rules (such as scheduled full synchronization and field mapping logic) and logon methods.

  4. Configure field mappings: Map the fields of WeCom members or departments to the fields of IDaaS accounts or organizations to ensure data association and consistency.

Before you begin

For security reasons, when you call the API operations of WeCom for contact verification and identity authentication, WeCom verifies the domain name and IP address that you use. If the verification is successful, the domain name and IP address are trusted. A trusted IP address can be used by only one enterprise in WeCom. If the same trusted IP address is used by multiple enterprises, WeCom treats the IP address as a service provider address, and the API operations for contact verification and identity authentication become unavailable.

To meet the security requirements of WeCom, you must prepare the following items.

Verification item: Trusted domain name

Preparation: A dedicated domain name. The owner of the domain name must be the same as the verified entity of the WeCom account. We recommend that you use a custom domain name of an IDaaS EIAM instance. For more information, see Custom domain name.

Verification item: Trusted IP address

Preparation: The dedicated public outbound IP address of a dedicated endpoint is the trusted IP address in WeCom. At least one dedicated endpoint must be configured for an IDaaS EIAM instance. This way, the instance can access WeCom by using the dedicated public outbound IP address. For more information, see Configure a dedicated public outbound IP address in Endpoints.

Scenarios

After you connect IDaaS to WeCom, you can perform the following operations.

Category: Account

Capability:

  • Synchronize the non-sensitive data of WeCom contacts to IDaaS EIAM.

  • Synchronize the sensitive data, such as mobile phone numbers and email addresses, of WeCom contacts to IDaaS EIAM.

Category: Logon

Capability:

  • Scan a QR code by using WeCom to log on to IDaaS EIAM or an IDaaS EIAM application.

  • Initiate single sign-on (SSO) on the WeCom web page to log on to IDaaS EIAM or an IDaaS EIAM application.

Procedure

Step 1: Create an application

  1. Create an application in WeCom.

    1. Create an app in WeCom

      Log on to the WeCom management console and choose App Management > Apps > Create an app.

    2. Configure app information

      Upload an App Logo, enter an App Name and About this App (Optional), and select Allowed users based on your requirements. The Allowed users parameter determines the contact data that can be accessed when you use IDaaS EIAM for data synchronization and logon.

    3. View the created app

      Return to the app management page. You can view the created application in the Self-built section.

  2. Create an application in IDaaS.

    1. Start connecting IDaaS to WeCom in the Alibaba Cloud IDaaS console

      Log on to the Alibaba Cloud IDaaS console and select an IDaaS instance. In the IdPs menu, click Add Inbound > WeCom to start the connection process.

      Important

      If no dedicated endpoint is configured for the instance, you must configure a dedicated endpoint. For more information, see Add a dedicated endpoint.

    2. Enter basic information

      Enter a Display Name and Enterprise ID as required.

      • Display Name: The name that users can see when they log on to and use IDaaS EIAM.

      • Enterprise ID: Log on to the WeCom management console, choose My Company > Company Information, and obtain the Company ID.

    3. Enter application information

      Enter the AgentId and Secret of the application.

      1. In the WeCom management console, obtain the information from the self-built application in App Management > Apps.

      2. In the application details, click View in the Secret section.

      3. In the dialog box that appears, confirm that the Secret is to be sent. The Secret is then delivered to WeCom Team Messages, where you can view it as prompted.

    4. Enter development information

      Note

      The following example uses a custom domain name. If you select a custom domain name, you need to go to the IDaaS EIAM instance and select Branding > Custom Domain Name > Add Custom Domain Name to complete the custom domain name configuration.

      1. Trusted Domain Name.

        The Domain Name Type affects the WeCom features that you can use and the development information that is generated. The two types of domain names are described below.

        Self-provided domain name

          Functionality: You can synchronize non-sensitive data and use WeCom to scan a QR code for logon.

          Configuration: Specify a dedicated domain name as the trusted domain name. Make sure that the domain name belongs to the verified entity of the WeCom account and is not required by the workloads of IDaaS EIAM. The parameter values in the Development Information section, excluding the Trusted Domain Name parameter, are automatically provided by the system.

        Custom domain name

          Functionality: You can synchronize sensitive and non-sensitive data, use WeCom to scan a QR code for logon, and initiate SSO on the WeCom web page.

          Configuration: Select an available custom domain name. Make sure that the domain name belongs to the verified entity of the WeCom account. The domain name is used by all WeCom features and must be stable and available. The parameter values in the Development Information section are generated based on the custom domain name that you select.

        1. In the app details page of the WeCom management console, click Set Trusted Domain Name.

        2. Enter a trusted domain name for the OAuth 2.0 web authorization feature.

          Note

          WeCom requires that the trusted domain name belong to the verified entity of the WeCom account and that it contain neither the protocol nor a path.

        3. After the trusted domain name is verified, you must complete domain name ownership verification as prompted in WeCom.

      2. Enterprise Trusted IP. Click the drop-down list and select a dedicated network endpoint.

        1. Use the dedicated public outbound IP address of the network endpoint so that the IDaaS EIAM instance accesses WeCom from an IP address that you control. For more information, see Configure a dedicated public outbound IP address.

        2. In the configuration interface of IDaaS EIAM, select a network endpoint and view the Dedicated Outbound Public IP Address.

        3. In the dialog box that appears, view the public IP address that the IDaaS EIAM instance can use. Click Copy All IP Addresses.

        4. In the app of the WeCom management console, configure the copied IP address as the Enterprise Trusted IP.

        Important

        All WeCom APIs can be called by IDaaS EIAM by using the trusted IP address. If the trusted IP address is invalid, you cannot use features such as data synchronization from WeCom and WeCom-based QR code logon. The logic of verifying the trusted IP address in WeCom is not disclosed. To ensure that you can log on to IDaaS, you must also enable another logon method such as password and username authentication or SMS authentication.

      3. Authorization callback domain.

        1. In the Bind WeCom - Inbound page, copy the authorization callback domain.

        2. In the app in the WeCom management console, configure WeCom Authorization Logon.

        3. On the Web page, click Set to set the authorized callback domain. In the dialog box that appears, paste the domain that you copied.

          Note

          If you set the Domain Name Type parameter to Custom Domain Name, you must also specify a homepage URL for the application on the details page of the application. The homepage URL specifies the page to which you are redirected after you initiate SSO from the WeCom web page.

      After you complete the configurations, click Next.

Step 2: Grant permissions

In this step, follow the on-screen instructions to modify the Allowed users parameter. The Allowed users parameter specifies the contact data that you can access and you want to synchronize to IDaaS EIAM. You can select departments or members. Tags are not supported. When you synchronize data, the value that you specify is used as the data source node.

Step 3: Select scenarios

In this step, configure the features that you want to use.

Feature description

  • Synchronization Scope: After you select an IDaaS node, WeCom contacts are imported to the node.

  • Scheduled Verification: If you turn on Scheduled Verification, IDaaS automatically synchronizes the full data on the source node of WeCom every morning.

    • In the Field Mapping step, you can configure a mapping identifier that matches a field of an IDaaS account to a field of a WeCom user. For example, you can match the Username field of an IDaaS account to the userid field of a WeCom user. If the matching is successful and the WeCom user is updated, the IDaaS account is also updated from the WeCom user. If the matching fails, an IDaaS account is created by using the information about the WeCom user.

    • To synchronize the latest data, you must manually trigger full data synchronization.

    • IDaaS provides synchronization protection. When more than 30 accounts or more than 10 organizations need to be deleted, the synchronization task is automatically canceled to prevent data from being accidentally deleted. We recommend that you adjust the synchronization protection settings based on the size of your enterprise.

  • Sign-In with QR Code: If you turn on Sign-In with QR Code, the QR Code (WeCom) option is provided and enabled on the logon page of IDaaS. This way, users can scan a QR code by using WeCom to log on to IDaaS.

  • Logon on Web Page: If you set the Domain Name Type parameter to Custom Domain Name, this switch is automatically turned on. You can initiate SSO from the WeCom web page to IDaaS EIAM or an IDaaS application and grant permissions to synchronize sensitive data.

Note

Before you can access sensitive data, you must manually authorize the request in IDaaS EIAM. When you initiate SSO from the WeCom web page, a page appears that prompts you to complete the authorization. After the authorization is complete, the mobile phone number and email address of the WeCom account are used in the IDaaS EIAM account. If no email address of the WeCom account exists, you can specify a personal email address.
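The following Python model illustrates the scheduled verification behaviour and the synchronization protection described in the Feature description above (match on the mapping identifier, update or create, and cancel the run when too many deletions would result). It is an added example, not IDaaS code: the in-memory data shapes, the function names and the treatment of organizations are assumptions, the sample data is constructed, and the default thresholds are the ones this page states (30 accounts, 10 organizations).

```python
"""Illustrative model of IDaaS scheduled verification with field mapping and
synchronization protection. Added example; not IDaaS code. Data shapes,
function names and org handling are assumptions made for the illustration."""
from dataclasses import dataclass, field

MAX_ACCOUNT_DELETIONS = 30   # default synchronization protection thresholds
MAX_ORG_DELETIONS = 10       # stated on this page; adjustable in the console


@dataclass
class SyncPlan:
    created: list = field(default_factory=list)           # new IDaaS accounts
    updated: list = field(default_factory=list)           # (username, changed fields)
    deleted_accounts: list = field(default_factory=list)  # usernames to remove
    deleted_orgs: list = field(default_factory=list)      # org ids to remove
    cancelled: bool = False
    reason: str = ""


def plan_full_sync(wecom_users, wecom_departments, idaas_accounts, idaas_orgs,
                   field_map, match_key=("username", "userid"),
                   max_account_deletions=MAX_ACCOUNT_DELETIONS,
                   max_org_deletions=MAX_ORG_DELETIONS):
    """Compute what a full synchronization would do, without applying it.

    idaas_accounts: {username: {field: value}} for accounts under the sync node.
    idaas_orgs: external department ids of organizations under the sync node.
    field_map: {idaas_field: wecom_field} as set in the Field Mapping step.
    match_key: (idaas_field, wecom_field) used as the mapping identifier.
    """
    idaas_field, wecom_field = match_key
    plan = SyncPlan()
    seen = set()
    for user in wecom_users:
        key = user[wecom_field]
        seen.add(key)
        desired = {f: user.get(w) for f, w in field_map.items()}
        desired[idaas_field] = key
        current = idaas_accounts.get(key)
        if current is None:
            plan.created.append(desired)             # no match: create from WeCom data
        else:
            changes = {f: v for f, v in desired.items() if current.get(f) != v}
            if changes:
                plan.updated.append((key, changes))  # match: update from WeCom data
    # Anything under the sync node that the source no longer contains would be removed.
    plan.deleted_accounts = sorted(k for k in idaas_accounts if k not in seen)
    dept_ids = {d["id"] for d in wecom_departments}
    plan.deleted_orgs = sorted(o for o in idaas_orgs if o not in dept_ids)
    # Synchronization protection: cancel the whole run instead of mass-deleting.
    if len(plan.deleted_accounts) > max_account_deletions:
        plan.cancelled = True
        plan.reason = (f"{len(plan.deleted_accounts)} account deletions exceed "
                       f"the limit of {max_account_deletions}")
    elif len(plan.deleted_orgs) > max_org_deletions:
        plan.cancelled = True
        plan.reason = (f"{len(plan.deleted_orgs)} organization deletions exceed "
                       f"the limit of {max_org_deletions}")
    return plan


def sample_plan():
    """Run the planner on constructed sample data (not real contact data)."""
    wecom_users = [
        {"userid": "zhangsan", "name": "Zhang San"},   # matches an existing account
        {"userid": "lisi", "name": "Li Si"},           # no match: will be created
    ]
    wecom_departments = [{"id": 1, "name": "R&D"}]
    idaas_accounts = {
        "zhangsan": {"username": "zhangsan", "display_name": "Zhang S."},
        "wangwu": {"username": "wangwu", "display_name": "Wang Wu"},  # gone from WeCom
    }
    idaas_orgs = [1, 2]                                # org 2 no longer exists in WeCom
    return plan_full_sync(wecom_users, wecom_departments, idaas_accounts, idaas_orgs,
                          field_map={"display_name": "name"})


if __name__ == "__main__":
    p = sample_plan()
    print("created:", p.created)
    print("updated:", p.updated)
    print("deleted accounts:", p.deleted_accounts, "deleted orgs:", p.deleted_orgs)
    print("cancelled:", p.cancelled, p.reason)
```

The model also shows why the note under Step 4 warns against changing userid: because the mapping identifier is the only link, a renamed userid is seen as one account that disappeared and a new one that appeared, so the planner deletes the old account and creates a new one rather than updating it. Running the planner before applying a sync, as this example does, is the point at which the deletion thresholds protect you.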

Step 4: Configure field mappings

If you already have accounts or organizations in IDaaS and you want to map them to the WeCom users or departments, or if you want to use specific fields of an IDaaS account as the fields of a WeCom user, you must configure field mappings. For example, if you want to use the display name of an IDaaS account as the name of a WeCom user, you must configure a field mapping.

Note

If the userid field in WeCom is automatically generated, the field can be modified once. The userid field is the primary key used by IDaaS to identify users. If you modify the field, the corresponding IDaaS account is deleted, and another IDaaS account is created. Do not modify the field unless necessary.

Important

To safeguard enterprise and member data privacy, WeCom is updating its API policy. Effective June 20, 2022, at 20:00, API calls will no longer return the following sensitive fields (with the exception of Contact Sync): Avatar, Gender, Mobile, Email, Enterprise Email, Individual QR Code, and Address. If your application requires access to this information, you must utilize the WeCom OAuth 2.0 mechanism to guide Admins and Members to explicitly grant the necessary permissions.

Manage the WeCom identity provider

After you connect IDaaS to WeCom, you are redirected to the IdPs page. You can manage different features that are used to interact with identity providers (IdPs) on the IdPs page.

Usage notes

Notes on QR code logon

When you use QR code-based logon by using WeCom, you are redirected to the address specified by the Authorized Callback Domain parameter. Specifically, if you want to use WeCom to scan a QR code to log on to IDaaS EIAM or an IDaaS EIAM application, you must ensure consistency between the domain name of the IDaaS EIAM logon page, the value of the Authorized Callback Domain parameter for the WeCom IdP in IDaaS, and the authorized callback domain name in WeCom.

Therefore, if you want to log on to IDaaS EIAM by using a custom domain name, we recommend that you set the custom domain name as the default domain name, enable the automatic redirect feature, and set the authorized callback domain name in IDaaS EIAM and WeCom to the custom domain name. For more information, see Custom domain name.
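The checks below put the configuration constraints from Step 1 (a trusted domain name with no protocol or path; every dedicated outbound IP address listed as an Enterprise Trusted IP) and from the QR code logon notes above (the logon page domain, the IDaaS Authorized Callback Domain and the WeCom authorized callback domain must all agree) into a pre-flight script. This is an added example, not part of IDaaS or WeCom; the function names are my own, the hostname rule is a conventional DNS label check rather than WeCom's undisclosed validation logic, and all sample domains and IP addresses are constructed.

```python
"""Pre-flight checks for WeCom development information. Added example;
not IDaaS or WeCom code. Function names and the hostname rule are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Conventional DNS hostname check (labels of 1-63 chars, total <= 253). This is
# an assumption for the example; WeCom's own validation rules are not published.
_HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def trusted_domain_problems(value: str) -> list:
    """Reasons a candidate Trusted Domain Name would be rejected (empty list = OK)."""
    problems = []
    v = value.strip()
    if _SCHEME_RE.match(v):
        problems.append("contains a protocol; enter a bare domain name")
    stripped = _SCHEME_RE.sub("", v)
    if "/" in stripped or "?" in stripped or "#" in stripped:
        problems.append("contains a path or query; enter a bare domain name")
    host = re.split(r"[/?#]", stripped, maxsplit=1)[0]
    if not _HOST_RE.match(host.lower()):
        problems.append(f"{host!r} is not a valid hostname")
    return problems


def missing_trusted_ips(endpoint_outbound_ips, wecom_trusted_ips) -> list:
    """Dedicated outbound IPs of the endpoint that WeCom has not been told to trust.

    If this list is non-empty, synchronization and QR code logon can fail once
    IDaaS calls WeCom from one of the missing addresses.
    """
    trusted = {ipaddress.ip_address(ip.strip()) for ip in wecom_trusted_ips}
    return sorted(ip for ip in endpoint_outbound_ips
                  if ipaddress.ip_address(ip.strip()) not in trusted)


def callback_domain_consistent(login_page_url, idaas_callback_domain,
                               wecom_callback_domain) -> bool:
    """True when the logon page host, the IDaaS Authorized Callback Domain and the
    WeCom authorized callback domain are the same host (case-insensitive)."""
    login_host = urlsplit(login_page_url).hostname
    if login_host is None:
        return False
    return (login_host.lower() == idaas_callback_domain.strip().lower()
            == wecom_callback_domain.strip().lower())


if __name__ == "__main__":
    # Constructed sample values; replace with the values from your consoles.
    print(trusted_domain_problems("idaas.example.com"))             # []
    print(trusted_domain_problems("https://idaas.example.com/login"))
    print(missing_trusted_ips(["203.0.113.10", "203.0.113.11"], ["203.0.113.10"]))
    print(callback_domain_consistent("https://idaas.example.com/login",
                                     "idaas.example.com", "idaas.example.com"))
```

Run it after copying the outbound IP addresses from the endpoint dialog and the callback domain from the Bind WeCom - Inbound page; a non-empty result from either of the first two functions, or False from the third, points at the same symptom the page describes (synchronization or QR code logon silently failing), which is why the page also tells you to keep a second logon method enabled.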

Notes on sensitive data synchronization

Before you can access sensitive data, you must manually authorize the request in IDaaS EIAM. When you initiate SSO from the WeCom web page, a page appears that prompts you to complete the authorization. After the authorization is complete, the mobile phone number and email address of the WeCom account are used in the IDaaS EIAM account. If no email address of the WeCom account exists, you can specify a personal email address.

If you access the WeCom application within 30 days, no authorization operations are required. If you want to modify the authorization of sensitive data within 30 days, access the WeCom application that you created in Step 1 and open the details page of the application.

In addition to manual authorization, the administrator must perform the following steps: Go to the WeCom Admin Console and click My Company in the upper-right corner. In the left-side navigation pane, click Contacts Management. In the Member Info Display section of the page that appears, check whether the display of sensitive data such as the mobile phone number and email address is configured. Only sensitive data on which you have access permissions and is configured to be displayed by the administrator can be synchronized to IDaaS EIAM.

Reserve other logon methods

Important

Alibaba Cloud IDaaS makes every effort to ensure the availability of data synchronization and identity authentication for your WeCom contacts. However, due to the lack of publicly disclosed details regarding the verification methods such as trusted domain names and trusted IP address in WeCom, and the risk management policies, Alibaba Cloud cannot guarantee that you can consistently and reliably log on to IDaaS by using your WeCom account.

To mitigate the risk of being unable to access IDaaS when WeCom is unavailable, you must also enable other logon methods such as the username and password and SMS code logon methods. If you cannot log on to IDaaS by using a WeCom account and have not enabled another logon method, you shall assume all liabilities for losses.

For more information about other logon methods, see General settings.