
Identity as a Service: Bind IDaaS to WeCom

Last Updated: Mar 31, 2026

Connect IDaaS EIAM to WeCom to synchronize your organization's contacts and enable single sign-on (SSO) for employees using WeCom.

Overview

Connecting IDaaS to WeCom involves four steps:

  1. Create applications — Set up apps in both the WeCom management console and the Alibaba Cloud IDaaS console. Configure a trusted domain name and trusted IP address to meet WeCom's security requirements.

  2. Grant permissions — Set the visibility scope of the WeCom application to define which contacts (departments and members) IDaaS can access. This scope becomes the data source node for synchronization.

  3. Select scenarios — Choose the features to enable: contact synchronization, QR code logon, or web authorization logon. Configure synchronization rules and logon methods.

  4. Configure field mappings — Map WeCom member or department fields to IDaaS account or organization fields to maintain data consistency.

Prerequisites

Before you begin, ensure that you have:

  • A trusted domain name dedicated to this integration. The domain owner must match the verified entity of the WeCom account. We recommend that you use a custom domain name configured in your IDaaS EIAM instance.

  • A dedicated endpoint configured for your IDaaS EIAM instance. The dedicated public outbound IP address of this endpoint is registered as the trusted IP address in WeCom. At least one dedicated endpoint is required. For setup instructions, see Configure a dedicated public egress IP address.

Important

A trusted IP address can be registered to only one enterprise in WeCom. If the same IP address is used by multiple enterprises, WeCom treats it as a service provider IP, and API calls for contact verification and identity authentication stop working.

Use cases

After connecting IDaaS to WeCom, the following capabilities are available:

  • Account: Synchronize non-sensitive WeCom contact data to IDaaS EIAM.

  • Account: Synchronize sensitive data (mobile phone numbers, email addresses) of WeCom contacts to IDaaS EIAM.

  • Logon: Scan a QR code with WeCom to log on to IDaaS EIAM or an IDaaS EIAM application.

  • Logon: Initiate SSO from the WeCom web page to log on to IDaaS EIAM or an IDaaS EIAM application.

Step 1: Create an application

1.1 Create an app in WeCom

  1. Log on to the WeCom management console.

  2. Go to App Management > Apps and click Create an app.

  3. Configure the app information.

    Upload an App Logo, enter an App Name and About this App (Optional), and select Allowed users.

  4. View the created app

    Return to the app management page. The new application appears in the Self-built section.

1.2 Create an application in IDaaS

Start the connection

  1. Log on to the Alibaba Cloud IDaaS console and select an IDaaS EIAM instance.

  2. In the Alibaba Cloud IDaaS console, open the IdPs menu and click Add Inbound > WeCom.

Important

If no dedicated endpoint is configured for this instance, add one before continuing. See Add a dedicated endpoint.

Enter basic information

  • Display Name: The name users see on the IDaaS EIAM logon page. Choose any recognizable name.

  • Enterprise ID: Your WeCom enterprise identifier. Find it in the WeCom management console under My Company > Company Information > Company ID.

Enter application information

Provide the AgentId and Secret of the WeCom app:

  • AgentId: The AgentId of the WeCom app. Find it in the WeCom management console under App Management > Apps, then select your app.

  • Secret: The Secret of the WeCom app. In the app details, click View to display it.

Configure development information

Choose a domain name type

The domain name type determines which WeCom features are available:

  • Self-provided domain name

    • Available features: non-sensitive data synchronization; WeCom QR code logon.

    • Configuration: Specify a dedicated domain name as the trusted domain name. The domain must belong to the verified entity of the WeCom account and must not conflict with IDaaS EIAM workloads. Other development information values are populated automatically.

  • Custom domain name (recommended)

    • Available features: sensitive and non-sensitive data synchronization; WeCom QR code logon; SSO from the WeCom web page.

    • Configuration: Select an available custom domain name. The domain must belong to the verified entity of the WeCom account and must remain stable and available. All development information values are generated from this domain name.

Note

To use a custom domain name, configure it first in your IDaaS EIAM instance under Branding > Custom Domain Name > Add Custom Domain Name.

Configure the trusted domain name

  1. In the WeCom management console, open your app's details page and click Set Trusted Domain Name.

  2. Enter the trusted domain name for OAuth 2.0 web authorization.

    Note

    The domain must belong to the verified entity of WeCom and must not include the protocol prefix or path (for example, enter example.com, not https://example.com/path).

  3. Complete the domain ownership verification as prompted by WeCom.

Configure the trusted IP address

  1. In the IDaaS EIAM configuration interface, click the Enterprise Trusted IP dropdown and select a dedicated endpoint.

  2. Copy the Dedicated Outbound Public IP Address that is displayed.

  3. In the WeCom management console, open your app and configure the copied IP addresses as the Enterprise Trusted IP.

Important

All WeCom API calls from IDaaS EIAM use this trusted IP address. If the IP address is invalid, data synchronization and QR code logon stop working. Because WeCom's IP address verification logic is not publicly documented, always enable a fallback logon method such as username/password or SMS authentication.

Configure the authorization callback domain

  1. In the IDaaS EIAM Bind WeCom - Inbound

  2. In the WeCom management console, open your app and go to WeCom Authorization Logon.

  3. Click Set to authorize the callback domain, then paste the domain you copied.

Note

If you selected Custom Domain Name, also specify a homepage URL on the app's details page. This URL is the redirect destination after users initiate SSO from the WeCom web page.

Click Next to proceed.

Step 2: Grant permissions

Follow the on-screen instructions to set the Allowed users parameter for the WeCom application. This setting controls which contact data (departments or members) IDaaS EIAM can access and synchronize. Tags are not supported. The selected scope becomes the data source node for all synchronization tasks.

Step 3: Select scenarios

Configure the features to enable:

Contact synchronization

  • Synchronization Scope: Select an IDaaS node. WeCom contacts are imported into this node.

  • Scheduled Verification: When enabled, IDaaS automatically runs a full data synchronization every morning against the WeCom source node.

    • To match existing IDaaS accounts to WeCom users, configure a field mapping identifier. For example, map the IDaaS Username field to the WeCom userid field. If a match is found and the WeCom user is updated, the corresponding IDaaS account is also updated. If no match is found, a new IDaaS account is created.

    • To synchronize the latest data immediately, trigger a full data synchronization manually.

    • IDaaS enforces synchronization protection: if a single sync would delete more than 30 accounts or more than 10 organizations, the task is automatically canceled. Adjust this threshold based on your organization's size.

Sign-In with QR Code

When enabled, the QR Code (WeCom) option appears on the IDaaS EIAM logon page, allowing users to scan a QR code with WeCom to log on.

Logon on web page

If you selected Custom Domain Name in step 1.2, this option is automatically enabled. Users can initiate SSO from the WeCom web page to access IDaaS EIAM or an IDaaS EIAM application, and grant access to sensitive data.

Note

Sensitive data access requires manual authorization in IDaaS EIAM. When a user initiates SSO from the WeCom web page, an authorization prompt appears. After the user authorizes, the WeCom account's mobile phone number and email address are synced to IDaaS EIAM. If no WeCom email address exists, the user can provide a personal email address.

Step 4: Configure field mappings

If existing IDaaS accounts or organizations need to map to WeCom users or departments — or if you want specific IDaaS account fields to correspond to WeCom user fields — configure field mappings in this step.

Note

The userid field in WeCom is the primary key IDaaS uses to identify users. It can be modified only once. Modifying it deletes the existing IDaaS account and creates a new one. Avoid modifying this field unless necessary.
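The matching, update and protection rules described under Contact synchronization in Step 3, and the effect of changing the userid primary key noted above, can be checked offline with a small sync planner. The following Python is an added example written for this page; it is not IDaaS code and does not call the WeCom or IDaaS APIs. The field mappings (userid to username, name to displayName, department id to externalId), the function names and the sample records are constructed for the example; only the deletion thresholds come from the page.

```python
from dataclasses import dataclass, field

# Protection thresholds stated in Step 3: a single sync that would delete more
# than 30 accounts or more than 10 organizations is canceled.
MAX_ACCOUNT_DELETES = 30
MAX_ORG_DELETES = 10

# Field mappings chosen for this example (hypothetical): WeCom field -> IDaaS field.
# The pair passed as key_pair below is the identifier mapping used to match records.
ACCOUNT_FIELD_MAP = {"userid": "username", "name": "displayName"}
ORG_FIELD_MAP = {"id": "externalId", "name": "name"}


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)
    update: list = field(default_factory=list)
    delete: list = field(default_factory=list)
    canceled: bool = False
    reason: str = ""


def plan_sync(source, existing, field_map, key_pair, max_deletes):
    """Diff WeCom records (source) against IDaaS records (existing).

    key_pair is (wecom_key, idaas_key). A source record whose key matches an
    existing record updates it if any mapped field differs; an unmatched source
    record is created; an existing record absent from the source is deleted.
    The whole plan is canceled when deletions exceed max_deletes.
    """
    src_key, dst_key = key_pair
    existing_by_key = {rec[dst_key]: rec for rec in existing}
    plan = SyncPlan()
    seen = set()
    for rec in source:
        key = rec[src_key]
        seen.add(key)
        mapped = {dst: rec.get(src) for src, dst in field_map.items()}
        current = existing_by_key.get(key)
        if current is None:
            plan.create.append(mapped)
        elif any(current.get(f) != v for f, v in mapped.items()):
            plan.update.append(mapped)
    plan.delete = [rec for key, rec in existing_by_key.items() if key not in seen]
    if len(plan.delete) > max_deletes:
        plan.canceled = True
        plan.reason = (f"{len(plan.delete)} deletions exceed the protection "
                       f"threshold of {max_deletes}; run canceled")
    return plan


def plan_account_sync(wecom_members, idaas_accounts):
    """Accounts are matched on WeCom userid -> IDaaS username."""
    return plan_sync(wecom_members, idaas_accounts, ACCOUNT_FIELD_MAP,
                     ("userid", "username"), MAX_ACCOUNT_DELETES)


def plan_org_sync(wecom_departments, idaas_orgs):
    """Organizations are matched on WeCom department id -> IDaaS externalId."""
    return plan_sync(wecom_departments, idaas_orgs, ORG_FIELD_MAP,
                     ("id", "externalId"), MAX_ORG_DELETES)


# Constructed sample data, not real WeCom or IDaaS output.
WECOM_MEMBERS = [
    {"userid": "zhangsan", "name": "Zhang San"},   # not yet in IDaaS
    {"userid": "lisi", "name": "Li Si"},           # unchanged
    {"userid": "wangwu2", "name": "Wang Wu"},      # userid changed from "wangwu"
]
IDAAS_ACCOUNTS = [
    {"username": "lisi", "displayName": "Li Si"},
    {"username": "wangwu", "displayName": "Wang Wu"},
]

if __name__ == "__main__":
    plan = plan_account_sync(WECOM_MEMBERS, IDAAS_ACCOUNTS)
    # The renamed userid shows up as one delete plus one create, which is the
    # "deletes the existing account and creates a new one" behaviour in the note.
    print("create:", [a["username"] for a in plan.create])
    print("update:", [a["username"] for a in plan.update])
    print("delete:", [a["username"] for a in plan.delete])
    print("canceled:", plan.canceled, plan.reason)
```

Running the sample shows why the userid note matters: the member whose userid changed from wangwu to wangwu2 is not recognised as the same person, so the plan deletes the old account and creates a new one. The threshold check is applied to the whole plan before anything is executed, which is the point of the protection rule: a source-side mistake such as an emptied visibility scope is caught as a burst of deletions rather than applied.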

Important

Effective June 20, 2022, at 20:00, WeCom API calls no longer return the following sensitive fields unless Contact Sync is used: Avatar, Gender, Mobile, Email, Enterprise Email, Individual QR Code, and Address. To access this data, use the WeCom OAuth 2.0 mechanism to guide admins and members to grant the required permissions explicitly.

Manage the WeCom identity provider

After connecting IDaaS to WeCom, you are redirected to the IdPs page. Use this page to manage features and settings for all identity providers (IdPs) connected to your IDaaS instance.

Usage notes

QR code logon requirements

For QR code logon to work, these three values must match exactly:

  • The domain name of the IDaaS EIAM logon page

  • The Authorized Callback Domain value configured in the WeCom IdP settings in IDaaS

  • The authorized callback domain name configured in WeCom

To log on to IDaaS EIAM using a custom domain name, set the custom domain name as the default domain, enable automatic redirect, and configure the authorized callback domain in both IDaaS EIAM and WeCom to the same custom domain name. See Custom domain names.
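Before entering values in the two consoles, it is worth checking them the way WeCom will: the trusted domain name rule from step 1.2 (a bare domain, no protocol prefix or path) and the requirement above that the logon page domain, the IDaaS Authorized Callback Domain and the WeCom authorized callback domain match exactly. The following Python is an added example for this page, not IDaaS or WeCom code; the function names, the entry labels and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_trusted_domain(value: str):
    """Check a value meant for WeCom's trusted/authorized domain fields.

    Returns (True, normalized_domain) or (False, reason). WeCom expects a bare
    domain name: no scheme, path, port, query or fragment.
    """
    v = value.strip()
    if not v:
        return False, "empty value"
    if "://" in v:
        return False, "must not include a protocol prefix (enter example.com, not https://example.com)"
    if "/" in v:
        return False, "must not include a path"
    if ":" in v:
        return False, "must not include a port"
    if re.search(r"[\s?#@]", v):
        return False, "contains characters that are not valid in a domain name"
    host = v.rstrip(".").lower()
    if len(host) > 253:
        return False, "domain name longer than 253 characters"
    labels = host.split(".")
    if len(labels) < 2:
        return False, "must be a full domain name such as example.com, not a single label"
    for label in labels:
        if not _LABEL.match(label):
            return False, f"invalid label {label!r}"
    return True, host


def host_of(value: str) -> str:
    """Return the lower-cased host of a URL, or the value itself if it is a bare domain."""
    v = value.strip()
    if "://" in v:
        return (urlsplit(v).hostname or "").rstrip(".")
    return v.lower().rstrip(".")


def check_qr_logon_domains(logon_page_url, idaas_callback_domain, wecom_callback_domain):
    """Verify the three values the usage notes say must match exactly.

    Returns (ok, problems). problems lists each value that fails the bare-domain
    rule and, if the valid values still differ, a mismatch message.
    """
    problems = []
    entries = {
        "IDaaS EIAM logon page": host_of(logon_page_url),
        "IDaaS WeCom IdP Authorized Callback Domain": idaas_callback_domain,
        "WeCom authorized callback domain": wecom_callback_domain,
    }
    normalized = {}
    for name, raw in entries.items():
        ok, result = validate_trusted_domain(raw)
        if ok:
            normalized[name] = result
        else:
            problems.append(f"{name}: {result}")
    if len(set(normalized.values())) > 1:
        problems.append("mismatch: " + ", ".join(f"{n}={v}" for n, v in normalized.items()))
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample values.
    for args in [
        ("https://sso.example.com/login", "sso.example.com", "SSO.example.com."),
        ("https://sso.example.com/login", "https://sso.example.com", "login.example.com"),
    ]:
        ok, problems = check_qr_logon_domains(*args)
        print(ok, problems)
```

The first sample passes because case and a trailing dot are not significant in DNS names, so the three entries are the same domain. The second fails twice: the IDaaS entry carries a protocol prefix, which WeCom rejects, and the two callback domains point at different hosts, which would leave QR code logon broken even though each console accepted its own value.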

Sensitive data synchronization

Sensitive data access requires manual authorization through WeCom web page SSO. Authorization remains valid for 30 days. If users access the WeCom application within that period, no re-authorization is needed. To modify sensitive data authorization within the 30-day window, open the WeCom application created in step 1.1 and navigate to its details page.

The administrator must also verify the display settings for sensitive data. In the WeCom Admin Console, go to My Company > Contacts Management > Member Info Display and confirm that mobile phone numbers and email addresses are configured for display. Only sensitive data that has been granted access and is configured for display by the administrator can be synchronized to IDaaS EIAM.

Keep a fallback logon method enabled

Important

Because WeCom's verification mechanisms for trusted domain names and trusted IP addresses are not publicly documented, Alibaba Cloud cannot guarantee that WeCom-based logon is consistently available. Enable at least one additional logon method — such as username/password or SMS code — to maintain access to IDaaS if WeCom authentication becomes unavailable. If you cannot log on to IDaaS by using a WeCom account and do not enable another logon method, you shall assume all liabilities for losses.

For information on enabling other logon methods, see General settings.