
Identity as a Service: Connect to Feishu

Last Updated: Sep 11, 2025

This topic describes how to connect Feishu to IDaaS as an identity provider and the scenarios this enables.

Process overview

You can connect Feishu to IDaaS in four steps:

  1. Application permission configuration: In the Feishu Open Platform, configure the required permissions for your application to ensure it can access the necessary data and features.

  2. Development configuration: In the IDaaS console and the Feishu application, configure the settings that tie the two together, such as the redirect URL, the application homepage, and the IP address whitelist.

  3. Scenario selection: Select the integration scenarios and authentication methods that meet your business needs.

  4. Field mapping: Configure the mapping between Feishu user properties and IDaaS user properties to ensure that data is synchronized correctly.

Scenarios

After you connect to Feishu, you can use the following features.

Account

  • Synchronize the full Feishu address book (users and departments) to IDaaS EIAM. Scheduled synchronization is supported.

Logon

  • Scan a QR code using Feishu to log on to IDaaS EIAM or an application in it.

  • Initiate single sign-on (SSO) from the Feishu workbench to log on to IDaaS EIAM or an application in it.

Connect to Feishu

In the Identity Providers menu, click Other Identity Providers > Feishu to start the connection process.


Step 1: Configure application permissions

Important

Feishu has specific requirements for application permissions. Some permissions take effect only after an administrator approves and publishes the application, so you may need assistance from other administrators in your enterprise. Without the required permissions, you cannot use features such as data synchronization. We recommend that you configure all application permissions in this step before you continue.

  1. Create a Feishu application.

    1. Go to the Feishu Open Platform, log on to the developer backend, and create an enterprise self-built application.


    2. After the application is created, you are automatically redirected to the application details page. Click the Credentials & Basic Information menu to obtain the App ID and App Secret.


  2. Enter the App ID and App Secret in IDaaS. Treat the App Secret as a credential: whoever holds it gets every permission the application has been granted, so do not store or paste it anywhere other than the IDaaS configuration.

  3. On the Feishu application details page, click Permission Management > Enable Permissions. In Address Book, grant the following permissions. All of them are read-only query permissions on the address book, which is all that data synchronization and user logon require; the integration needs no write permissions, so do not grant any.

    • Read basic information of the address book: contact:contact.base:readonly

    • Read user IDs: contact:user.employee_id:readonly

    • Read basic information of departments: contact:department.base:readonly

    • Read the organizational structure of departments in the address book: contact:department.organize:readonly
      Note: After you request this permission, you must submit a version release request. The permission takes effect only after the request is approved.

    • Read basic information of users: contact:user.base:readonly

    • Read the organizational structure of users: contact:user.department:readonly
      Note: After you request this permission, you must submit a version release request. The permission takes effect only after the request is approved.

    • Read user email addresses: contact:user.email:readonly
      Optional: enable it only if you want to synchronize email addresses to IDaaS.

    • Read user mobile numbers: contact:user.phone:readonly
      Optional: enable it only if you want to synchronize mobile numbers to IDaaS. After you request this permission, you must submit a version release request. The permission takes effect only after the request is approved.

    Note

    After you submit a release request, a notification is sent to administrators in Feishu. An administrator must review the request in the Feishu Admin console.

  4. Set the Feishu data range (data permissions).

    1. In the Permission Management section, click Configure under Accessible Data Range.

    2. Select the departments and users that the application is allowed to read. This range determines which user and organization data can be synchronized to IDaaS and which users can log on through Feishu; anything outside it is invisible to the integration. Grant the narrowest range that still covers everyone who needs an IDaaS account.

  5. Submit in IDaaS. After you complete the permission configuration, click Next in IDaaS. IDaaS checks the API permissions and the data range. If all required permissions are granted, you can proceed to the next step.

Step 2: Configure development settings

  1. Enter basic information.

    1. Enter a Display Name.

    2. Enter the Enterprise ID. You can obtain the enterprise ID from the Feishu Admin console.


  2. Configure development information.

    1. Redirect URL.

      1. Copy the URL from IDaaS. Feishu redirects the user to this URL after a Feishu logon so that IDaaS can process the logon request.

      2. Configure in Feishu. On the Feishu application details page, paste the URL into the Redirect URL field under Security Settings and click Add. Register the URL exactly as IDaaS displays it: Feishu redirects only to URLs in this list, so a mismatch in scheme, host, or path breaks the logon.

    2. Application homepage.

      1. Copy the URL from IDaaS. If you want users to open the IDaaS CloudSSO user portal from the Feishu workbench without signing in again (the Feishu session authenticates them), you must configure this homepage URL in Feishu.

      2. Configure in Feishu. On the Feishu application details page, in Add Application Capabilities, add a Web Application.

        After you add the web application, paste this URL into the desktop and mobile homepage fields.

    3. IP address whitelist.

      1. View in IDaaS.

        • Shared endpoint: A shared endpoint is the default network endpoint that an IDaaS instance uses for network access. All IDaaS instances share this endpoint. You can use a shared endpoint to access only the Internet.

        • Dedicated endpoint: A dedicated endpoint is a network endpoint that your IDaaS instance exclusively uses. With a dedicated endpoint, you can use a dedicated IP address to implement data synchronization and delegated authentication with Feishu. For more information, see Network endpoints.

      2. Configure in Feishu. To restrict which source addresses may call the Feishu API with this application's credentials, copy the egress IP address list from IDaaS and add it to IP Whitelist under Application Security Settings in Feishu. Use Batch Modify to enter the list. Keep in mind that the shared endpoint's addresses are used by every IDaaS instance, so a whitelist built from them limits callers to IDaaS as a service rather than to your instance; use a dedicated endpoint if the whitelist must identify your instance alone. If the endpoint's IP list changes, update the whitelist, or synchronization and logon requests will be rejected.

Step 3: Select scenarios

Select the scenario features that you want to use.

Feature description

  • Synchronization target: Select Alibaba Cloud IDaaS from the drop-down list. The address book data from Feishu is imported into this IDaaS node.

  • Scheduled synchronization: By default, IDaaS performs a full synchronization of Feishu data once a day at 00:00 to keep the two sides consistent. Field mapping defines how Feishu users are matched to IDaaS accounts, for example account name to Feishu user ID. If a match is found, the existing account is updated; otherwise a new account is created. To synchronize immediately instead of waiting for the schedule, manually trigger a full synchronization task.

  • Synchronization schedule: The synchronization runs once per day; you can customize the time with a cron expression. A built-in protection mechanism stops the task if one run would delete more than 30 accounts or more than 10 organizations, which guards against accidental mass deletion (for example after an unintended change to the application's data range). You can adjust these thresholds to the size of your enterprise.

  • Incremental synchronization: This feature is disabled by default. To enable it, you must first configure event notifications after the connection is established.

    • On the Identity providers page, find the Feishu application that you created and click Modify.

    • In the event configuration section, enter the Encrypt Key and Verification Token. You can obtain these from Events & Callbacks > Encryption Policy on the Feishu application details page.

    • On the Feishu application details page, go to Events & Callbacks > Event Configuration and paste the Request Address from IDaaS into the request URL field. Feishu sends address-book change events to this URL.

  • QR code logon: When this feature is enabled, the IDaaS logon page offers Feishu QR code logon; users scan the code with Feishu to authenticate. If an application homepage is configured, users can also open IDaaS from the Feishu workbench without signing in again, because the Feishu session authenticates them.
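The event subscription configured above is only as trustworthy as the checks the receiving endpoint performs. The following Go program is an added example, not IDaaS code and not Feishu SDK code, of what a receiver at the Request Address has to do with the two values from Encryption Policy: decrypt the body with the Encrypt Key (Feishu's documented scheme is AES-256-CBC with SHA-256 of the Encrypt Key as the key and the first 16 bytes of the base64-decoded payload as the IV, PKCS#7 padded), compare the Verification Token in constant time, reject bodies that arrive unencrypted, and answer the url_verification handshake Feishu issues when the Request Address is saved. The Encrypt Key, token, challenge and event payloads are constructed for the demo, and the encryptEvent function plays Feishu's role so the sample runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Values copied from Events & Callbacks > Encryption Policy in the Feishu app.
// Both are constructed for this example, not real credentials.
const encryptKey = "example-encrypt-key-not-real"
const verificationToken = "example-verification-token"

// decryptEvent reverses Feishu's event encryption: the AES-256 key is
// SHA-256(Encrypt Key), the payload is base64(IV || AES-CBC(PKCS#7(json))).
func decryptEvent(key, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("malformed encrypted payload")
	}
	k := sha256.Sum256([]byte(key))
	block, _ := aes.NewCipher(k[:]) // a 32-byte key is always valid
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1]) // PKCS#7: the last byte says how many bytes to strip
	if pad == 0 || pad > aes.BlockSize || bytes.Count(pt[len(pt)-pad:], []byte{byte(pad)}) != pad {
		return nil, errors.New("bad padding: wrong Encrypt Key or tampered payload")
	}
	return pt[:len(pt)-pad], nil
}

// encryptEvent plays Feishu's role so the demo and test can build a sample
// payload offline; a real receiver never needs it.
func encryptEvent(key string, plaintext []byte) (string, error) {
	k := sha256.Sum256([]byte(key))
	block, _ := aes.NewCipher(k[:])
	buf := make([]byte, aes.BlockSize) // random IV is transmitted first
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf = append(append(buf, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, buf[:aes.BlockSize]).CryptBlocks(buf[aes.BlockSize:], buf[aes.BlockSize:])
	return base64.StdEncoding.EncodeToString(buf), nil
}

// callbackResult: answer a url_verification handshake with Challenge, or
// process an event whose header.event_type is EventType.
type callbackResult struct{ Challenge, EventType string }

// handleCallback decrypts the body, checks the Verification Token and classifies
// the request. A body without an encrypt field is rejected outright.
func handleCallback(key, token, body string) (callbackResult, error) {
	var env struct {
		Encrypt string `json:"encrypt"`
	}
	if err := json.Unmarshal([]byte(body), &env); err != nil || env.Encrypt == "" {
		return callbackResult{}, errors.New("plaintext callback rejected: an Encrypt Key is configured")
	}
	plain, err := decryptEvent(key, env.Encrypt)
	if err != nil {
		return callbackResult{}, err
	}
	var ev struct { // handshake fields sit at top level, v2.0 event fields under header
		Type, Token, Challenge string
		Header                 struct {
			Token     string
			EventType string `json:"event_type"`
		}
	}
	if err := json.Unmarshal(plain, &ev); err != nil {
		return callbackResult{}, err
	}
	if ev.Token == "" { // v2.0 events carry the token inside the header
		ev.Token = ev.Header.Token
	}
	if subtle.ConstantTimeCompare([]byte(ev.Token), []byte(token)) != 1 {
		return callbackResult{}, errors.New("verification token mismatch")
	}
	if ev.Type == "url_verification" {
		return callbackResult{Challenge: ev.Challenge}, nil
	}
	return callbackResult{EventType: ev.Header.EventType}, nil
}

func main() {
	// Constructed sample: the handshake Feishu sends when the Request Address is saved.
	hs := `{"challenge":"c7f2a9","token":"` + verificationToken + `","type":"url_verification"}`
	enc, _ := encryptEvent(encryptKey, []byte(hs))
	res, err := handleCallback(encryptKey, verificationToken, `{"encrypt":"`+enc+`"}`)
	fmt.Printf("challenge=%q err=%v\n", res.Challenge, err)
}
```

The receiver echoes the challenge back as {"challenge": "..."} only after the token check passes, so a third party who learns the Request Address cannot complete the handshake or inject address-book events without both secrets. Padding and token comparisons fail closed, and a payload encrypted under a different Encrypt Key is rejected before any event data is trusted.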

Step 4: Map fields

If you have historical data in IDaaS and need to link Feishu members or departments to existing IDaaS accounts or organizations, you must configure field mapping in this step. You also need to configure field mapping if you want to populate IDaaS account fields with data from specific Feishu member fields. For example, you can use the name of a Feishu user as the display name of an IDaaS account.

Important

The user ID (userid) in Feishu is the unique identifier of a Feishu user, and Feishu administrators can change it. Because this field is the only primary key that IDaaS can match on, changing a user's ID makes the next synchronization delete the corresponding IDaaS account and create a new one instead of updating the existing account. Change this field only with care.
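The matching rule from Scenario selection (account name matched to Feishu user ID, update if found, otherwise create), the deletion threshold that stops a run, and the user ID caveat above can all be made concrete as one reconciliation step. The following Go program is an added example, not IDaaS's own synchronization code: it plans a full synchronization from a constructed sample of existing IDaaS accounts and Feishu address-book users, refuses to proceed when the plan would delete more accounts than the threshold allows, and shows that an administrator changing a user's user_id looks to the sync like one deletion plus one creation rather than an update. The record types, the mapUser mapping rule and the sample data are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// FeishuUser holds the address-book fields the sync reads (constructed for this example).
// user_id is the value IDaaS matches on, so it is the only key that must stay stable.
type FeishuUser struct {
	UserID, Name, Email, DepartmentID string
}

// Account is the IDaaS-side record after field mapping.
type Account struct {
	Username, DisplayName, Email, OrgID string
}

// mapUser is an assumed Step 4 mapping: username <- user_id, display name <- name,
// email <- email, organization <- department.
func mapUser(u FeishuUser) Account {
	return Account{Username: u.UserID, DisplayName: u.Name, Email: u.Email, OrgID: u.DepartmentID}
}

// SyncPlan is what one full synchronization run would apply to IDaaS.
type SyncPlan struct {
	Create, Update []Account
	Delete         []string // usernames that no Feishu user matches any more
}

// ErrTooManyDeletions is the protection mechanism: the run stops before
// applying a plan that deletes more accounts than the threshold allows.
var ErrTooManyDeletions = errors.New("synchronization stopped: deletions exceed threshold")

// planFullSync matches each Feishu user to the IDaaS account whose username
// equals its user_id: update it if any mapped field changed, create it if it
// is missing, and delete accounts that no Feishu user matches, unless more than
// maxDeletes would go. A changed user_id therefore appears as delete + create.
func planFullSync(existing []Account, users []FeishuUser, maxDeletes int) (SyncPlan, error) {
	byName := make(map[string]Account, len(existing))
	for _, a := range existing {
		byName[a.Username] = a
	}
	var plan SyncPlan
	seen := make(map[string]bool, len(users))
	for _, u := range users {
		if u.UserID == "" || seen[u.UserID] {
			return SyncPlan{}, fmt.Errorf("user_id %q is empty or duplicated: matching would be ambiguous", u.UserID)
		}
		seen[u.UserID] = true
		want := mapUser(u)
		if have, ok := byName[u.UserID]; !ok {
			plan.Create = append(plan.Create, want)
		} else if have != want {
			plan.Update = append(plan.Update, want)
		}
	}
	for name := range byName {
		if !seen[name] {
			plan.Delete = append(plan.Delete, name)
		}
	}
	sort.Strings(plan.Delete) // map order is random; keep the plan deterministic
	if len(plan.Delete) > maxDeletes {
		return plan, fmt.Errorf("%w: %d accounts would be deleted, limit is %d", ErrTooManyDeletions, len(plan.Delete), maxDeletes)
	}
	return plan, nil
}

func main() {
	// Constructed sample: yesterday's IDaaS accounts and today's Feishu address book.
	existing := []Account{
		{Username: "u_alice", DisplayName: "Alice", Email: "alice@example.com", OrgID: "od-1"},
		{Username: "u_bob", DisplayName: "Bob", Email: "bob@example.com", OrgID: "od-1"},
	}
	today := []FeishuUser{
		{UserID: "u_alice", Name: "Alice Liu", Email: "alice@example.com", DepartmentID: "od-1"}, // renamed
		{UserID: "bob2", Name: "Bob", Email: "bob@example.com", DepartmentID: "od-1"},            // admin changed user_id
		{UserID: "u_carol", Name: "Carol", Email: "carol@example.com", DepartmentID: "od-2"},     // new hire
	}
	plan, err := planFullSync(existing, today, 30)
	fmt.Printf("create=%d update=%d delete=%v err=%v\n", len(plan.Create), len(plan.Update), plan.Delete, err)
	// An address book that suddenly comes back empty (for example after the app's
	// data range was narrowed) trips the guard instead of wiping IDaaS.
	_, err = planFullSync(existing, nil, 1)
	fmt.Println(err)
}
```

In the sample, Bob's changed user_id produces a Create of bob2 and a Delete of u_bob, which is exactly the account replacement the note above warns about; anything attached to the old account (group memberships, application authorizations) does not carry over on its own, so coordinate such changes with the IDaaS administrator before they happen rather than discovering them in the next morning's sync log.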

Manage Feishu identity providers

After the connection is complete, you are automatically redirected to the Identity Providers menu. Here, you can manage the identity provider and its features.