Configure single sign-on (SSO) between IDaaS and Dedicated DingTalk to connect your organization's account system to DingTalk.
For an end-to-end walkthrough including user logon steps, see Log on to DingTalk Enterprise using an AD, LDAP, or IDaaS account.
Prerequisites
Before you begin, make sure you have the dedicated account feature of Dedicated DingTalk enabled.
Step 1: Create the application in IDaaS
In the IDaaS console, go to Application > Marketplace and search for DingTalk Enterprise.
Add the application. After the application is added, you are automatically redirected to the SSO configuration page.

Step 2: Configure SSO in IDaaS
IDaaS preconfigures all SSO settings for DingTalk Enterprise. Adjust the following settings based on your environment.
Set the authorization mode and scope
Set the authorization mode to Implicit Mode and select id_token as the token type. The Redirect URIs field is pre-filled with the following value:
https://login.dingtalk.com/oauth2/oidcCallBack.htm
For the authorization scope, select All Users to grant access to all employees. If only a subset of employees needs Dedicated DingTalk, select Manual Authorization and authorize specific accounts or organizations.

Configure the sub claim
In the advanced configuration, the extended id_token must include a claim named sub. Dedicated DingTalk uses the sub value to match the user's userid and complete the logon.
If the sub value does not resolve to an existing DingTalk userid, the match fails and users cannot log on to Dedicated DingTalk using SSO.

Choose your configuration based on how your users are managed:
If your users are synced from IDaaS to Dedicated DingTalk
| Method | sub value format | Notes |
|---|---|---|
| Fixed field mapping | user.{IDaaS field name}, e.g., user.userid or user.username | The value must match the DingTalk userid field in the DingTalk Enterprise identity provider field mapping. |
| Binding relationship | user.identityProviderUserMap.{idpId}.identityProviderUserId | The IDaaS account is already bound to the DingTalk user by default. No further action is required. Find idpId on the identity provider page. |
If your users already exist in Dedicated DingTalk
| Method | sub value format | Notes |
|---|---|---|
| Fixed field mapping | user.{IDaaS field name}, e.g., user.userid or user.username | The userid and sub values of the DingTalk Enterprise user must match. See Advanced account field expressions. |
| Binding relationship | user.identityProviderUserMap.{idpId}.identityProviderUserId | Use the mapping identifier in the field mapping to bind existing accounts. After binding, accounts are ready to use. See Field mapping. Find idpId on the identity provider page. |
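The following is an added example, not code from IDaaS or DingTalk, that shows what the service provider side of this flow has to do with the id_token: verify its signature and the iss, aud, nonce and exp claims, then map the sub claim to a userid. A sub that does not match a userid (for example because the sub expression was set to user.username instead of user.userid) is rejected, which is the failure mode described above. The issuer, client_id, signing secret and user table are all constructed stand-ins; the token is HS256-signed so the example runs offline, whereas a real IDaaS id_token is RS256-signed and the SP verifies it against the JWKS reachable from the Discovery Endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for the values configured on this page; not a real tenant.
ISSUER = "https://idaas.example.com/oauth2/oidc"
CLIENT_ID = "dingtalk-enterprise-client"
# Constructed HS256 secret so the example runs offline. A real IDaaS id_token is
# RS256-signed and verified against the JWKS published at the Discovery Endpoint.
SIGNING_SECRET = b"constructed-demo-secret"

# Constructed stand-in for the Dedicated DingTalk user table: userid -> display name.
DINGTALK_USERS = {
    "u1001": "Alice",
    "u1002": "Bob",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(sub: str, nonce: str, lifetime: int = 300) -> str:
    """Mint an id_token the way the IdP would after an implicit-flow logon.

    `sub` is whatever the configured sub expression (e.g. user.userid) evaluates to.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "sub": sub,
        "nonce": nonce,
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_and_match(id_token: str, expected_nonce: str) -> tuple[bool, str]:
    """SP-side check: validate the token, then map sub to a DingTalk userid.

    Returns (ok, reason). ok is True only if every check passes and the sub
    value names an existing userid.
    """
    try:
        header_b64, claims_b64, sig_b64 = id_token.split(".")
    except ValueError:
        return False, "malformed token"
    # Verify the signature before trusting any claim; reject alg confusion (e.g. "none").
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(SIGNING_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    if claims.get("aud") != CLIENT_ID:
        return False, "audience mismatch"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    if claims.get("exp", 0) <= int(time.time()):
        return False, "token expired"
    # This is the step the page describes: sub must resolve to a DingTalk userid.
    sub = claims.get("sub")
    if not sub or sub not in DINGTALK_USERS:
        return False, f"sub {sub!r} does not match any DingTalk userid"
    return True, f"logged on as {DINGTALK_USERS[sub]} (userid {sub})"


if __name__ == "__main__":
    nonce = "n-" + hashlib.sha256(b"session-1").hexdigest()[:8]
    print(verify_and_match(issue_id_token("u1001", nonce), nonce))   # sub is a userid: ok
    print(verify_and_match(issue_id_token("alice", nonce), nonce))   # sub is a username: rejected
```

The nonce is bound to the browser session that started the SP-initiated logon, so an id_token replayed from another session fails before the sub lookup is ever reached. Checking the alg header and the signature before reading any claim keeps a forged or alg-none token from reaching the userid match.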
Step 3: Configure SSO in the DingTalk admin console
Log on to the DingTalk admin console.
Go to Security and Permissions > Organization Code Logon, then copy or request an organization code. Set the logon mode to SSO Logon.
Users need this organization code to log on to Dedicated DingTalk.
Go to Security and Permissions > SSO Settings and enter the following parameters. Retrieve each value from the IDaaS application you created in Step 1.
| DingTalk field | Where to find it in IDaaS |
|---|---|
| Configuration mode | Select OIDC Protocol Authentication |
| Client ID | General configuration > client_id |
| Issuer | Logon Access > Single Sign-On > Application Configuration Information > Issuer |
| Authorization URL | Logon Access > Single Sign-On > Application Configuration Information > Authorization Endpoint |
| OpenID Config URL | Logon Access > Single Sign-On > Application Configuration Information > Discovery Endpoint |
Step 4: Test SSO
Dedicated DingTalk supports only service provider (SP)-initiated SSO. Users must start the logon from the DingTalk side. Identity provider (IdP)-initiated logon is not supported.
For detailed user logon steps, see User logon steps.
