You can use Alibaba Cloud Identity as a Service (IDaaS) to synchronize DingTalk data to Secure Access Service Edge (SASE). This way, you can manage the access permissions of DingTalk users in the SASE console. This topic describes how to use IDaaS to synchronize DingTalk data to SASE.
Prerequisites
SASE is activated, and the SASE client is installed. For more information, see Apply for a free trial and Use the settings feature.
IDaaS is activated. For more information, see Create an instance for free.
Process
Before you use SASE to manage the access permissions of DingTalk users, you must synchronize DingTalk data to IDaaS and connect your IDaaS identity provider (IdP) to SASE.
The DingTalk-related operations in this topic are performed in the DingTalk console of the new version.
Step 1: Create a DingTalk application
To synchronize DingTalk data to SASE, you must create a DingTalk application in DingTalk Open Platform. After you create a DingTalk application, you can obtain the values of the AppKey and AppSecret parameters that are used for logon-free authentication.
Use the administrator account to log on to DingTalk Open Platform.
In the top navigation bar, click Application Development.
In the left-side navigation pane, click DingTalk Application. On the page that appears, click Create an application.
In the Create an application panel, configure the parameters. The following table describes the parameters.
Parameter
Description
Example
Application Name
The name of the application.
The application name can contain letters and digits.
AlibabaCloudSASE
Application Description
The description of the application.
AlibabaCloudSASE
App Icon
The icon of the application.
The uploaded icon image must meet the following requirements: JPG or PNG format, 240 × 240 pixels or higher, 1:1 aspect ratio, no greater than 2 MB in size, and no rounded corner.
Click save.
Step 2: Add an authentication source
You must add an authentication source to enable external authentication. This way, you can use DingTalk accounts to log on to the SASE client.
Use the administrator account to log on to the IDaaS console. On the tab, click the ID of the instance that you created.
In the left-side navigation pane, choose .
In the upper-right corner of the Authentication Sources page, click Add DingTalk source.
On the page that appears, find DDTalk micro APP and click Add Authentication Source in the Actions column.
In the Add Authentication Source (DDTalk micro APP) panel, configure the parameters and click Submit. The following table describes the parameters.
Parameter
Description
Example
Name
The name of the authentication source. Retain the default value DDTalk micro APP.
DDTalk micro APP
AgentID
You can obtain the value of the AgentID parameter from the Credentials and basic information page of the DingTalk application that you created in DingTalk Open Platform.
320543****
CorpID
You can obtain the value of the CorpID parameter from the front page of DingTalk Open Platform.
ding191d0eb30a8aadf2ee0f45d8e4f7****
AppKey
You can obtain the value of the AppKey parameter from the Credentials and basic information page of the DingTalk application that you created in DingTalk Open Platform.
ding191d0eb30a8aadf2ee0f45d8e4f7****
AppSecret
You can obtain the value of the AppSecret parameter from the Credentials and basic information page of the DingTalk application that you created in DingTalk Open Platform. The AppSecret is a long-lived credential for the application: store it only in the IDaaS configuration, do not paste it into tickets or chat messages, and rotate it in DingTalk Open Platform if it is exposed.
7G2uP_iIvyQ8L4phZ1neu1bKpPQZT4B_s3xFD_EChpxJscqGiOopPIYuWXI5****
After you add the authentication source, go back to the Authentication Sources page and turn on the switch in the Status column to enable DDTalk micro APP.
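Before you paste the AppKey and AppSecret into IDaaS, it is worth confirming that DingTalk actually accepts them. The following added example (not code from the Alibaba Cloud page or from IDaaS) exchanges the pair for an access token at DingTalk's v1 token endpoint, https://oapi.dingtalk.com/gettoken, which is a real endpoint; the JSON bodies handled below are constructed for demonstration, and the environment variable names are assumptions. Credentials are read from the environment and redacted in output so the secret never lands in a log.

```python
"""Pre-flight check for the DingTalk AppKey/AppSecret before configuring IDaaS.

Added example, not part of the Alibaba Cloud page. The endpoint is DingTalk's
real gettoken API; the sample response bodies used when testing this module
are constructed, not captured from a live tenant.
"""
import json
import os
import urllib.parse
import urllib.request

GETTOKEN_ENDPOINT = "https://oapi.dingtalk.com/gettoken"


class DingTalkAuthError(Exception):
    """Raised when DingTalk rejects the credentials (non-zero errcode)."""

    def __init__(self, errcode, errmsg):
        super().__init__(f"DingTalk gettoken failed: errcode={errcode} errmsg={errmsg}")
        self.errcode = errcode
        self.errmsg = errmsg


def redact(secret: str, keep: int = 4) -> str:
    """Show only a short prefix of a credential so output never leaks the AppSecret."""
    if len(secret) <= keep:
        return "****"
    return secret[:keep] + "****"


def gettoken_url(appkey: str, appsecret: str) -> str:
    """Build the gettoken request URL; query values are percent-encoded."""
    query = urllib.parse.urlencode({"appkey": appkey, "appsecret": appsecret})
    return f"{GETTOKEN_ENDPOINT}?{query}"


def parse_gettoken_response(body: str) -> str:
    """Return access_token from a gettoken JSON body, or raise if errcode != 0."""
    data = json.loads(body)
    errcode = int(data.get("errcode", -1))
    if errcode != 0:
        raise DingTalkAuthError(errcode, data.get("errmsg", ""))
    token = data.get("access_token")
    if not token:
        raise DingTalkAuthError(-1, "errcode 0 but no access_token in response")
    return token


def verify_credentials(appkey: str, appsecret: str, timeout: float = 10.0) -> str:
    """Live check: exchange AppKey/AppSecret for a token. Needs network access."""
    with urllib.request.urlopen(gettoken_url(appkey, appsecret), timeout=timeout) as resp:
        return parse_gettoken_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Assumed variable names; credentials come from the environment, never a literal.
    key = os.environ["DINGTALK_APPKEY"]
    secret = os.environ["DINGTALK_APPSECRET"]
    print(f"checking AppKey {redact(key)} with AppSecret {redact(secret)} ...")
    try:
        token = verify_credentials(key, secret)
        print("credentials accepted; access_token", redact(token))
    except DingTalkAuthError as exc:
        # A non-zero errcode usually means a wrong AppKey/AppSecret, or that the
        # public IP of this host is not in the application's server egress IP list.
        print("rejected:", exc)
```

Run it from a host whose public IP you intend to list under Server egress IP in Step 3; a rejection from an unlisted host is expected and confirms that the allowlist is in force.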
Step 3: Configure and release the DingTalk application
After you add and enable the authentication source, you must perform the following operations to configure and release the DingTalk application.
Use the administrator account to log on to DingTalk Open Platform.
In the top navigation bar, click Application Development.
In the left-side navigation pane, click DingTalk Application.
On the DingTalk Application page, click the AlibabaCloudSASE application that you created.
In the left-side navigation pane, choose .
On the Security Settings page, configure the Server egress IP and In-terminal free address parameters. Server egress IP is an allowlist: DingTalk accepts API calls made with this application's credentials only from the listed IP addresses, so the IDaaS server must appear here. In-terminal free address is DingTalk's label for the login-free homepage URL of the application.
Note: You can contact the IDaaS service team to obtain the egress IP address of the IDaaS server.
You can obtain the homepage URL of the application from the Authentication Source Details panel of the added authentication source in the IDaaS console.
For example, the homepage URL can be https://aliyundoc.com/api/public/bff/v1.2/authenticate/ddMicro/login?agentId={id}&appId={id}, where agentId is the AgentID of the DingTalk application and appId is the ID of the Security Assertion Markup Language (SAML) application created in IDaaS. For more information, see Step 2: Create a SAML application and grant the permissions to access the application.
On the Version management and release page, click the corresponding button to release the application.
Step 4: Synchronize the DingTalk data
After the DingTalk application is released, you must perform the following operations to synchronize the DingTalk data.
Use the administrator account to log on to the IDaaS console. On the tab, click the ID of the instance that you created.
Synchronize the DingTalk data.
In the left-side navigation pane, choose .
On the OUs and Groups page, click Configure DingTalk.
In the DDtalk sync configuration panel, click Create.
Configure the parameters and click Save. The following table describes the parameters.
Parameter
Description
Example
ConfigName
Specify a name for the DingTalk synchronization configuration. The name can contain letters and digits.
SASEtest
corpId
You can obtain the value of the corpId parameter from the front page of DingTalk Open Platform.
ding191d0eb30a8aadf2ee0f45d8e4f7****
appKey
You can obtain the value of the appKey parameter from the Credentials and basic information page of the DingTalk application that you created in DingTalk Open Platform.
ding191d0eb30a8aadf2ee0f45d8e4f7****
appSecret
You can obtain the value of the appSecret parameter from the Credentials and basic information page of the DingTalk application that you created in DingTalk Open Platform.
7G2uP_iIvyQ8L4phZ1neu1bKpPQZT4B_s3xFD_EChpxJscqGiOopPIYuWXI5****
Enable
You must turn on the switch. Otherwise, the DingTalk data cannot be synchronized.
Enabled
EmailField
Specify an identifier field for primary email addresses.
email
Default Password
Specify a default password that is used to log on to the IDaaS console. This password is assigned to each imported account, so choose a strong value and treat it as a shared credential until users have changed it.
Important: You must specify a password that meets the requirements in the current password policy. Otherwise, the DingTalk data cannot be synchronized.
****
On the OUs and Groups page, choose .
In the panel that appears, select the DingTalk application that you want to manage and click Import. Then, confirm the import operation.
Grant DingTalk accounts the permissions to access the SAML application.
In the left-side navigation pane, choose .
In the left-side application section of the Application authorization subject tab, click the application. On the right-side Account tab, select the accounts that you want to manage and click Save. In the message that appears, click OK.
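Two of the Step 4 parameters fail silently only after the import is attempted: a Default Password that violates the password policy blocks the whole synchronization, and the EmailField value decides which DingTalk field becomes each account's primary email. The following added example (not code from the Alibaba Cloud page or from IDaaS) runs both checks before you click Import. The IDaaS password policy is not published on this page, so the rules encoded here are an assumption to align with your instance; the DingTalk user records are constructed sample data, and treating a missing or duplicated email field as a problem to resolve before import is also an assumption rather than documented IDaaS behaviour.

```python
"""Pre-sync checks for the DingTalk -> IDaaS synchronization configuration.

Added example, not code from the Alibaba Cloud page or from IDaaS. The
password rules are an assumption (align them with your IDaaS password
policy); the user records are constructed sample data.
"""
import re
from collections import Counter

# Assumed policy values; replace with those from your IDaaS password policy.
PASSWORD_MIN_LEN = 12
PASSWORD_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_default_password(password: str) -> list:
    """Return the policy rules the Default Password violates (empty list = OK)."""
    problems = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append(f"shorter than {PASSWORD_MIN_LEN} characters")
    for name, pattern in PASSWORD_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name} character")
    return problems


def plan_sync(users: list, email_field: str) -> dict:
    """Sort DingTalk user records by whether EmailField yields a usable primary email.

    'ready': non-empty, unique value in email_field.
    'missing': the field is absent or blank.
    'duplicate': two or more users share the value (case-insensitive), which
    would map several DingTalk identities to one IDaaS primary email.
    """
    normalized = [(u["userid"], (u.get(email_field) or "").strip().lower()) for u in users]
    counts = Counter(email for _, email in normalized if email)
    plan = {"ready": [], "missing": [], "duplicate": []}
    for userid, email in normalized:
        if not email:
            plan["missing"].append(userid)
        elif counts[email] > 1:
            plan["duplicate"].append(userid)
        else:
            plan["ready"].append(userid)
    return plan


# Constructed sample records using DingTalk-style field names (userid, name, email).
SAMPLE_USERS = [
    {"userid": "u001", "name": "Alice", "email": "alice@example.com"},
    {"userid": "u002", "name": "Bob", "email": ""},
    {"userid": "u003", "name": "Carol", "email": "Shared@example.com"},
    {"userid": "u004", "name": "Dave", "email": "shared@example.com "},
]

if __name__ == "__main__":
    for pw in ["sase", "SASEtest2024!"]:
        print(pw, "->", check_default_password(pw) or "meets assumed policy")
    print(plan_sync(SAMPLE_USERS, "email"))
```

Resolve every 'missing' and 'duplicate' entry in DingTalk (fill in or fix the email field) before importing, so that the accounts you later authorize on the SAML application map one-to-one to DingTalk users.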
Step 5: Connect your IDaaS IdP to SASE
After you synchronize the DingTalk data to IDaaS, you must connect your IDaaS IdP to SASE. This way, you can use SASE to manage the access permissions of DingTalk users. For more information about how to connect an IDaaS IdP to SASE, see Use SASE to ensure secure access of IDaaS (old version) users.
After you connect an IDaaS IdP to SASE, you can log on to the SASE client by scanning the quick response (QR) code from the DingTalk app without the need to enter an account and password.