Connect Secure Access Service Edge (SASE) to WeCom so that enterprise users can log on to SASE directly with their WeCom accounts. This eliminates the need to maintain a separate identity management system and lets you control internal network access, internet access, and office data protection from a single place.
What this integration supports
Single sign-on: Users log on to the SASE client using their existing WeCom accounts.
Automatic user sync: SASE pulls organizational structure and employee information from WeCom on a configurable schedule (1–24 hours).
Partial sync: Choose to sync the entire WeCom organization or select specific departments.
Field mapping: Map WeCom user attributes to SASE fields, with support for custom extension fields.
The WeCom platform information in this document is for reference only. For authoritative details, see the official WeCom documentation.
Prerequisites
Before you begin, make sure you have:
An active SASE subscription. See Apply for a free trial.
The SASE client installed on end-user devices. See Use the settings feature.
A WeCom administrator account (required to scan the authorization QR code in Step 1).
The Schema value for your WeCom identity source, obtained from an SASE engineer by submitting a ticket.
Step 1: Connect SASE to WeCom
Create a WeCom identity provider
Log on to the SASE console.
In the left navigation pane, choose Identity Authentication > Identity Access.
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select WeCom, click Configure, and set the following parameters.
Parameter | Description | Example
IdP Name | Name of the WeCom identity source. Must be 2–100 characters and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_). | test_123
Description | Displayed as the logon title on the SASE client. Helps users identify the identity source at logon. | WeCom data source
IdP Status | Enabled: The identity source is active after creation. Closed: The identity source is inactive after creation. Disabling an identity source prevents end users from using the SASE App to access internal applications. Proceed with caution. | Enabled
Automatic Synchronization | When enabled, SASE syncs organizational structure from WeCom automatically. When disabled, you must sync manually. See Connect an LDAP IdP to SASE for manual sync steps. | Enabled
Synchronize User Information | When enabled, SASE automatically syncs employee information on the configured cycle. Has no effect if Automatic Synchronization is disabled. | Enabled
Automatic Synchronization Cycle | How often SASE syncs from WeCom. Valid range: 1–24 hours. | 24 hours
Click Obtain Authorization QR Code and use a WeCom administrator account to scan the QR code to grant permissions.
After authorization succeeds, the new WeCom identity source appears on the Identity synchronization tab.
Configure synchronization settings
In the Actions column for the new identity source, click Edit. In the Edit IdP panel, set the Schema value, then click Next.
Important: Get the Schema value from an SASE engineer by submitting a ticket. The value follows the format wwauth4151efa784c9324d00****.
In the Synchronization Settings wizard, configure the sync scope and field mappings, then click OK.
Parameter | Description
Organizational Structure Synchronization | Synchronize All: Syncs the entire WeCom organizational structure to SASE. Partially Synchronize: Select specific departments to sync.
Field Synchronization Mapping | Maps WeCom organizational fields to SASE fields. To add, edit, or delete custom fields, click View Extended Fields in the upper-right corner of the list.
Set the visibility range in WeCom
After you create the WeCom identity source, SASE automatically creates a self-managed SASE application in WeCom. Set the Visibility Range for this application in WeCom to make sure the organizational structure syncs to it. For instructions, see How to set the visibility range of a third-party application.
Step 2: Verify the connection
After the configuration is complete, verify that users can log on to SASE using their WeCom accounts.
Open the SASE App on an end-user device.
Enter the enterprise ID, then click Confirm. To find the enterprise ID: log on to the SASE console, go to Settings, and copy the Enterprise Authentication Identifier.
Enter the WeCom account and password, then click Log On.
If logon succeeds, the connection is working. If logon fails, check the following:
Confirm the IdP Status is set to Enabled in the SASE console.
Confirm the WeCom application Visibility Range includes the user's department.
Confirm the Schema value in the identity source configuration is correct. If needed, submit a ticket to verify the value with an SASE engineer.