Connect SASE to DingTalk so your employees can log on to the SASE client with their existing DingTalk accounts. This eliminates a separate identity management system and keeps your organizational structure in sync automatically.
Prerequisites
Before you begin, ensure that you have:
An active Secure Access Service Edge subscription
The SASE client installed on your devices
The DingTalk steps in this topic apply to the new DingTalk console. The DingTalk Open Platform menu names and page layouts are given for reference only and may change. See the official DingTalk documentation for details.
Step 1: Create a DingTalk application and set the homepage URL
1.1 Create a DingTalk application
Log on to the DingTalk Open Platform with an administrator account. In the top menu bar, click Application Development.
In the navigation pane, choose Internal-facing Applications > DingTalk Application.
On the DingTalk Application page, click Create Application.
In the Create Internal-facing Application dialog box, set the following parameters.
| Parameter | Description | Example |
|---|---|---|
| Application name | The application name. Can contain Chinese characters, uppercase letters, lowercase letters, and digits. | AlibabaCloudSASE |
| Application description | A description of the application. | AlibabaCloudSASE |
| Application icon | The application icon. Must be in JPG or PNG format, 240×240 pixels or larger, aspect ratio 1:1, no larger than 120 KB, and no border radius. | — |

Click Create.
1.2 Set the homepage URL
On the DingTalk Application page, click the AlibabaCloudSASE application.
In the navigation pane, choose Application Capabilities > Web App.
On the Web App page, set Application Homepage URL to https://login.aliyuncsas.com/ui/dingAuth/, then click Save.
Step 2: Add API permissions, security settings, and sharing settings
2.1 Add API permissions
Grant the permissions that allow SASE to read your DingTalk organizational structure.
Log on to the DingTalk Open Platform with an administrator account. In the top menu bar, click Application Development.
In the navigation pane, choose Internal-facing Applications > DingTalk Application.
Click the AlibabaCloudSASE application, then in the navigation pane click Permission Management.
On the Permission Management page, set the permission scope to All Employees and enable the following permissions. Enable only these: they give SASE read access to the address book and contact fields it syncs, and any additional scope you grant here becomes available to anyone holding the application's AppKey and AppSecret.
Personal Mobile Number Information
Read Permission For Personal Information In The Address Book
Enterprise Employee Mobile Number Information
Email And Other Personal Information
Read Permission For Department Information In The Address Book
Read Permission For Member Information
Read Permission For Department Members In The Address Book
2.2 Configure security settings
After you set the callback domain, employees can log on to the SASE client with their DingTalk credentials or by scanning a QR code.
In the navigation pane, choose Development Configuration > Security Settings.
In the Server Egress IP field, enter the egress IP addresses of the servers that call the DingTalk server-side API. DingTalk uses this list to check the source of server-side API calls, so keep it accurate when those addresses change.
Set Redirection URL (Callback Domain) to https://login.aliyuncsas.com/open-dev/dingtalk, then click Save.
In the navigation pane, choose Development Configuration > Sharing Settings.
On the Sharing Settings page, in the Login Integration section, add https://login.aliyuncsas.com/open-dev/dingtalk as the callback domain name. Enter the domain exactly as shown: it is the only destination to which DingTalk will send the logon authorization result, and a mistyped or wider domain either breaks the logon or lets the result be delivered somewhere other than SASE.
2.3 Configure sharing settings
Configure Share Integration so that DingTalk recognizes the SASE mobile client. The iOS Bundle ID, Android Package Name, and Android Signature identify the SASE client app to DingTalk, so enter them exactly as listed.
On the Sharing Settings page, in the Share Integration section, click Edit. Set the following parameters, then click Save.
| Category | Parameter | Value |
|---|---|---|
| iOS Share | iOS Bundle ID | com.aliyun.security.saseiosApp |
| Android Share | Android Package Name | com.aliyun.security.sase |
| Android Share | Android Signature | 294e7d6880381b01ea56d91ee6656ff0 |
Step 3: Connect SASE to DingTalk
Configure an identity provider (IdP) in the SASE console to establish the connection to your DingTalk organizational structure.
Log on to the SASE console.
In the navigation pane, choose Identity Authentication > Identity Access.
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select DingTalk, then click Configure.
In the Basic Configurations step, set the following parameters. The panel also provides three values you will use in later steps; copy and save them now:
Copy Request URL: the Request Address of this identity source. You paste it into the Request URL field of the DingTalk event subscription (Step 4).
Copy Application Homepage Address: corresponds to the Application Homepage URL configured in DingTalk (Step 1.2); use it to check the application details in DingTalk.
Copy Callback Domain Name: the value to configure as the callback domain in DingTalk (Step 2.2).
Important: If you disable an identity source, end users cannot access internal applications through the SASE App. Proceed with caution.
| Parameter | Description | Example |
|---|---|---|
| IdP Name | The name of the DingTalk identity source. 2–100 characters; can contain Chinese characters, letters, digits, hyphens (-), and underscores (_). | test |
| Description | Displayed as the logon title on the SASE client. | DingTalk Logon |
| IdP Status | Enabled: the identity source is active after creation. Closed: the identity source is disabled after creation. | Enabled |
| CorpId | The unique enterprise ID in DingTalk. Get it from the home page of the DingTalk Open Platform. | ding3608be7c4e5266ce4ac5d6980864**** |
| AppKey | The AppKey of the DingTalk application. Get it from the Credentials And Basic Information page of your application in the DingTalk Open Platform. | dingwjlht8b93ara**** |
| AppSecret | The AppSecret of the DingTalk application. Get it from the Credentials And Basic Information page of your application in the DingTalk Open Platform. | 1Uji1mEjhmWq_SmE0KNScspYk0bBgDrlZ95vUTR-bn4FbfeVQQKNr1_1giWA**** |
| DingTalk Type (Advanced Settings) | Select DingTalk Standard or Dedicated DingTalk. | — |
| AES Encryption Key (Advanced Settings) | The encryption key for event subscription. You will get this value from DingTalk in Step 4 and return to fill it in here. | SRIcwnup1JHFJ4O2SzLS1RtQGJzC3RG2c33AM****** |
| Encryption Token (Advanced Settings) | The signature token for event subscription. You will get this value from DingTalk in Step 4 and return to fill it in here. | YYwR3A3rV6mrvpC****** |
| Automatic Synchronization | If enabled, the system automatically syncs DingTalk data on the configured cycle. If disabled, you must sync manually. | Enabled |
| Synchronize User Information | If enabled, employee information is automatically synced based on the Automatic Synchronization Cycle. Requires Automatic Synchronization to be enabled. | Enabled |
| Automatic Synchronization Cycle | How often the sync runs. Set from 1 hour to 24 hours. | 24 hours |

The AppKey and AppSecret together grant API access to your DingTalk address book within the scopes enabled in Step 2.1. Store the AppSecret only in this identity source configuration, and reset it in DingTalk if it is ever exposed.
Click Connectivity Test. After the test passes, click Next.
If the Connection Failed message is displayed, verify that the CorpId, AppKey, and AppSecret match the values shown in the DingTalk Open Platform and that DingTalk Type matches your DingTalk tenant.
In the Synchronization Settings step, configure the synchronization scope and field mappings, then click Confirm.
| Parameter | Description |
|---|---|
| Organizational Structure Synchronization | Synchronize All: syncs the entire DingTalk organizational structure to SASE. Partially Synchronize: select which parts of the organizational structure to sync. |
| Field Synchronization Mapping | Map DingTalk fields to SASE fields. To add custom fields, click View Extended Fields in the upper-right corner of the list. |
Step 4: Configure DingTalk event subscription
Event subscription keeps your SASE security policies in sync when your organizational structure changes — for example, when employees join, transfer, or leave.
This step involves values from both the SASE console and the DingTalk Open Platform. The configuration flows in two directions: you first copy a URL from SASE into DingTalk, then copy keys from DingTalk back into SASE.
4.1 Copy the request URL from SASE
In the SASE console, find the IdP you created in Step 3 and open the Edit Identity Source panel.
Copy the value of Request Address. You will paste this into DingTalk in the next section.
4.2 Configure event subscription in DingTalk
Log on to the DingTalk Open Platform with an administrator account. In the top menu bar, click Application Development.
In the navigation pane, choose Internal-facing Applications > DingTalk Application, then click the AlibabaCloudSASE application.
In the navigation pane, click Event Subscription. Set Push Method to HTTP Push.
Paste the Request Address you copied from SASE into the Request URL field.
Enable the following address book events (for more information, see Event Subscription):
User Added To Address Book
User In Address Book Changed
User Removed From Address Book
Department Created In Address Book
Department In Address Book Modified
Department In Address Book Deleted
Copy the Encryption Aes_key and Signature Token values from this page. You will paste them into SASE in the next step. These two values are what allow SASE to verify that a pushed event really came from DingTalk and to decrypt it, so treat them as secrets in the same way as the AppSecret.
Click Save on the event subscription page.
4.3 Paste the DingTalk keys into SASE
Return to the Edit Identity Source panel in the SASE console.
Paste the Encryption Aes_key into the AES Encryption Key field and the Signature Token into the Encryption Token field.
Click Save in the identity source panel.
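To show what the Encryption Aes_key and Signature Token from Step 4 actually protect, here is a self-contained Go example of DingTalk's published callback envelope: every HTTP push to the Request URL carries a msg_signature (SHA-1 over the sorted token, timestamp, nonce and ciphertext) and an AES-256-CBC encrypted body, and the receiver must answer with an encrypted "success" in the same envelope. This is added example code, not SASE's or DingTalk's own implementation; the secrets and CorpId in it are constructed sample values, and the assumption that the trailing owner key is the CorpId of an internal application is labelled in the comments. It simulates both sides so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"sort"
	"time"
)

// Envelope is the JSON body DingTalk POSTs to the Request URL and the body the
// receiver must POST back; field names follow DingTalk's callback documentation.
type Envelope struct {
	Signature string `json:"msg_signature"`
	Timestamp string `json:"timeStamp"`
	Nonce     string `json:"nonce"`
	Encrypt   string `json:"encrypt"`
}

// Crypto holds the Signature Token and Encryption Aes_key from the DingTalk
// Event Subscription page, plus the owner key (assumed here to be the CorpId).
type Crypto struct {
	token, ownerKey string
	aesKey          []byte // 32 bytes decoded from the 43-character Aes_key
}

func New(token, encodingAESKey, ownerKey string) (*Crypto, error) {
	key, err := base64.StdEncoding.DecodeString(encodingAESKey + "=")
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("Encryption Aes_key must be 43 base64 characters (32 bytes)")
	}
	return &Crypto{token: token, ownerKey: ownerKey, aesKey: key}, nil
}

// sign computes msg_signature: SHA-1 over the sorted concatenation of the
// token, timestamp, nonce and base64 ciphertext.
func (c *Crypto) sign(timestamp, nonce, encrypt string) string {
	p := []string{c.token, timestamp, nonce, encrypt}
	sort.Strings(p)
	return fmt.Sprintf("%x", sha1.Sum([]byte(p[0]+p[1]+p[2]+p[3])))
}

// Decrypt checks the signature before touching the ciphertext, then unwraps
// AES-256-CBC (IV = first 16 key bytes) with the plaintext layout
// random(16) | msgLen(4, big-endian) | msg | ownerKey, PKCS#7-padded to 32.
func (c *Crypto) Decrypt(e Envelope) (string, error) {
	if e.Signature != c.sign(e.Timestamp, e.Nonce, e.Encrypt) {
		return "", fmt.Errorf("msg_signature mismatch: wrong Signature Token or tampered body")
	}
	ct, err := base64.StdEncoding.DecodeString(e.Encrypt)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", fmt.Errorf("encrypt is not a valid AES-CBC ciphertext")
	}
	block, _ := aes.NewCipher(c.aesKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, c.aesKey[:16]).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > 32 || len(pt)-pad < 20 {
		return "", fmt.Errorf("bad padding: wrong Encryption Aes_key")
	}
	pt = pt[:len(pt)-pad]
	n := int(binary.BigEndian.Uint32(pt[16:20]))
	if 20+n > len(pt) || string(pt[20+n:]) != c.ownerKey {
		return "", fmt.Errorf("length or owner key mismatch: not encrypted for this tenant")
	}
	return string(pt[20 : 20+n]), nil
}

// Encrypt builds the same envelope; the receiver uses it for the "success"
// reply, and this example also uses it to simulate DingTalk's push.
func (c *Crypto) Encrypt(msg string) Envelope {
	rnd := make([]byte, 16)
	rand.Read(rnd) // crypto/rand.Read always fills the slice
	var buf bytes.Buffer
	buf.Write(rnd)
	binary.Write(&buf, binary.BigEndian, uint32(len(msg)))
	buf.WriteString(msg + c.ownerKey)
	pad := 32 - buf.Len()%32
	buf.Write(bytes.Repeat([]byte{byte(pad)}, pad))
	block, _ := aes.NewCipher(c.aesKey)
	ct := make([]byte, buf.Len())
	cipher.NewCBCEncrypter(block, c.aesKey[:16]).CryptBlocks(ct, buf.Bytes())
	enc := base64.StdEncoding.EncodeToString(ct)
	ts, nonce := fmt.Sprint(time.Now().Unix()), fmt.Sprintf("%x", rnd[:8])
	return Envelope{Signature: c.sign(ts, nonce, enc), Timestamp: ts, Nonce: nonce, Encrypt: enc}
}

func main() {
	// Constructed sample secrets and CorpId, not real credentials.
	c, err := New("example-signature-token", "0123456789abcdefghijklmnopqrstuvwxyzABCDEFA", "dingexamplecorpid")
	if err != nil {
		panic(err)
	}
	push := c.Encrypt(`{"EventType":"check_url"}`) // what DingTalk pushes to verify the URL
	plain, err := c.Decrypt(push)                   // the Request URL endpoint verifies and unwraps it
	fmt.Println(plain, err, c.Encrypt("success"))   // and must answer with an encrypted "success"
}
```

The order of checks in Decrypt is the point: the signature is verified first, so a push with a wrong token or a modified body is rejected before any decryption happens, and a wrong Aes_key shows up as a padding error rather than garbage events. A mismatch in either secret between SASE and DingTalk therefore means every address book change is silently dropped, which is why the troubleshooting list in Step 5 starts with those two values.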
Step 5: Verify the connection
Open the SASE client.
Enter your enterprise ID, then click Confirm. Get the enterprise ID from the SASE console: go to Settings and copy the Enterprise Authentication Identifier.
Log on with your DingTalk username and password, or scan the QR code.
Connection successful
If the logon succeeds, the SASE client opens and you can access your enterprise resources. The DingTalk integration is fully configured.
Connection failed
If the logon fails, check the following:
Confirm the AES Encryption Key and Encryption Token in SASE match the values on the DingTalk Event Subscription page.
Confirm the Request URL in DingTalk matches the Request Address in the SASE identity source panel.
Confirm the IdP status is Enabled in the SASE console.
Confirm the callback domain https://login.aliyuncsas.com/open-dev/dingtalk is added under Login Integration on the DingTalk Sharing Settings page.
Confirm the permissions from Step 2.1 are enabled for All Employees; if the permission scope excludes the user, the sync cannot read that user and the logon fails.