Connect your Lightweight Directory Access Protocol (LDAP) identity provider (IdP) to Secure Access Service Edge (SASE) to let employees log on to the SASE client using their existing LDAP accounts. This eliminates the need to maintain a separate identity system for SASE and lets you manage private access and Internet access permissions from the SASE console.
Prerequisites
Before you begin, make sure that you have:
An activated SASE subscription with the SASE client installed. See Apply for a free trial and Use the settings feature.
A running LDAP directory service (Microsoft Active Directory or OpenLDAP) that manages your organizational structure and security groups.
An LDAP administrator account with credentials (DN and password) that can read the directory.
Scenario
Enterprise A uses Microsoft Active Directory (AD) to manage users across two departments and a security group:
| Group | Members | Notes |
|---|---|---|
| Department 1 | user1, user2, user3 | user2 is the administrator |
| Department 2 | user4, user5 | |
| Security group | user2, user4 | |
This topic walks through connecting the LDAP IdP to SASE by syncing the security group's organizational structure. The example uses the following values:
Base DN of the security group: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=sasetest,DC=com
Base DN of administrator user2: CN=Person,CN=Schema,CN=Configuration,DC=sasetest,DC=com
Administrator password: 123456******
This topic uses the default LDAP attributes. If you have customized your attributes, substitute the actual attribute names.
Overview
This topic does not cover LDAP setup. The prerequisite is that your enterprise already uses LDAP to manage its organizational structure.
Step 1: Connect your LDAP IdP to SASE
Connect your LDAP IdP to SASE to sync the organizational structure and enable LDAP-based logon for your users.
1. Log on to the SASE console. In the left-side navigation pane, choose Identity Authentication and Management > Identity Access.
2. On the IdP Management tab, click Add IdP.
3. In the Add panel, set Authentication Type to Single IdP and Enterprise IdP to LDAP, then configure the settings across three steps.
3a. Basic information
Configure your LDAP server connection and administrator credentials, then click Next.
| Parameter | Description | Example |
|---|---|---|
| IdP configuration status | Enable or disable the IdP. If another IdP or IdP combination is already enabled, disable it on the IdP Management page before enabling this one. | Enabled |
| Type | The directory service type. | Windows AD |
| Configuration name | A unique name for this IdP. 2–100 characters; letters, digits, hyphens (-), and underscores (_) are allowed. | test_001 |
| Description | Displayed on the SASE client as the logon title, so users know which IdP they are logging in to. | LDAP |
| Server address | The IP address or hostname of your AD or OpenLDAP server. | 10.10.XX.XX |
| Server port number | The port number of your AD or OpenLDAP server. Contact your administrator if you are unsure of the actual port number. | 389 |
| SSL connection | Enable to encrypt data in transit between SASE and your LDAP server. | No |
| Base DN | The distinguished name (DN) of the user node to authenticate. SASE authenticates all accounts under this node. 2–100 characters. | CN=Organizational-Unit,CN=Schema |
| Organizational structure synchronization | The DN and password of an administrator account. SASE uses these credentials to read the organizational structure for batch policy management. User data is not stored. | DN: CN=user1,OU=Security Group,DC=sasetest,DC=com; Password: 123456**** |
If the users and groups to authenticate belong to different nodes, configure User base DN and Group base DN in the Advanced settings section instead of using Base DN.
3b. Attribute configuration
Map your LDAP directory attributes to SASE fields so that SASE can identify users and groups, then click Next.
| Parameter | Description | Example |
|---|---|---|
| Logon username attribute | The LDAP attribute that holds the username employees enter when logging on. Default options: cn, name, givenName, displayName, userPrincipalName, sAMAccountName. You can also enter a custom attribute. | cn |
| Display user name attribute | The LDAP attribute shown as the account username in the SASE client. Same default options as above. | cn |
| Group name attribute | The LDAP attribute used as the group name. Default options: cn, name, sAMAccountName. You can also enter a custom attribute. | cn |
| Group mapping attribute | The LDAP attribute that maps users to their groups. Default: memberOf. Make sure this matches the attribute name in your LDAP directory. | memberOf |
| Group filter | An LDAP filter to select the groups to sync. Common examples: (objectClass=organizationalUnit), (&(objectClass=organizationalUnit)(objectClass=organization)). See LDAP Filters for filter syntax. | (objectClass=organizationalUnit) |
| User filter | An LDAP filter to select the users to sync. Common examples: (objectClass=person), (&(objectClass=person)(objectClass=user)). See LDAP Filters for filter syntax. | (objectClass=person) |
| Email attribute | The LDAP attribute for email addresses. Default: email. Make sure this matches the attribute name in your directory. | |
| Mobile phone number attribute | The LDAP attribute for phone numbers. Default: telephoneNumber. Make sure this matches the attribute name in your directory. | telephoneNumber |
userPrincipalName includes a domain suffix. If you select it as the logon username attribute, users must enter their full domain suffix when logging on — for example, user***@aliyundoc.com.
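Added example (not part of this documentation or the SASE product) for checking the user filter, group filter and memberOf mapping from the table above before typing them into the console: it parses RFC 4515 filters and evaluates them against a small in-memory directory constructed to match the scenario, so no LDAP server is contacted; the entry DNs and the security group's DN are assumptions.

```python
# Constructed in-memory directory modelled on the scenario (Enterprise A, sasetest.com); nothing is
# sent to a real LDAP server. Keys are lower-cased because LDAP attribute names are case-insensitive.
D1, D2 = "CN=Department 1,DC=sasetest,DC=com", "CN=Department 2,DC=sasetest,DC=com"
SG = "CN=Security Group,DC=sasetest,DC=com"  # assumed DN of the security group
def user(name, *groups):  # person entry under its department; memberOf lists every group
    return {"dn": f"CN={name},{groups[0]}", "objectclass": ["person", "user"],
            "cn": [name], "memberof": list(groups)}
ENTRIES = [
    {"dn": D1, "objectclass": ["organizationalUnit"], "cn": ["Department 1"]},
    {"dn": D2, "objectclass": ["organizationalUnit"], "cn": ["Department 2"]},
    {"dn": SG, "objectclass": ["group"], "cn": ["Security Group"]},
    user("user1", D1), user("user2", D1, SG), user("user3", D1),
    user("user4", D2, SG), user("user5", D2),
]
def parse_filter(text):
    """Parse an RFC 4515 filter (subset: equality, presence '*', &, |, !) into nested tuples."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1] if i + 1 < len(text) else ""
        if op in ("&", "|", "!"):
            i, kids = i + 2, []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if i >= len(text) or text[i] != ")" or not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' filter near offset {i}")
            return (op, kids), i + 1
        end = text.find(")", i)
        attr, eq, value = text[i + 1:end].partition("=")
        if end < 0 or not attr or not eq:
            raise ValueError(f"malformed simple filter near offset {i}")
        return ("=", attr, value), end + 1
    node, i = parse(0)
    if i != len(text):
        raise ValueError("unexpected trailing characters")
    return node

def matches(node, entry):  # values compared case-insensitively, as with caseIgnoreMatch
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1].lower(), [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def sync(filter_text, base_dn, name_attr="cn"):  # names SASE would sync under base_dn
    node = parse_filter(filter_text)
    return sorted(e[name_attr.lower()][0] for e in ENTRIES
                  if e["dn"].lower().endswith(base_dn.lower()) and matches(node, e))
```

Running the page's AND example `(&(objectClass=organizationalUnit)(objectClass=organization))` against these entries returns nothing, because no entry carries both object classes; that is the kind of mismatch this check surfaces before the console sync runs.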
3c. Logon and authentication methods
Configure how employees authenticate when they log on to the SASE client.
| Parameter | Options |
|---|---|
| PC logon method | Logon with account and password / Password-free logon |
| Two-factor authentication | Verification code-based authentication (Text message verification — requires a mobile phone number for each user) / OTP-based authentication (requires a working OTP client; supported clients: Google Authenticator, Microsoft Authenticator, and Alibaba Cloud App) |
4. Click OK.
5. Validate the connection: click Logon Test to check whether the configuration is valid. If the test fails with the message "Failed to connect to the LDAP server. Contact the administrator", verify that the server address, port number, and network connectivity are correct.
6. Verify that the organizational structure synced: go to the User Group Management tab and click Create User Group. The panel should display the organizational structure from your LDAP IdP. Allow up to 30 seconds for the initial sync to complete. If the structure does not appear, refresh the page.
Step 2: Verify the IdP connection
Confirm that the connection works end-to-end by logging on to the SASE client as an LDAP user.
1. Open the SASE client.
2. On the SASE Client Logon page, enter your enterprise authentication identifier and click Confirm. Find the enterprise authentication identifier on the Settings page of the SASE console.
3. (Optional) If you configured SMS verification, enter the verification code you receive.
4. Log on with the account and password of user1. If authentication succeeds, the IdP is connected to SASE.