
Secure Access Service Edge:Use SASE to ensure secure access of IDaaS (old version) users

Last Updated:Dec 10, 2024

A connection between Secure Access Service Edge (SASE) and Alibaba Cloud Identity as a Service (IDaaS) allows users to log on to the SASE client by using IDaaS accounts. This way, you can manage access permissions of users in the SASE console to ensure the security of office data in your enterprise. This topic describes how to connect an IDaaS identity provider (IdP) to SASE.

Scenario

SASE helps manage private access permissions and Internet access permissions for your enterprise and protect your office data. If you use IDaaS to manage the user information of your enterprise, you can connect your IDaaS IdP to SASE to allow users to log on to the SASE client by using IDaaS accounts. This way, you do not need to maintain another identity management system for SASE, which reduces the costs for maintaining user information.

Prerequisites

Process


Step 1: Obtain the values of the SP Entity ID and SP ACS URL parameters

Before you connect your IDaaS IdP to SASE, obtain the values of the SP Entity ID and SP ACS URL parameters. You need them in Step 2 to create the Security Assertion Markup Language (SAML) application in IDaaS. Both values are fixed:

  • SP Entity ID: https://saml-csas.aliyuncs.com/saml/metadata

  • SP ACS URL: https://saml-csas.aliyuncs.com/saml/acs

You can also view these values in the SASE console: click Identity Access, and on the IdP Management tab click Add IdP. In the Add panel, set the Enterprise IdP parameter to IDaaS; the SP Entity ID and SP ACS URL values are then displayed.

Step 2: Create a SAML application and grant the permissions to access the application

Create a SAML application for SASE and IDaaS to exchange authentication and authorization data across security domains.

  1. Create an Alibaba Cloud Enterprise Identity Access Management (EIAM) instance. For more information, see Create an instance for free.

  2. Create a SAML application and grant the permissions to access the application.

    1. Log on to the IDaaS console by using the administrator account. In the left-side navigation pane, click EIAM.

    2. On the Legacy Version tab, find the EIAM instance that you created and click Manage in the Actions column.

    3. In the left-side navigation pane, choose Applications > Add Applications.

    4. In the application list, find the SAML application and click Add Application in the Actions column.

      You can also enter SAML in the search box to find it.

    5. In the Add Application (SAML) panel, click Add SigningKey. In the Add SigningKey panel, configure the parameters of the signing key that the IdP uses to sign SAML responses, and then click Submit.

    6. In the Add Application (SAML) panel, find the SAML application that you added and click Select in the Actions column. Configure the following parameters and click Submit.

      Application Name: The name of the application. Example: SAML_test123

      IDaaS IdentityId: The ID of the IDaaS IdP that is used for authentication. This parameter is required. Example: test

      SP Entity ID: Fixed value. Enter https://saml-csas.aliyuncs.com/saml/metadata

      SP ACS URL (SSO Location): Fixed value. Enter https://saml-csas.aliyuncs.com/saml/acs

      NameIdFormat: The format of the NameID that identifies the user in the SAML assertion. Select a format from the drop-down list. Example: format****

      Binding: The method that your IDaaS IdP uses to send the SAML response to the Assertion Consumer Service (ACS) URL of the third-party application or service provider. Retain the default value POST. Example: POST

      Assertion Attribute: The attributes that are added to the SAML assertion. The name of an attribute is custom, and the value must be the corresponding attribute of the IDaaS account. You must configure the following attributes:

      • Username

      • Email

      • Phone number

      Note: The attribute names that you configure here must be consistent with the default attribute settings for an IDaaS IdP in SASE, which are Username, Email, and Phone number. The default settings are displayed in the Attribute Configuration section when you add a single IDaaS IdP on the IdP Management tab of the SASE console. A service provider can only read attributes whose names it expects, so a mismatch here means SASE cannot fill in the corresponding user information.

      Account Linking Type: How an IDaaS account is linked to an application account. Example: Account mapping

      • Account association: An IDaaS account is linked to an application account manually, and the administrator must review the association.

      • Account mapping: The system automatically maps the account name of an IDaaS account, or a specified field, to an application account.

    7. After the application is added, click Grant Permissions in the dialog box that appears.

    8. On the Application authorization subject tab of the Application Authorization page, select the SAML application SAML_test123 that you created and grant the permissions to accounts. Then, click Save.

Step 3: Obtain the metadata file and API information

Perform the following operations to obtain the metadata file and API information to connect your IDaaS IdP to SASE.

  1. Log on to the IDaaS console by using the administrator account. In the left-side navigation pane, click EIAM.

  2. On the Legacy Version tab, find the EIAM instance that you created and click Manage in the Actions column.

  3. In the left-side navigation pane, choose Applications > Application List. On the Application List page, find the SAML application SAML_test123 that you created and click Details in the Actions column.

  4. In the Application Information section, click View Details.

  5. In the Application Details (SAML) panel, click Export Metadata.

  6. In the API section of the Application List page, turn on the API switch and save the values of the API Key and API Secret parameters. Treat the API Secret as a credential: SASE uses it in Step 4 to read your organizational structure, so store it securely and do not share it.
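The following Python script is an added pre-flight check; it is not part of this topic or of the SASE or IDaaS products. It parses IdP metadata of the kind exported in this step and a SAML assertion of the kind the IdP posts to the ACS URL, and compares both with the fixed SP values and the three required assertion attributes from Step 2, so that a wrong audience, recipient, binding, or attribute name is caught before the file is uploaded to SASE. The IdP entity ID, SSO URL, certificate, and user values in the samples are constructed placeholders, and the attribute names are taken literally from this topic; your IDaaS instance may use different names. The script checks structure only and does not verify the XML signature.

```python
# Added pre-flight check for the IDaaS-to-SASE SAML connection. Parses IdP metadata of
# the kind exported in Step 3 and an assertion of the kind the IdP posts to the ACS URL,
# and compares both with the fixed SP values and required attributes from Step 2.
# Structural checks only: XML signatures are not verified here.
import xml.etree.ElementTree as ET

SP_ENTITY_ID = "https://saml-csas.aliyuncs.com/saml/metadata"  # fixed value from this topic
SP_ACS_URL = "https://saml-csas.aliyuncs.com/saml/acs"         # fixed value from this topic
REQUIRED_ATTRS = {"Username", "Email", "Phone number"}           # attribute names from Step 2
SSO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample IdP metadata: entity ID, SSO URL and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idaas.example.com/idp/test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder-base64...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idaas.example.com/idp/sso/test"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion with a placeholder user, as the IdP would POST it to the ACS URL.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idaas.example.com/idp/test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://saml-csas.aliyuncs.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://saml-csas.aliyuncs.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Phone number"><saml:AttributeValue>13800000000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_idp_metadata(xml_text):
    """Return the problems found in exported IdP metadata; an empty list means it looks usable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("entityID attribute is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    # SASE needs the IdP signing certificate to validate signed responses: a KeyDescriptor
    # with use="signing" (or no use attribute) that carries a non-empty certificate.
    certs = [
        c.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text and c.text.strip()
    ]
    if not certs:
        problems.append("no signing X509Certificate")
    # The SP sends its AuthnRequest to a SingleSignOnService endpoint; require a
    # browser-based binding and a TLS location.
    sso = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") in SSO_BINDINGS]
    if not sso:
        problems.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    elif not all(loc.startswith("https://") for loc in sso):
        problems.append("SSO Location is not https")
    return problems


def check_assertion(xml_text):
    """Return the mismatches between an assertion and the fixed SASE SP values."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("Subject has no NameID")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("Recipient != SP ACS URL")
    audiences = {a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not contain SP Entity ID")
    names = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = REQUIRED_ATTRS - names
    if missing:
        problems.append("missing assertion attributes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    print("metadata:", check_idp_metadata(SAMPLE_IDP_METADATA) or "OK")
    print("assertion:", check_assertion(SAMPLE_ASSERTION) or "OK")
```

To use it against a real export, replace SAMPLE_IDP_METADATA with the contents of the metadata file from this step; an empty list means no mismatch was found. An assertion can be captured from the browser during the Step 5 logon (base64-decode the SAMLResponse form field) if you need to confirm the attribute names IDaaS actually emits.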

Step 4: Connect an IDaaS IdP to SASE

Add an IDaaS IdP on the IdP Management tab to connect the IDaaS IdP to SASE.

  1. Log on to the SASE console. In the left-side navigation pane, choose Identity Authentication and Management > Identity Access.

  2. On the IdP Management tab, click Add IdP.

  3. In the Add panel, set the Authentication Type parameter to Single IdP and the Enterprise IdP parameter to IDaaS and configure other parameters. Then, click OK.

    IdP Configuration Status: Whether the IdP is enabled. Only one IdP can be enabled at a time. Example: Enabled

    • Enabled: Enables the IDaaS IdP. If another IdP is already enabled, the new IdP is created in the disabled state; disable the other IdP on the IdP Management tab, and then enable the new one.

    • Disabled: The IdP is created in the disabled state. You can enable it later.

    Configuration Name: The name of the IDaaS IdP. The name must be 2 to 100 characters in length and can contain letters, digits, underscores (_), and hyphens (-). Example: test123

    Description: The description of the IdP. It is displayed on the SASE client as the logon title, so that users can see which IdP they are logging on with. Example: IDaaS

    SAML Metadata File: The IdP metadata file that you exported in Step 3: Obtain the metadata file and API information.

    Grant Read Permissions on Organizational Structure: Specifies whether SASE synchronizes the organizational structure of your enterprise. If you select this option, security policies can be applied in batches based on the organizational structure, and you must enter the API Key and API Secret that you obtained in Step 3: Obtain the metadata file and API information. Example:

    • API Key: dingwjlht8b93ara****

    • API Secret: 1Uji1mEjhmWq_SmE0KNScspYk0bBgDrlZ95vUTR-bn4FbfeVQQKNr1_1giWA****

Step 5: Check whether the IdP is connected

  1. Open the SASE client that you downloaded.

  2. On the SASE Client Logon page, enter your enterprise authentication identifier and click Confirm.

    You can obtain the enterprise authentication identifier on the Settings page of the SASE console.

  3. Optional. If text message-based verification is enabled for user logon, enter the authentication code that you receive on the SMS authentication page.

  4. Enter your IDaaS account and password to log on.

    If the logon is successful, the IdP is connected to SASE.