A connection between Secure Access Service Edge (SASE) and WeCom allows users to log on to the SASE client by using WeCom accounts. This way, you can manage access permissions of WeCom users in the SASE console to ensure the security of office data in your enterprise. This topic describes how to connect a WeCom identity provider (IdP) to SASE.
Scenario
SASE helps manage private access permissions and Internet access permissions for your enterprise and protect your office data. If you use WeCom to manage the user information of your enterprise, you can connect your WeCom IdP to SASE to allow users to log on to the SASE client by using WeCom accounts. This way, you do not need to maintain another identity management system for SASE, which reduces the costs for maintaining user information.
Prerequisites
SASE is activated, and the SASE client is installed. For more information, see Apply for a free trial and Use the settings feature.
The descriptions related to WeCom features in this topic are for reference only. For more information, see official WeCom documentation.
Step 1: Connect a WeCom IdP to SASE
You must connect a WeCom IdP to SASE on the IdP Management tab in the SASE console.
Log on to the SASE console. In the left-side navigation pane, choose .
On the IdP Management tab, click Add IdP.
In the Add IdP panel, set Authentication Type to Single IdP and Enterprise IdP to WeCom. Then, configure the parameters to create a WeCom IdP.
The following table describes the parameters.
Parameter: Configuration Name
Description: The name of the WeCom IdP. The name must be 2 to 100 characters in length, and can contain letters, digits, hyphens (-), and underscores (_).
Example: test_123

Parameter: Description
Description: The description of the IdP. The description is displayed on the SASE client as the logon title. This provides users with the IdP information when they log on to the SASE client.
Example: WeCom data source

Parameter: IdP Configuration Status
Description: Specifies whether to enable the IdP. Valid values:
Enabled: If no IdP is enabled, you can enable the created IdP.
Disabled: If another IdP is enabled, you can disable the created IdP. After you disable another IdP on the IdP Management tab, you can enable the created IdP.
Important: If you turn off IdP Configuration Status, users cannot access office applications by using the SASE client. Proceed with caution.
Example: Enabled
Click Obtain Authorization QR Code and use WeCom to scan the quick response (QR) code as an administrator.
After the authorization is complete, click View in List.
Configure the Schema parameter. Then, click OK.
You must contact the SASE technical support team to obtain the value of the Schema parameter. Example: wwauth4151efa784c9324d00****.
After you configure a WeCom IdP, a self-managed SASE application is automatically created on WeCom. You must configure the visibility range of the self-managed SASE application on WeCom to ensure that the organizational structure in WeCom is synchronized to the self-managed SASE application. During the process, the SASE technical support team needs to submit an application for application permission change. The WeCom administrator of your enterprise needs to grant the permissions that are required in the application. For more information, see How to configure the visibility range of a third-party application.
Step 2: Check whether the IdP is connected
After the IdP is connected, a user can use a WeCom account to log on to the SASE client.
Open the SASE client.
On the Welcome page, enter your enterprise authentication identifier and click OK.
You can obtain the enterprise authentication identifier on the Settings page of the SASE console.
Enter your WeCom account and password and click Login.
If the logon is successful, the IdP is connected to SASE.