A connection between Secure Access Service Edge (SASE) and WeCom allows your enterprise users to log on to SASE directly using their WeCom accounts. This way, you can manage the access permissions of WeCom users in SASE to secure your enterprise's office data. This topic describes how to connect SASE and WeCom.
Scenarios
SASE helps you manage internal network and internet access permissions and protect office data for your enterprise. This service meets your daily office security needs. If you already use WeCom to manage your enterprise's user information, connect SASE to WeCom. This lets users log on to the SASE client directly with their WeCom accounts. You no longer need to maintain a separate identity management system for SASE, which reduces the cost of maintaining user information.
Prerequisites
SASE is activated and the SASE client is installed. For more information, see Apply for a free trial and Use the settings feature.
The information about the WeCom platform is for reference only. For more information, see the official WeCom documentation.
Step 1: Connect SASE to WeCom data
You can connect to WeCom using the identity source management feature in SASE.
Log on to the SASE console.
In the navigation pane on the left, choose .
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select WeCom, click Configure, and then configure the parameters as described in the following table.
| Parameter | Description | Example |
| --- | --- | --- |
| IdP Name | The name of the WeCom identity source. The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_). | test_123 |
| Description | The description of the configuration. The description is displayed as the logon title on the SASE client interface. This helps users identify the identity source when they log on. | WeCom data source |
| IdP Status | Set the status of the identity source as required. Valid values: Enabled (the identity source is enabled after creation) and Closed (the identity source is disabled after creation). Important: If you disable an identity source, end users cannot use the SASE App to access internal applications. Proceed with caution. | Enabled |
| Automatic Synchronization | After you enable Automatic Synchronization, the system automatically synchronizes information from WeCom based on the synchronization mode. If you do not enable Automatic Synchronization, you must manually synchronize the organizational structure. For more information, see Connect an LDAP IdP to SASE. | Enabled |
| Synchronize User Information | After you enable Synchronize User Information, the system automatically synchronizes employee information from WeCom based on the Automatic Synchronization Cycle. Note: The Synchronize User Information feature does not take effect if the Automatic Synchronization feature is disabled. | Enabled |
| Automatic Synchronization Cycle | Set the Automatic Synchronization Cycle. You can set the cycle to a value from 1 hour to 24 hours. | 24 hours |
Click Obtain Authorization QR Code and use a WeCom administrator account to scan the QR code to grant permissions.
After the authorization is successful, you can view the new WeCom identity source on the Identity synchronization tab.
In the Actions column, click Edit. In the Edit IdP panel, set the Schema value. Then, click Next.
Important: You can obtain the Schema value from an SASE engineer by submitting a ticket. For example: wwauth4151efa784c9324d00****.
In the Synchronization Settings wizard, configure the synchronization scope for the organizational structure and field mappings. Then, click OK to complete the configuration.
| Parameter | Description |
| --- | --- |
| Organizational Structure Synchronization | Configure the synchronization scope for the organizational structure. Synchronize All: Synchronizes the entire organizational structure from WeCom to the SASE system. Partially Synchronize: Select the organizational structure to synchronize. |
| Field Synchronization Mapping | Configure the mapping between WeCom organizational structure fields and SASE synchronization fields. Note: If the built-in Local Field After Mapping values in the SASE system do not meet your business requirements, click View Extended Fields in the upper-right corner of the list. In the View Extended Fields panel, add, edit, or delete extension fields as needed. |
After you add the WeCom identity source, a self-managed SASE application is automatically created in WeCom. You must set the Visibility Range for the SASE application in WeCom to ensure that the WeCom organizational structure is synchronized to the SASE application. For more information, see How to set the visibility range of a third-party application.
Step 2: Verify the connection
After the connection is established, your enterprise users can log on to SASE using their WeCom accounts.
Open the installed SASE App.
Enter the enterprise ID, and then click Confirm.
To obtain the enterprise ID, log on to the SASE console and, in the navigation pane on the left, go to the Settings page to find the Enterprise Authentication Identifier.
Enter your WeCom account and password, and click Log On.
If the logon is successful, the connection is established.