
Secure Access Service Edge:Connect to a custom identity provider

Last Updated:Mar 31, 2026

If your enterprise doesn't use a dedicated identity provider (IdP) to manage its organizational structure, create a custom IdP directly in SASE. This lets you control which users are authorized to access internal applications through the SASE App, without relying on an external directory service.

If your enterprise already uses LDAP, DingTalk, WeCom, Lark, or IDaaS, connect that IdP to SASE instead. See What's next for the relevant guides.

Prerequisites

Before you begin, ensure that you have:

  • An activated SASE service. After activation, a default custom IdP is created automatically — skip the creation steps if it already exists.

  • Confirmed that no other custom IdP is currently enabled, or that you are prepared to disable it first. Only one custom IdP can be enabled at a time.

Create a custom identity provider

  1. Log on to the SASE console.

  2. In the left navigation pane, choose Identity Authentication > Identity Access.

  3. On the Identity synchronization tab, click Create IdP.

  4. In the Create IdP panel, select Custom IdP, then click Configure.

  5. In the Basic Configurations section, set the following parameters, then click Next.

    Important

    Disabling the custom identity provider prevents end users from using the SASE App to access internal applications. Proceed with caution.

    Parameter | Description
    IdP Name | A name for the custom IdP. Must be 2–100 characters and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).
    IdP Status | Set to Enabled if no other custom IdP is currently enabled. Set to Closed if another custom IdP is already enabled — you can enable this new one after disabling the existing one.
  6. In the Logon Settings section, configure logon methods for PCs and mobile devices.

    PC logon method

    Option | Details
    Logon with Account and Password | Users log on with a username and password. Optionally enable Two-factor Authentication (see below).
    Password-free Logon | Users must first download and log on to the SASE mobile app, and then scan a QR code to authenticate.

    (Optional) If you select Logon with Account and Password for PCs, enable Two-factor Authentication and select an OTP Mode:

    • Allow SASE mobile client to display tokens — Uses the built-in one-time password (OTP) feature in the SASE mobile app. Employees must have the app installed.

    • Allow third-party app tokens — Works with standard OTP apps such as the Alibaba Cloud app. Make sure the OTP client clock is synchronized.

    • Allow proprietary enterprise tokens — For self-developed OTP systems. Configure this with the help of technical personnel.

    Alternatively, enable Verification Code-based Authentication: users receive a verification code by text message or email. Make sure each user account has a mobile phone number or email address configured in the IdP.

    Mobile device logon method

    Option | Details
    Logon with Account and Password | Users log on with a username and password. Optionally enable Two-factor Authentication (see below).
    Fingerprint or Face Recognition | Biometric authentication. Users must still enter a username and password on the first logon.

    (Optional) If you select Logon with Account and Password for mobile devices, enable Two-factor Authentication:

    • OTP-based Authentication — First enable OTP for PCs and select either Allow Tokens on Third-party Applications or Allow Enterprise-owned Tokens. The token configuration for mobile devices mirrors the PC configuration.

    • Verification Code-based Authentication — Make sure each user account has a mobile phone number or email address configured in the IdP.

  7. Click Confirm.

Note

Automatic synchronization is not supported for custom identity providers.
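The third-party token option above depends on the OTP client's clock being synchronized, because time-based one-time passwords (TOTP, RFC 6238) are derived from the current 30-second time step. The following added example (not SASE's own code; the key and timestamps are the RFC 4226/6238 test values, and the verification-window policy is an assumption) shows why: a verifier that tolerates one step of drift accepts a client that is 20 seconds fast but rejects one that is 60 seconds fast.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of time steps since the Unix epoch."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, server_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code if it matches the current step or any step within +/- `window`.

    `window` is an assumed policy value: it bounds how much client clock drift the
    verifier tolerates. Comparison is constant-time to avoid leaking partial matches.
    """
    base = int(server_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + delta, digits), code):
            return True
    return False


# Constructed demonstration using the RFC test key "12345678901234567890".
KEY = b"12345678901234567890"
SERVER_TIME = 59  # the verifier's clock (step 1)


def drift_demo() -> dict:
    """Return whether codes from clients with different clock drift are accepted."""
    return {
        "in_sync": verify_totp(KEY, totp(KEY, SERVER_TIME), SERVER_TIME),
        "20s_fast": verify_totp(KEY, totp(KEY, SERVER_TIME + 20), SERVER_TIME),   # step 2, within window
        "60s_fast": verify_totp(KEY, totp(KEY, SERVER_TIME + 60), SERVER_TIME),   # step 3, outside window
    }


if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(KEY, 59, digits=8))
    print(drift_demo())
```

Widening the window makes the verifier more tolerant of drift at the cost of accepting more stale codes, so the practical fix is to keep the OTP client's clock synchronized (for example via NTP) rather than to widen the window.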

Manage custom identity providers

Operation | Steps
Edit a custom IdP | On the Identity synchronization tab, find the IdP and click Edit in the Actions column.
Disable a custom IdP | On the Identity synchronization tab, find the IdP and turn off the switch in the IdP Status column.
Delete a custom IdP | On the Identity synchronization tab, find the IdP and click Delete in the Actions column.

What's next

If your enterprise already uses an external IdP (LDAP, DingTalk, WeCom, Lark, or IDaaS), connect it to SASE to import your existing organizational structure and user directory. See the guide for your IdP.

To create user groups outside your enterprise organizational structure, see User Group Management.