SASE provides identity-driven security policies. If your company uses a DingTalk identity source to manage its organizational structure, you can connect it to SASE. This eliminates the need to create separate identity information for your employees. After you connect the DingTalk identity source, your employees can use their existing company accounts to log on to the SASE App. This topic describes how to connect a DingTalk identity source.
Limits
You can enable a maximum of five identity sources at a time. Only one custom identity source can be enabled at a time. If you reach the quota, you must disable an existing identity source before you can enable a new one.
Configure and enable a DingTalk identity source
Log on to the SASE console.
In the navigation pane, choose .
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select DingTalk, click Configure, and then follow the wizard to complete the configuration.
In the Basic Configurations step, configure the parameters as described in the following table.
Parameter
Description
IdP Name
The name of the DingTalk identity source.
The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).
Description
The description of the configuration.
This description is displayed as the logon title on the SASE client to provide information about the identity source during logon.
IdP Status
Specifies the status of the identity source. Valid values:
Enabled: Enables the identity source after it is created.
Disabled: Disables the identity source after it is created.
Important: If you disable the identity source, end users cannot use the SASE App to access internal applications. Proceed with caution.
CorpId
The ID of the enterprise in DingTalk. Each enterprise has a unique CorpId. Obtain the CorpId from the homepage of DingTalk Open Platform.
AppKey
The AppKey of the application created on DingTalk Open Platform. Obtain the AppKey from the Credentials And Basic Information page of the target application on DingTalk Open Platform.
AppSecret
The AppSecret of the application created on DingTalk Open Platform. Obtain the AppSecret from the Credentials And Basic Information page of the target application on DingTalk Open Platform.
Advanced Settings
DingTalk Type: Select DingTalk Standard or Dedicated DingTalk.
Event Subscription: After you configure event subscription, the organizational structure of your employees is synchronized to SASE. This ensures that SASE security policies are promptly updated when the organizational structure is adjusted or employees leave the company.
AES Encryption Key
Obtain the encrypted aes_key from the Event Subscription page of the target application on DingTalk Open Platform.
Encrypted Token
Obtain the encrypted token from the Event Subscription page of the target application on DingTalk Open Platform.
Automatic Synchronization
After you enable Automatic Synchronization, the system automatically syncs information from DingTalk based on the synchronization mode.
If you do not enable Automatic Synchronization, you must manually sync the organizational structure. For more information, see View sync records.
Synchronize User Information
After you enable Synchronize User Information, the system automatically syncs employee information from DingTalk based on the Automatic Synchronization Cycle.
Note: The Synchronize User Information feature does not run if Automatic Synchronization is disabled.
Automatic Synchronization Cycle
Set the Automatic Synchronization Cycle. You can set the interval from 1 hour to 24 hours.
The required URLs for the configuration are also provided. You can click the links at the bottom of the panel to copy them.
Copy Request URL: This URL is used to configure subscription management on DingTalk Open Platform.
Copy Application Homepage Address: This URL is used to view application details on DingTalk Open Platform.
Copy Callback Domain Name: This URL is used to set the callback domain name on DingTalk Open Platform.
Click Connectivity Test. After the test is successful, click Next.
Note: If the Connection Failed message appears, check whether the server address and server port are correctly configured.
In the Synchronization Settings step, configure the synchronization scope for the organizational structure and the field mappings. Then, click Confirm.
Parameter
Description
Organizational Structure Synchronization
Configure the scope for organizational structure synchronization.
Synchronize All: Syncs the entire organizational structure from DingTalk to SASE.
Partially Synchronize: Select the organizational structure to sync.
Field Synchronization Mapping
Configure the mapping between DingTalk organizational structure fields and SASE synchronization fields.
Note: If the built-in Local Field After Mapping in SASE does not meet your business requirements, click View Extended Fields in the upper-right corner of the list. In the View Extended Fields panel, you can add, edit, or delete extended fields.
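The AES Encryption Key and Encrypted Token entered under Event Subscription are the shared secrets that protect DingTalk's event callbacks. The following Python is an added example, not SASE or DingTalk code: assuming DingTalk's published callback scheme (a 43-character base64 aes_key, and a SHA-1 signature over the sorted token, timestamp, nonce and encrypted body), it checks a key's format before you paste it into the console and shows how a callback receiver verifies a signature. All function names and sample values are constructed for illustration, and the replay window with millisecond timestamps is an added assumption.

```python
import base64
import hashlib
import hmac


def check_aes_key(aes_key: str) -> bytes:
    """Return the 32-byte AES key encoded by a 43-character aes_key."""
    if len(aes_key) != 43:
        raise ValueError("aes_key must be exactly 43 characters")
    # Appending '=' completes the base64 padding; validate=True rejects
    # characters outside the base64 alphabet (e.g. a stray space from copy/paste).
    key = base64.b64decode(aes_key + "=", validate=True)
    if len(key) != 32:
        raise ValueError("aes_key does not decode to 32 bytes")
    return key


def callback_signature(token: str, timestamp: str, nonce: str, encrypt: str) -> str:
    """SHA-1 hex digest of the four values sorted lexicographically and joined."""
    joined = "".join(sorted([token, timestamp, nonce, encrypt]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def verify_callback(token, signature, timestamp, nonce, encrypt,
                    now_ms, max_age_ms=300_000):
    """Accept a callback only if its signature matches and it is recent."""
    expected = callback_signature(token, timestamp, nonce, encrypt)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode("utf-8")):
        return False
    # Replay window: added hardening, assuming Unix-millisecond timestamps.
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    return abs(now_ms - int(timestamp)) <= max_age_ms


# Constructed sample values, not real credentials.
SAMPLE_AES_KEY = base64.b64encode(bytes(range(32))).decode().rstrip("=")
SAMPLE_TOKEN = "example-token"
SAMPLE = {"timestamp": "1700000000000", "nonce": "n0nce",
          "encrypt": "Q09OU1RSVUNURUQ="}
SAMPLE_SIG = callback_signature(SAMPLE_TOKEN, **SAMPLE)

if __name__ == "__main__":
    print(len(check_aes_key(SAMPLE_AES_KEY)), "byte key")
    print(verify_callback(SAMPLE_TOKEN, SAMPLE_SIG, now_ms=1700000001000, **SAMPLE))
```

A callback whose signature was computed with a different token, or whose body was altered in transit, fails the first check, which is why the token and aes_key should be handled like the AppSecret.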
View synchronization records
On the Identity synchronization tab, find the desired identity source and click Synchronize Records in the Actions column.
On the Synchronize Records page, you can view the synchronization records for the identity source.
In the Synchronization Task area on the left side of the page, click a specific sync task to view its synchronization information in the list on the right.

Click Details in the Actions column for a specific task to view the field information of the Third-party Data Source and the SASE Data Source for that synchronization.
Manual synchronization
If you did not enable Automatic Synchronization when you configured the identity source, or if the structure of your identity source has changed, you must manually synchronize the information. To do this, click Create Synchronization Task and then click OK. Wait for the sync task to complete successfully before you view the synchronization records.
After the synchronization is successful, you can view the synchronized organizational structure and employee information on the tab. For more information, see Employee Center.
Disable automatic synchronization
On the Identity synchronization page, find the desired identity source and turn off the switch in the Automatic Synchronization column.
In the Edit IdP panel, turn off the automatic synchronization switch.
Edit a DingTalk identity source
On the Identity synchronization page, find the DingTalk identity source and click Edit in the Actions column to modify its information.
Disable a DingTalk identity source
On the Identity synchronization tab, find the DingTalk identity source and turn off the switch in the IdP Status column.
Delete a DingTalk identity source
On the Identity synchronization page, find the DingTalk identity source and click Delete in the Actions column to delete the identity source.
References
Configure a SASE identity source
If your company does not use an existing identity source, you can use the custom identity source provided by SASE to establish an organizational structure. For more information, see Configure a SASE identity source.
Connect a third-party identity source
If your company uses one of the following identity sources to manage its organizational structure, you can connect the identity source to SASE: LDAP, DingTalk, WeCom, Lark, or IDaaS.
Configure a user group
To create user groups outside your company's organizational structure, see User group management.