Secure Access Service Edge:Connect to a Lark identity provider

Step 1: Get credentials from the Lark Open Platform

Before configuring SASE, retrieve the following values from the Lark Open Platform:

Step 2: Configure the Lark data source in SASE

1. Log in to the SASE console.

2. In the left navigation pane, choose Identity Authentication > Identity Access.

3. On the Identity synchronization tab, click Create IdP.

4. In the Create IdP panel, select Lark, click Configure, and complete the configuration wizard.

5. In the Basic Configurations step, set the following parameters:

   Parameter	Description
   IdP Name	A name for the Lark data source. Must be 2–100 characters and can include Chinese characters, letters, digits, hyphens (-), and underscores (_).
   Description	A description displayed on the SASE client as the logon title. This helps employees identify the data source when logging in.
   IdP Status	The initial status of the identity source: Enabled or Closed. Important If you disable an identity source, end users cannot use the SASE app to access internal applications. Proceed with caution.
   App ID	The ID of your self-built application on the Lark platform.
   App Secret	The password of your self-built application on the Lark platform.
   Redirect URL	Static value: https://login.aliyuncsas.com/open-dev/feishu. Copy this value and configure it in the Lark Open Platform under Developer Console > Enterprise-built Application > Security Settings.
   Automatic Synchronization	Enable to let SASE automatically sync the org structure from Lark on a schedule. If disabled, you must trigger syncs manually.
   Synchronize User Information	Enable to automatically sync employee information based on the Automatic Synchronization Cycle. Has no effect if Automatic Synchronization is disabled.
   Automatic Synchronization Cycle	The sync interval. Valid values: 1 hour to 24 hours.

   (Optional) Advanced Settings — Event subscription

   Configure event subscription to push real-time org changes (such as employee resignations or department restructuring) to SASE immediately, instead of waiting for the next scheduled sync.

   Parameter	Description
   Encrypt Key	Obtained from the Address Book Synchronization page on the Lark Open Platform.
   Verification Token	Obtained from the Address Book Synchronization page of your application on the Lark Open Platform.
   Request URL	This value is used to configure the redirection URL on the Lark Open Platform.

   Subscribed events: Department Created, Department Deleted, Department Information Changed, Employee Resigned, and Employee Information Changed.

6. Click Connectivity Test. After the test succeeds, click Next.

   If the Connection Failed message appears, check whether the specified information is correct.

7. In the Synchronization Settings step, configure the sync scope and field mappings, then click OK.

   Parameter	Description
   Organizational Structure Synchronization	Synchronize All: syncs the entire org structure from Lark to SASE. Partially Synchronize: select specific parts of the org structure to sync.
   Field Synchronization Mapping	Maps Lark org structure fields to SASE fields. If the built-in Local Field After Mapping options don't meet your needs, click View Extended Fields in the upper-right corner to add, edit, or delete extension fields.

After completing the wizard, the Lark data source appears on the Identity synchronization tab.

Manual synchronization

If you did not enable Automatic Synchronization, or if your org structure has changed and you need an immediate sync, click Create Synchronization Task and then click OK. Wait for the task to complete before reviewing the records.

After a successful sync, view the updated org structure and employee information under Identity Authentication > Identity Access > Employee Center. For more information, see Employee Center.