Connect WeCom (企业微信) to SASE to sync your company's organizational structure and let employees log on to the SASE App using their existing WeCom accounts. After the connection is set up, you can:
Automatically sync your WeCom organizational structure and employee information to SASE
Apply identity-driven security policies based on your existing WeCom groups and users
Eliminate manual user provisioning in SASE
Limits
Up to 5 identity sources can be enabled at the same time.
Only 1 of the 5 can be a custom identity source.
If you've reached the limit, disable an existing identity source before enabling a new one.
Prerequisites
Before you begin, ensure that you have:
A WeCom administrator account — required to scan the authorization QR code
The Schema value for your organization — submit a ticket to contact SASE engineers to get this value before starting
Configure a WeCom identity source
Step 1: Create the IdP in SASE
Log on to the SASE console.
In the navigation pane, choose Identity Authentication > Identity Access.
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select WeCom, click Configure, and set the following parameters.
| Parameter | Description |
|---|---|
| IdP name | A display name for the WeCom identity source. Must be 2–100 characters and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_). |
| Description | A description shown as the logon title on the SASE client, providing identity source context during logon. |
| IdP status | Whether the identity source is active after creation. Enabled: active immediately. Closed: inactive after creation. Important: If you disable an identity source, employees cannot use the SASE App to access internal applications. |
| Automatic synchronization | When enabled, the system syncs organizational structure from WeCom automatically at the configured interval. When disabled, you must trigger synchronization manually. |
| Synchronize user information | When enabled, employee information is synced automatically based on the Automatic synchronization cycle. This setting has no effect if Automatic synchronization is disabled. |
| Automatic synchronization cycle | The sync interval. Set a value from 1 hour to 24 hours. |

Click Obtain Authorization QR Code, then use your WeCom administrator account to scan the QR code.
After authorization succeeds, the new WeCom identity source appears on the Identity synchronization tab.
Step 2: Configure the schema
On the Identity synchronization tab, find the WeCom identity source and click Edit in the Actions column.
In the Edit IdP panel, enter the Schema value.
Important: Submit a ticket to contact SASE engineers to get your Schema value before this step.
Click Next.
Step 3: Configure synchronization scope and field mappings
In the Synchronization Settings wizard, configure the following settings, then click Confirm.
| Parameter | Description |
|---|---|
| Organizational structure synchronization | Defines which parts of your WeCom org structure to sync. Synchronize all: syncs the entire organizational structure. Partially synchronize: select specific departments to sync. |
| Field synchronization mapping | Maps fields from your WeCom organizational structure to SASE fields. If the built-in fields under Local field after mapping don't meet your needs, click View extended fields in the upper-right corner to add, edit, or delete extension fields. |
Step 4: Set the WeCom app visibility scope
After you add the WeCom identity source, SASE automatically creates a self-managed application in WeCom. Set the Visibility Scope for this application in WeCom to ensure the organizational structure syncs correctly to SASE.
For instructions on setting the visibility scope, see How to set the visibility scope for third-party applications.
View synchronization records
On the Identity synchronization tab, find the identity source and click Synchronize Records in the Actions column.
On the Synchronize Records page, click a task in the Synchronization Task area on the left to view its details on the right.
Click Details in the Actions column to see the field-level comparison between Third-party Data Source and SASE Data Source for that synchronization.

Manual synchronization
If you didn't enable Automatic Synchronization when configuring the identity source, or if your organizational structure has changed and you need an immediate sync, click Create Synchronization Task, then click OK. Wait for the task to complete before viewing the synchronization records.
After synchronization completes, view the synced organizational structure and employee information on the Identity Authentication > Identity Access > Employee Center tab. For more information, see Employee Center.
Disable automatic synchronization
Use either of the following methods:
On the Identity synchronization tab, find the identity source and turn off the switch in the Automatic Synchronization column.
In the Edit IdP panel, turn off the automatic synchronization switch.
More operations
| Operation | Steps |
|---|---|
| Edit a WeCom identity source | On the Identity synchronization tab, find the WeCom identity source and click Edit in the Actions column. |
| Disable a WeCom identity source | On the Identity synchronization tab, find the WeCom identity source and turn off the switch in the IdP Status column. |
| Delete a WeCom identity source | On the Identity synchronization tab, find the WeCom identity source and click Delete in the Actions column. |
What's next
Use a different identity source
If your company uses a different directory service, connect it to SASE:
Configure a SASE identity source — if your company doesn't use an external directory, use SASE's built-in custom identity source
Organize users outside the org structure
To create user groups that span departments or sit outside the synchronized organizational structure, see User group management.