Connect your company's IDaaS (Identity as a Service) identity provider to SASE so employees can log on to the SASE App with their existing corporate accounts. Once connected, you can issue security policies based on your organizational structure without re-creating identity data in SASE.
## Prerequisites

Before you begin, ensure that you have:

- Access to the SASE console
- Admin access to your IDaaS instance (new or old version)
- The SAML metadata file exported from your IDaaS instance
## Limitations

- Up to 5 identity providers can be enabled at the same time
- Only 1 custom identity provider can be enabled at a time

If you've reached the limit, disable an existing identity provider before enabling a new one.
## Connect an IDaaS identity provider

1. Log on to the SASE console.
2. In the left navigation pane, choose Identity Authentication > Identity Access.
3. On the Identity synchronization tab, click Create IdP.
4. In the Create IdP panel, select IDaaS, then click Configure.
5. Follow the configuration wizard based on your IDaaS version:
   - New version: See New version IDaaS configuration
   - Old version: See Old version IDaaS configuration
## New version IDaaS configuration

### Step 1: Basic configurations

Configure the following parameters in the Basic Configurations step.
| Parameter | Description |
|---|---|
| IdP Name | A name for this identity provider configuration. Must be 2–100 characters. Allowed characters: Chinese characters, letters, digits, hyphens (-), and underscores (_). |
| Description | A description that appears as the logon title in the SASE client. Helps users identify the provider at login. |
| IdP Status | The initial status after creation. Enabled: the identity source is active immediately. Closed: the identity source is inactive. Important: disabling an identity source prevents employees from accessing internal applications via the SASE App. |
| IDaaS version | Select New Version. |
| Regional instance | The region where your IDaaS instance is located. Select Chinese Mainland or Outside Chinese Mainland. |
| SAML Metadata File | Upload the SAML metadata file. This file is auto-generated by IDaaS when you create an Alibaba Cloud SASE application on the Single Sign-on tab in the IDaaS console. |
| Grant Read Permissions on Organizational Structure | Whether to allow SASE to read your org structure for policy management. Set to Yes to enable batch security policy issuance based on departments. Set to No to skip org sync. |
| LOGO | (Optional) Upload a custom logo. |
If you set Grant Read Permissions on Organizational Structure to Yes, fill in the following API fields. These values are auto-generated by IDaaS when you set up the SASE application.
| Field | Where to find it in IDaaS |
|---|---|
| Instance ID | The ID of your EIAM (Employee Identity and Access Management) instance |
| Application ID | The ID of the Alibaba Cloud SASE application you added to the EIAM instance |
| client_id | Auto-generated on the General Configurations tab |
| client_secret | Auto-generated on the General Configurations tab |
| Public Key Endpoint | Auto-generated on the Account Synchronization tab |
| Encryption/Decryption Key | Auto-generated on the Account Synchronization tab |
| URL for Receiving Synchronization Requests | Copy this URL from the SASE console and paste it into the sync reception address field in the IDaaS console |
After configuration, SASE reads only the department structure, not individual employee data, when issuing security policies.
Automatic synchronization settings (available when Grant Read Permissions is set to Yes):
| Setting | Description |
|---|---|
| Automatic Synchronization | When enabled, SASE syncs org data from IDaaS automatically. When disabled, you must sync manually. |
| Synchronize User Information | When enabled, SASE automatically syncs employee data on the configured cycle. Requires Automatic Synchronization to be enabled. |
| Automatic Synchronization Cycle | How often SASE syncs from IDaaS. Set to any interval between 1 and 24 hours. |
Connectivity test: If you set Grant Read Permissions on Organizational Structure to Yes, click Connectivity Test before proceeding.

- If the test succeeds: The connection to IDaaS is verified. Click Next to continue to synchronization settings.
- If the test fails: Check your API credentials (Instance ID, Application ID, client_id, client_secret) and verify that the URL for Receiving Synchronization Requests is correctly pasted in the IDaaS console. Then retry.

If you set Grant Read Permissions on Organizational Structure to No, click Confirm to complete the configuration.
### Step 2: Synchronization settings

Configure the org sync scope and field mapping, then click Confirm.
| Parameter | Description |
|---|---|
| Organizational Structure Synchronization | Synchronize All: syncs the entire org structure from IDaaS. Partially Synchronize: select specific departments to sync. |
| Field Synchronization Mapping | Map IDaaS org fields to SASE fields. If the built-in Local Field After Mapping options don't meet your needs, click View Extended Fields in the upper-right corner to add, edit, or delete custom fields. |
## Old version IDaaS configuration

### Basic configurations

Configure the following parameters.
| Parameter | Description |
|---|---|
| IdP Name | A name for this identity provider configuration. Must be 2–100 characters. Allowed characters: Chinese characters, letters, digits, hyphens (-), and underscores (_). |
| Description | A description that appears as the logon title in the SASE client. Helps users identify the provider at login. |
| IdP Status | The initial status after creation. Enabled: the identity source is active immediately. Closed: the identity source is inactive. Important: disabling an identity source prevents employees from accessing internal applications via the SASE App. |
| IDaaS version | Select Old Version. |
| SAML Metadata File | Upload the SAML metadata file. This file is auto-generated by IDaaS when you create the application details (SAML). |
| Grant Read Permissions on Organizational Structure | Whether to allow SASE to read your org structure. Set to Yes to specify API key and automatic synchronization settings. Set to No to skip. |
| SP Entity ID | Static value: https://saml-csas.aliyuncs.com/saml/metadata (pre-filled, do not modify) |
| SP ACS URL | Static value: https://saml-csas.aliyuncs.com/saml/acs (pre-filled, do not modify) |
| LOGO | (Optional) Upload a custom logo. |
If you set Grant Read Permissions on Organizational Structure to Yes, configure the following:
| Field | Description |
|---|---|
| API Key | The API Key for IDaaS authentication |
| API Secret | The API Secret for IDaaS authentication |
| Automatic Synchronization | When enabled, SASE syncs org data from IDaaS automatically. When disabled, you must sync manually. |
| Synchronize User Information | When enabled, SASE automatically syncs employee data on the configured cycle. Requires Automatic Synchronization to be enabled. |
| Automatic Synchronization Cycle | How often SASE syncs from IDaaS. Set to any interval between 1 and 24 hours. |
After configuration, SASE reads only the department structure, not individual employee data, when issuing security policies.

Connectivity test: If you set Grant Read Permissions on Organizational Structure to Yes, click Connectivity Test to verify the connection.

- If the test succeeds: Click Confirm to complete the configuration.
- If the test fails: Check your API Key and API Secret, then retry.

If you set Grant Read Permissions on Organizational Structure to No, click Confirm to complete the configuration.
## View synchronization records

After automatic synchronization completes, review the results to confirm the org data synced correctly.

1. On the Identity synchronization tab, find the identity source and click Synchronize Records in the Actions column.
2. On the Synchronize Records page, the left panel lists individual sync tasks under Synchronization Task. Click a task to see its details on the right.
3. Click Details in the Actions column to compare Third-party Data Source fields against SASE Data Source fields for a specific task.

After a successful sync, view the synced org structure and employee data at Identity Authentication > Identity Access > Employee Center. For more information, see Employee Center.
## Manual synchronization

If automatic synchronization is disabled, or if your org structure has changed and you need an immediate update:

1. On the Synchronize Records page, click Create Synchronization Task.
2. Click OK and wait for the task to complete.
3. Review the sync results in the task list.
## Disable automatic synchronization

To stop automatic synchronization for an identity source, use either method:

- On the Identity synchronization tab, find the identity source and turn off the switch in the Automatic Synchronization column.
- Open the Edit IdP panel and turn off the automatic synchronization switch.
## More operations

| Operation | Steps |
|---|---|
| Edit an IDaaS identity provider | On the Identity synchronization tab, find the provider and click Edit in the Actions column. |
| Disable an IDaaS identity provider | On the Identity synchronization tab, find the provider and turn off the switch in the IdP Status column. |
| Delete an IDaaS identity provider | On the Identity synchronization tab, find the provider and click Delete in the Actions column. |
## What's next

- No identity provider yet? If your company doesn't use an external identity provider, build your org structure with the SASE custom identity provider. See Configure a SASE identity provider.
- Other identity providers: SASE also supports LDAP, DingTalk, WeCom, and Lark.
- User groups: To create groups outside the corporate org structure, see User group management.