
Secure Access Service Edge:Connect an IDaaS data source

Last Updated: Aug 08, 2025

Secure Access Service Edge (SASE) enforces identity-driven security policies. If your enterprise uses an Identity as a Service (IDaaS) identity provider (IdP) to manage its organizational structure, you can connect the IDaaS IdP to SASE without having to reconfigure user identity information. After you connect the IDaaS IdP to SASE, your users can log on to the SASE App with their existing enterprise accounts. This topic describes how to connect an IDaaS IdP to SASE.

Limits

You can enable a maximum of five IdPs at the same time, but only one of them can be a custom IdP. If you have reached this limit, you must disable an existing IdP before you can enable a new one.

Configure an IDaaS data source

  1. Log on to the SASE console.

  2. In the navigation pane, select Identity Authentication > Identity Access.

  3. On the Identity synchronization tab, click Create IdP.

  4. In the Create IdP panel, select IDaaS and click Configure.

  5. The configuration process differs for the new and previous versions of IDaaS. Complete the configuration by following the steps in the wizard.

    IDaaS new version configuration process

    1. In the Basic Configurations step, configure the parameters as described in the following table.

      Configuration item

      Note

      IdP Name

      The name of the IDaaS identity source.

      The name must be 2 to 100 characters long and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

      Description

      The description of the configuration.

      This description appears as the logon title on the SASE client. This lets you identify the identity source when you log on.

      IdP Status

      Configure the identity source status as needed. The options are:

      • Enabled: The identity source is enabled after it is created.

      • Disabled: The identity source is disabled after it is created.

        Important

        Disabling the identity source prevents end users from accessing internal applications with the SASE app. Proceed with caution.

      IDaaS Version

      Select New Version.

      Regional Instance

      Select the region for the instance. You can select a region in Chinese Mainland or Outside Chinese Mainland.

      SAML Metadata File

      Upload the SAML metadata file. This file is automatically generated by IDaaS when you create an Alibaba Cloud SASE application on the Single Sign-On tab.

      Grant Read Permissions on Organizational Structure

      Grant permission to read the departmental structure as needed. Valid values:

      • Yes: Enter the IDaaS API information to get the enterprise directory structure list. Set the following fields:

        • Instance ID: The ID of the new EIAM instance that you created.

        • Application ID: The ID of the Alibaba Cloud SASE application that you added to the new EIAM instance.

        • client_id: The interface authentication ID. IDaaS automatically generates this ID when you create an Alibaba Cloud SASE application on the General Configuration tab.

        • client_secret: The interface authentication key. IDaaS automatically generates this key when you create an Alibaba Cloud SASE application on the General Configuration tab.

        • Public Key Endpoint: The endpoint link for public key signature verification. IDaaS automatically generates this link when you create an Alibaba Cloud SASE application on the Account Synchronization tab.

        • URL for Receiving Synchronization Requests: Copy this address from the SASE console to the Synchronization receive address field in the IDaaS console.

        • Encryption/Decryption Key: The key for encryption and decryption. IDaaS automatically generates this key when you create an Alibaba Cloud SASE application on the Account Synchronization tab.

          Note

          After you complete the configuration, you can deliver security policies in batches based on the directory list. The system does not read your employee information when delivering security policies.

        • Automatic Synchronization: After you turn on the Automatic Synchronization switch, the system automatically syncs the relevant information from IDaaS according to the configured synchronization mode.

          If you have not enabled Automatic Synchronization, you must manually synchronize the organizational structure. For more information, see View synchronization records.

        • Synchronize User Information: After you turn on the Synchronize User Information switch, the system automatically syncs employee information from WeCom based on the Automatic Synchronization Cycle.

          Note

          If the Automatic Synchronization feature is not enabled, the Synchronize User Information feature is not executed.

        • Automatic Synchronization Cycle: Specifies the Automatic Synchronization Cycle. You can set the interval to a value from 1 to 24 hours.

      • No: Do not grant permission to read the departmental structure.

    2. If you select No for Grant Read Permissions on Organizational Structure, click Confirm to complete the configuration.

      If you select Yes, click Connectivity Test. After the test is successful, click Next.

    3. In the Synchronization Settings step, configure the synchronization scope and field mappings for the organization, and then click Confirm.

      Configuration item

      Note

      Organizational Structure Synchronization

      Configure the synchronization scope for the organizational structure.

      • Synchronize All: Syncs the entire organizational structure from IDaaS to the SASE system.

      • Partially Synchronize: Select the organizational structure to synchronize.

      Field Synchronization Mapping

      Configure the mapping between IDaaS organization structure fields and SASE sync fields.

      Note

      If the built-in Local Field After Mapping values in the SASE system do not meet your needs, click View Extended Fields in the upper-right corner of the list. The View Extended Fields panel lets you add, edit, or delete extension fields.

    IDaaS previous version configuration process

    1. In the Basic Configurations step, configure the parameters as described in the following table.

      Configuration item

      Note

      IdP Name

      The name of the IDaaS configuration.

      The name must be 2 to 100 characters long. It can contain Chinese characters, letters, numbers, hyphens (-), and underscores (_).

      Description

      The description of the configuration.

      This description appears as the logon title in the SASE client. The title helps you identify the identity source when you log on.

      IdP Status

      Configure the identity source status as needed. Valid values:

      • Enabled: The identity source is enabled after it is created.

      • Disabled: The identity source is disabled after it is created.

        Important

        Disabling the identity source prevents end users from accessing internal applications with the SASE app. Proceed with caution.

      IDaaS Version

      Select Old Version.

      SAML Metadata File

      Upload the SAML metadata file. IDaaS automatically generates this file when you create the SAML application.

      Grant Read Permissions on Organizational Structure

      Grant permission to read the department structure as needed. Valid values:

      • Yes: Enter the IDaaS API information so that SASE can retrieve the enterprise directory structure. Set the API Key and API Secret, and configure the automatic synchronization features.

        Note

        After you configure this, you can batch-deliver security policies based on the directory list. The system does not read your employee information when delivering security policies.

        • Automatic Synchronization: After you turn on the Automatic Synchronization switch, the system automatically synchronizes the relevant information from IDaaS according to the configured synchronization mode.

          If you do not turn on Automatic Synchronization, you must manually synchronize the organizational structure. For more information, see View synchronization records.

        • Synchronize User Information: After you turn on the Synchronize User Information switch, the system automatically synchronizes employee information from WeCom based on the Automatic Synchronization Cycle.

          Note

          If the Automatic Synchronization feature is not enabled, the Synchronize User Information feature is not executed.

        • Automatic Synchronization Cycle: Set the Automatic Synchronization Cycle. You can set the automatic synchronization to run every 1 to 24 hours.

      • No: Does not grant permission to read the department structure.

      SP Entity ID

      The entity ID of the business system. Static field: https://saml-csas.aliyuncs.com/saml/metadata.

      SP ACS URL

      The Assertion Consumer Service (ACS) endpoint that receives SAML responses from the IdP. Static field: https://saml-csas.aliyuncs.com/saml/acs.

    2. If you select No for Grant Read Permissions on Organizational Structure, click Confirm to complete the configuration.

      If you select Yes, click Connectivity Test. After the test is successful, click Confirm to complete the configuration.
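Both the new-version and previous-version procedures above ask you to upload the SAML metadata file that IDaaS generates. The following is an added example (not SASE or IDaaS product code) that sanity-checks such a file before upload: it confirms the file is IdP metadata rather than the SP metadata SASE itself publishes, that it carries an entityID and an SSO endpoint, and that at least one signing certificate is present and base64-encoded DER. The sample metadata, its entityID and endpoint are constructed placeholders.

```python
# Added example (not SASE or IDaaS product code): sanity-check an IdP SAML
# metadata file before uploading it to SASE. It catches SP metadata uploaded
# by mistake, a missing entityID, and a missing or non-DER signing certificate.
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: the entityID and endpoint are placeholders and "MAA="
# is a two-byte DER stub standing in for a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://idaas.example.invalid/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idaas.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return entity_id, SSO endpoints keyed by binding, signing-cert count, problems."""
    root = ET.fromstring(xml_text)
    problems, entity_id = [], root.get("entityID")
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not entity_id:
        problems.append("root is not an md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # an SP descriptor is what SASE publishes, not what it needs
        problems.append("SP metadata, not IdP metadata" if root.find(
            "md:SPSSODescriptor", NS) is not None else "no IDPSSODescriptor")
        return {"entity_id": entity_id, "sso": {}, "certs": 0, "problems": problems}
    sso = {(s.get("Binding") or "").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys cannot verify assertion signatures
        for c in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((c.text or "").split()), validate=True)
            except binascii.Error:
                der = b""
            if der[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
                problems.append("X509Certificate is not base64-encoded DER")
            else:
                certs += 1
    if certs == 0:
        problems.append("no usable signing certificate")
    return {"entity_id": entity_id, "sso": sso, "certs": certs, "problems": problems}
```

Run it on the file exported from the IDaaS console and upload only when the returned problems list is empty; a file that reports "SP metadata" is the SASE-side descriptor and will not work as the IdP metadata file.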

View synchronization records

If you selected Grant Read Permissions on Organizational Structure and enabled the automatic synchronization feature when you configured the identity source, you can view the synchronization records after the automatic synchronization is complete.

  1. On the Identity synchronization tab, locate the identity source and click Synchronize Records in the Actions column.

  2. On the Synchronize Records page, you can view the synchronization records for the identity source.

  3. In the Synchronization Task area on the left, click a sync task to view the corresponding synchronization information in the list on the right.


  4. Click Details in the Actions column to view the field information for the Third-party Data Source and the SASE Data Source.

Manual synchronization

You must manually synchronize the organizational structure if you did not enable Automatic Synchronization when you configured the identity source, or if the organizational structure of your identity source changes. To do this, click Create Synchronization Task and then click OK. After the sync task is complete, you can view the synchronization records.

Note

After a successful synchronization, you can view the synchronized organizational structure and employee information on the Identity Authentication > Identity Access > Employee Center tab. For more information, see Employee Center.

Disable automatic synchronization

  • On the Identity synchronization page, locate the identity source and turn off the switch in the Automatic Synchronization column.

  • In the Edit IdP panel, turn off the automatic synchronization switch.

Edit an IDaaS data source

On the Identity synchronization page, locate the IDaaS identity source that you want to edit and click Edit in the Actions column.

Disable an IDaaS data source

On the Identity synchronization page, locate the IDaaS identity source that you want to disable and turn off the switch in the IdP Status column.

Delete an IDaaS data source

On the Identity synchronization page, locate the IDaaS identity source that you want to delete and click Delete in the Actions column.

References

Configure a SASE data source

If your enterprise does not use a third-party IdP, you can establish an organizational structure using a custom IdP provided by SASE. For more information, see Configure a SASE IdP.

Connect a third-party data source

If your enterprise uses an Identity Provider (IdP) such as LDAP, DingTalk, WeCom, Lark, or IDaaS to manage its organizational structure, you can connect the IdP to SASE.

Configure a user group

To create a user group outside of your organization's structure, see User group management.