SASE enforces identity-driven security policies. If your organization manages its directory structure with a Lightweight Directory Access Protocol (LDAP) server — Windows Active Directory (AD) or OpenLDAP — connect it to SASE so employees can log on to the SASE app using their existing corporate accounts.
Limits
Maximum five identity sources can be enabled simultaneously.
Only one custom identity source can be enabled at a time.
To enable a new identity source when the quota is full, disable an existing one first.
Disabling an identity source prevents end users from using the SASE app to access internal applications. Proceed with caution.
Prerequisites
Before you begin, ensure that you have:
Access to the SASE console
Your LDAP or AD server address and port number
Administrator DN and password for the directory
(Optional) A SASE connector configured, if your LDAP server is on an internal network
Connect an LDAP identity source
Step 1: Start the configuration wizard
Log on to the SASE console.
In the left navigation pane, choose Identity Authentication > Identity Access.
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select LDAP, then click Configure.
Step 2: Basic configurations
Configure the following parameters, then click Next.
| Parameter | Description |
|---|---|
| IdP Name | A name for the identity source. Must be 2–100 characters. Accepts Chinese characters, letters, digits, hyphens (-), and underscores (_). |
| Description | Displayed as the logon title in the SASE client. Helps users identify the identity source at logon. |
| IdP Status | Enabled activates the identity source immediately after creation. Closed creates it in a disabled state. |
| Type | Select Windows AD for Microsoft Active Directory, or OpenLDAP for open-source LDAP. |
| Server address | The address of your AD or LDAP server. You can add up to five server addresses. |
| Server port number | The port your AD or LDAP server listens on. |
| Access authentication server from connector | If the LDAP server is on an internal network, select a connected connector instance to route access. |
| SSL connection | Set to Yes to encrypt data in transit between SASE and the LDAP server. |
| Base DN | The base distinguished name (DN) that scopes user authentication. SASE authenticates all accounts under this node. Must be 2–100 characters. |
| Organizational structure synchronization | Enter the administrator DN and password to pull the directory structure from the identity source. This enables batch policy assignment by org unit. SASE does not read individual employee data during policy issuance. |
| Logon username attribute | Maps an LDAP attribute to the username employees enter at logon. See the table below. |
Logon username attribute — choose by scenario:
| LDAP attribute | Description |
|---|---|
| sAMAccountName | A default LDAP attribute for the username. |
| userPrincipalName | Includes a domain suffix. Employees must enter the full UPN including the domain suffix at logon (for example, user@corp.example.com). |
| cn | A default LDAP attribute for the username. |
| givenName | A default LDAP attribute for the username. |
| displayName | A default LDAP attribute for the username. |
| name | A default LDAP attribute for the username. |
| Custom attribute | Any other LDAP-defined attribute in your schema. |
If you select userPrincipalName, employees must enter the full UPN including the domain suffix (for example, user@corp.example.com) when logging on.
If users and groups are not under the same node in your LDAP tree, configure User Base DN and Group Base DN separately under Advanced Settings instead of using the common Base DN field.
Continue configuring the remaining parameters:
| Parameter | Description |
|---|---|
| Group name attribute | Maps an LDAP attribute to group names. Common options: cn, name, sAMAccountName. |
| Group mapping attribute | Defines group membership relationships. Default: memberOf. If configured, the value must match what is set in your LDAP schema. |
| Group filter | An LDAP filter expression that scopes which groups are synchronized. Examples: `(&(objectClass=organizationalUnit)(objectClass=organization))` matches groups of both types; `(\|(objectClass=organizationalUnit)(objectClass=organization))` matches groups of either type; `(!(objectClass=organizationalUnit))` excludes a specific type. For filter syntax, see LDAP Filters. |
| User filter | An LDAP filter expression that scopes which users are synchronized. Examples: `(&(objectClass=person)(objectClass=user))` matches users of both types; `(\|(objectClass=person)(objectClass=user))` matches users of either type; `(!(objectClass=person))` excludes a specific type. |
| Automatic synchronization | Enables periodic sync from LDAP. If disabled, you must trigger synchronization manually. |
| Synchronize user information | When enabled, syncs employee data on the automatic synchronization schedule. Requires Automatic synchronization to be enabled. |
| Automatic synchronization cycle | The interval between automatic syncs. Set a value from 1 hour to 24 hours. |
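Before saving a user filter and a logon username attribute, it helps to see which entries the filter admits and whether the chosen attribute is populated and unique across them: an empty value means that employee cannot log on, and a duplicated value (easy with cn or displayName) makes the logon ambiguous. The Python below is an added example, not SASE code: a small evaluator for the `&`, `|`, `!` and `attr=value` filter forms used in the tables above, run over constructed sample entries whose DNs and values are made up.

```python
from collections import Counter

ENTRIES = [  # constructed sample entries (not from a real directory), as the user filter sees them
    {"dn": "cn=alice,ou=staff,dc=corp,dc=example,dc=com", "objectClass": {"person", "user"},
     "sAMAccountName": "alice", "userPrincipalName": "alice@corp.example.com", "displayName": "Alice Li"},
    {"dn": "cn=bob,ou=staff,dc=corp,dc=example,dc=com", "objectClass": {"person", "user"},
     "sAMAccountName": "bob", "userPrincipalName": "bob@corp.example.com", "displayName": "Bob Li"},
    {"dn": "cn=svc-backup,ou=services,dc=corp,dc=example,dc=com", "objectClass": {"person"},
     "sAMAccountName": "svc-backup", "displayName": "Bob Li"},  # no UPN; displayName clashes with bob
    {"dn": "ou=staff,dc=corp,dc=example,dc=com", "objectClass": {"organizationalUnit"}},
]

def parse_filter(text):
    """Parse an LDAP filter (&, |, ! and attr=value terms) into a nested tuple."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if text[i + 1] in "&|!":  # compound: read sub-filters until the closing paren
            op, i, subs = text[i + 1], i + 2, []
            while text[i] != ")":
                node, i = parse(i)
                subs.append(node)
            return (op, subs), i + 1
        end = text.index(")", i)
        attr, _, value = text[i + 1:end].partition("=")
        return ("=", attr.strip(), value.strip()), end + 1
    node, consumed = parse(0)
    assert consumed == len(text), "unbalanced or trailing characters in filter"
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (equality and presence tests only)."""
    if node[0] == "=":
        _, attr, value = node
        present = entry.get(attr)
        values = present if isinstance(present, set) else ({present} if present else set())
        return bool(values) if value == "*" else value in values
    op, subs = node
    if op == "!":
        return not matches(subs[0], entry)  # "!" takes exactly one operand
    return (all if op == "&" else any)(matches(s, entry) for s in subs)

def preview_sync(user_filter, username_attr, entries=ENTRIES):
    """Return (in-scope DNs, DNs lacking the logon attribute, duplicated logon values)."""
    node = parse_filter(user_filter)
    scoped = [e for e in entries if matches(node, e)]
    values = [e.get(username_attr) for e in scoped]
    missing = [e["dn"] for e, v in zip(scoped, values) if not v]
    dupes = sorted(v for v, n in Counter(v for v in values if v).items() if n > 1)
    return [e["dn"] for e in scoped], missing, dupes
```

Attribute names are compared case-sensitively here for brevity; a real directory treats them case-insensitively.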
Step 3: Synchronization settings
Configure the synchronization scope and map LDAP fields to SASE fields, then click Next.
| Parameter | Description |
|---|---|
| Organizational structure synchronization | Synchronize All imports the entire LDAP directory structure. Partially Synchronize lets you select specific organizational units. |
| Field synchronization mapping | Maps LDAP fields to SASE fields. To add custom fields beyond the built-in ones, click View Extended Fields in the upper-right corner. |
Step 4: Logon settings
Configure how employees authenticate on each device type.
PC logon
| Option | Details |
|---|---|
| Logon with account and password | Standard username/password logon. Supports two-factor authentication (2FA). |
| Password-free logon | Employees scan a QR code using the SASE mobile app. No password required. |
Two-factor authentication for PC (when using account and password):
| Method | How it works |
|---|---|
| OTP-based authentication | Requires a one-time password (OTP) token. Select one of three modes: (1) SASE mobile client generates the token — requires the SASE mobile app; (2) third-party OTP app — clock must be synchronized; (3) company-owned OTP — contact technical support to configure. |
| Verification code-based authentication | Sends a verification code via SMS or email. Each user must have a mobile number or email address configured in the identity source. |
Mobile device logon
| Option | Details |
|---|---|
| Logon with account and password | Standard username/password logon. Supports two-factor authentication. |
| Fingerprint or face recognition | Biometric authentication. On first logon, employees must enter a username and password to register. |
Two-factor authentication for mobile (when using account and password):
| Method | Prerequisite |
|---|---|
| OTP-based authentication | PC OTP must be enabled first with Allow tokens on third-party applications or Allow enterprise-owned tokens selected. Mobile OTP configuration follows the same settings. |
| Verification code-based authentication | Each user must have an email address configured in the identity source. |
Step 5: Test and confirm
After completing all configuration steps, click Logon Test at the bottom of the panel to verify connectivity.

If the test returns the message "Failed To Connect To The LDAP Server. Contact The Administrator.", check that the server address and port are correct and that the server is reachable from the SASE network.
When the test succeeds, click OK to save the configuration.
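If the Logon Test fails, it is useful to separate a reachability or TLS problem from a wrong administrator DN or password by running a simple bind yourself from a host that can reach the server. The Python below is an added example, not part of SASE or this documentation: it builds an LDAPv3 simple BindRequest with the standard library only, optionally wraps the connection in TLS (the same choice as the SSL connection setting), and decodes the BindResponse result code. Host, port, DN and password are placeholders you supply.

```python
import socket, ssl

def ber(tag, payload):
    """Encode one BER TLV; definite lengths up to 65535 bytes (enough for a bind)."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    elif n < 256:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def encode_simple_bind(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } } (RFC 4511)."""
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + bind)  # msg_id < 128 assumed

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse; minimal decoder."""
    def tlv(buf, i):
        tag, n = buf[i], buf[i + 1]
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i + 2:i + 2 + k], "big"), i + k
        return tag, buf[i + 2:i + 2 + n], i + 2 + n
    tag, body, _ = tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, i = tlv(body, 0)
    tag, op, _ = tlv(body, i)
    assert tag == 0x61, "not a BindResponse"
    _, code, i = tlv(op, 0)
    _, _matched_dn, i = tlv(op, i)
    _, diag, _ = tlv(op, i)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def bind_test(host, port, bind_dn, password, use_ssl=False, timeout=5.0):
    """Connect, optionally wrap in TLS (certificate verified), then simple-bind as bind_dn."""
    sock = socket.create_connection((host, port), timeout=timeout)  # raises if unreachable
    if use_ssl:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(encode_simple_bind(1, bind_dn, password))
        _, code, diag = parse_bind_response(sock.recv(4096))
    return code == 0, code, diag  # 0 = success, 49 = invalidCredentials
```

Call it as `bind_test("ldap.example.placeholder", 636, "cn=admin,dc=example,dc=com", "...", use_ssl=True)`: a socket or TLS exception points at the address, port or certificate, while a result code of 49 points at the administrator DN or password.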
View synchronization records
On the Identity synchronization tab, find the identity source and click Synchronize Records in the Actions column.
On the Synchronize Records page, click a sync task in the Synchronization Task panel on the left to see its details on the right.

Click Details in the Actions column for a specific task to compare the Third-party data source fields against the SASE data source fields.
Trigger a manual sync
If automatic synchronization is disabled, or if your directory structure has changed, trigger a sync manually: click Create Synchronization Task, then click OK. Wait for the task to complete before reviewing the results.
After a successful sync, view the updated organizational structure and employee list under Identity Authentication > Identity Access > Employee Center. For details, see Employee Center.
More operations
| Task | How |
|---|---|
| Disable automatic synchronization | On the Identity synchronization page, turn off the switch in the Automatic Synchronization column. Alternatively, turn off the switch in the Edit IdP panel. |
| Edit the identity source | On the Identity synchronization page, click Edit in the Actions column. |
| Disable the identity source | On the Identity synchronization tab, turn off the switch in the IdP Status column. |
| Delete the identity source | On the Identity synchronization page, click Delete in the Actions column. |
What's next
Set up a custom identity source — If your organization does not use an external directory, build an organizational structure directly in SASE. See Configure a SASE identity source.
Connect other identity sources — SASE also integrates with DingTalk, WeCom, Lark, and IDaaS.
Create user groups — To define groups outside your org structure, see User group management.