This topic provides answers to some frequently asked questions about the identity management feature of Secure Access Service Edge (SASE).
I specify the required information when I add an LDAP IdP of the Windows AD type, but synchronization fails. Why?
Check whether the Base DN parameter is correctly configured. For more information, see Add an LDAP IdP.
Can I enable an LDAP IdP of the Windows AD type and a custom IdP at the same time?
SASE allows you to enable multiple identity providers (IdPs) at the same time. After you configure an LDAP IdP of the Windows AD type and a custom IdP, you can combine them into an IdP combination on the Multiple IdPs tab. For more information, see Configure an IdP combination.
After I add a DingTalk IdP, the organizational structures fail to be synchronized. Why?
Check whether the required permissions were granted when you added the IdP. The permissions to read department information and department members in the Contacts module of DingTalk are required. The first synchronization takes 5 to 10 minutes.
Can I contact SASE engineers to obtain a value for the Schema parameter when I add a WeCom IdP?
Yes, you can contact SASE engineers to obtain a value for the Schema parameter.
After users from a DingTalk, WeCom, or Lark IdP resign and the administrators delete them from the management backends of the IM tools, does SASE also delete the users?
If your DingTalk, WeCom, or Lark IdP is correctly configured, the SASE client is automatically deregistered. You can still view the users on the Terminal Management > Terminal Registration page of the SASE console, but they no longer have permissions.