
Secure Access Service Edge: Best practices for password-free logon to the SASE client

Last updated: Nov 21, 2025

This document describes how to enable password-free logon for the SASE client. This feature uses identity authentication to improve the user experience and access efficiency.

Prerequisites

  • You have enabled SASE. If you have not enabled SASE, you must purchase and enable the service. For more information, see Purchase service. You can also apply for a 7-day free trial. For more information, see Apply for a free trial.

  • The SASE client installed on your corporate devices is version 4.8.5 or later.

  • If your organization uses a corporate identity source to manage its structure, you must first complete identity synchronization. Then, you must enable the identity source to sync the organizational structure. This allows employees to use a unified corporate identity to log on to the SASE client. You must also enable the custom identity source.

    Note

    After you activate SASE, the system automatically creates a custom identity source. In the navigation pane on the left, click Identity Authentication > Identity Access. On the Identity synchronization tab, enable the custom identity source. You can also add users to the custom identity source on the Employee Center tab. For more information, see Employee Center.

Procedure

Step 1: Enable the password-free logon policy

You can enable this feature to allow the client to run without requiring a logon. Devices that are not attached to an identity source connect anonymously. Data protection and endpoint protection policies still apply. To apply internal network access policies, you must log on manually to configure them.

  1. Log on to the SASE console.

  2. In the navigation pane on the left, choose Identity Authentication > Identity Access.

  3. On the Authentication Management tab, click Single Sign-On Policy.

  4. In the Client Auto-Sign-In Policy panel, enable the policy, configure the logon-free scope, and view the devices to which the policy applies.

    Configuration item: Enable Client Auto-Sign-In
    Description: Enables the client logon-free policy.

    Configuration item: Scope of Automatic Sign-In
    Description:

    • All Devices: Refers to all devices in the platform's endpoint list, including manually imported company devices. After the policy takes effect, these devices connect with an anonymous identity without requiring a logon. You must enable custom identity source authentication. In the navigation pane on the left, choose Terminal Management > Terminals to view enterprise endpoint information.

    • Authenticated Devices: Refers to all devices for which device authentication has been configured in the extension authentication source. After the policy takes effect, these devices connect using the owner's identity without requiring a logon.

    Configuration item: Automatic Sign-In Status
    Description: The devices on which the policy is currently in effect. You can click the device count to go to the Terminals page and view information about the effective devices.

  5. Click OK.

Step 2: Add an extension authentication source

The password-free logon feature requires information about the logon device and user. If you set the Scope of Automatic Sign-In to All Devices when you configure the policy, SASE automatically creates an extension authentication source. All devices in the device list can then use password-free logon without additional configuration. If you select Authenticated Devices, you must manually create an extension authentication source. Then, you must upload a file with the required device and user information using the provided template.

  1. In the upper-right corner of the Authentication Management tab, click Extended Authentication Source.

  2. On the Extended Authentication Source page, click Add Extended Authentication Source.

  3. In the Add panel, configure the extension authentication source as described in the following table, and then click OK.

    Configuration item: Authentication Source Name
    Description: The name of the extension identity source. The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).

    Configuration item: Description
    Description: The description of the configuration. This description appears as the logon title in the SASE client to help you identify the identity source during logon.

    Configuration item: Extended Authentication Source Configuration > Authentication Source Type
    Description: Set Authentication Source Type to Device Authentication.

    1. Click Download Import Template. Fill in the information for the devices that will use password-free logon (MAC address, SN, and hostname) and the user information (name, phone number, and email).

    2. Drag the file or click to browse for a local file to upload the template to SASE.

      Note

      If the uploaded file contains duplicate information, password-free logon will not be enabled for that device.

    Configuration item: Associated IdP
    Description: Select a created identity source.

    Important

    SASE matches the uploaded device and user information with the information in the associated identity source. If any device information matches, password-free logon is enabled for the client. If the user information also matches, the corresponding username is displayed after logon. If the user information does not match, the username is displayed as anonymous (Company Employee).
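
An added example (not part of the product documentation or SASE's own tooling): a pre-upload check that flags rows sharing a device identifier, since the note above says duplicate information leaves the device without password-free logon. The CSV layout, the column names, and the rule that MAC, SN, and hostname are each compared after normalization are assumptions; the page does not show the template's headers or say which fields count as duplicates.

```python
import csv
import io
import re
from collections import defaultdict

# Hypothetical column names; the real import template's headers are not shown on the page.
DEVICE_FIELDS = ("mac", "sn", "hostname")

# Constructed sample rows standing in for a CSV export of the filled-in template.
SAMPLE = """mac,sn,hostname,name,phone,email
00:16:3E:AA:BB:01,SN-0001,lap-alice,Alice,13800000001,alice@example.com
00-16-3e-aa-bb-01,SN-0002,lap-bob,Bob,13800000002,bob@example.com
00:16:3E:AA:BB:03,SN-0003,lap-carol,Carol,13800000003,carol@example.com
00:16:3E:AA:BB:04,sn-0003,lap-dave,Dave,13800000004,dave@example.com
00:16:3E:AA:BB:05,SN-0005,lap-erin,Erin,13800000005,erin@example.com
"""


def normalize(field, value):
    """Canonical form so the same device written two ways compares equal."""
    value = value.strip()
    if field == "mac":
        # Drop separators (":", "-", ".") and case: 00-16-3e... == 00:16:3E...
        return re.sub(r"[^0-9a-f]", "", value.lower())
    return value.lower()  # assumption: SN and hostname compare case-insensitively


def find_duplicates(csv_text):
    """Return {(field, normalized_value): [row numbers]} for values used more than once."""
    seen = defaultdict(list)
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for field in DEVICE_FIELDS:
            key = normalize(field, row.get(field) or "")
            if key:  # empty cells are not compared
                seen[(field, key)].append(row_no)
    return {k: rows for k, rows in seen.items() if len(rows) > 1}


def rows_to_fix(csv_text):
    """Sorted row numbers that share a device identifier with another row."""
    return sorted({r for rows in find_duplicates(csv_text).values() for r in rows})


if __name__ == "__main__":
    for (field, value), rows in sorted(find_duplicates(SAMPLE).items()):
        print(f"duplicate {field} {value!r} in rows {rows}")
    print("rows to fix before upload:", rows_to_fix(SAMPLE))
```

Because a matched device connects under its owner's identity without a logon, resolving every flagged row before upload also keeps each device tied to exactly one owner.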

Step 3: Log on to the client

  1. Open the installed SASE client.

  2. Enter the enterprise identity and click Confirm to log on automatically. If the user information does not match, the username is displayed as Company Employee.