SASE enforces security policies based on user identity. If your company manages its organization in DingTalk, connect DingTalk to SASE as an identity provider (IdP). Employees can then log on to the SASE app with their existing DingTalk accounts—no new identities needed.
Limits
Up to five identity providers can be enabled at the same time.
Only one custom identity provider can be enabled at a time.
If you have reached either limit, disable an existing IdP before enabling a new one.
Connect DingTalk to SASE
The setup has two phases: gathering credentials from the DingTalk Open Platform, then configuring the IdP in the SASE console.
Phase 1: Gather credentials from DingTalk Open Platform
Before opening the SASE console, collect the following values from the DingTalk Open Platform:
| Credential | Where to find it |
|---|---|
| CorpId | Homepage of the DingTalk Open Platform |
| AppKey | Credentials and Basic Information page of your app |
| AppSecret | Credentials and Basic Information page of your app |
| AES Encryption Key (optional) | Event Subscription page of your app |
| Encryption token (optional) | Event Subscription page of your app |
The AES Encryption Key and Encryption token are required only if you want to enable event subscription, which keeps SASE in sync with org-structure changes in real time. Treat the AppSecret, the AES Encryption Key, and the Encryption token as secrets: the AppSecret lets its holder call the DingTalk API as your app, and the other two are what let SASE tell a genuine DingTalk callback from a forged one. Copy them directly into the SASE console rather than through tickets or chat.
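What the two event-subscription credentials actually protect, as an added example written for this page (editor's illustration; it is not SASE's or DingTalk's code). It implements the callback check that a receiver such as SASE must perform before acting on an org-structure event: verify the signature derived from the Encryption token, then decrypt the AES body and confirm it was issued for your CorpId. The wire format is the DingTalk Open Platform callback scheme as the editor understands it (SHA-1 over the sorted token, timestamp, nonce and ciphertext; the 43-character aes_key plus "=" decodes to a 32-byte AES-256 key; AES-CBC with IV = first 16 bytes of the key; plaintext = 16 random bytes, big-endian length, message, CorpId, PKCS#7 padded to 32 bytes). Those details, the sample token, key and CorpId, and the event JSON are assumptions, not values from the page. Go is used because its standard library covers AES, SHA-1 and base64, so the block runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
)

// CallbackCrypto holds the Encryption token, the decoded AES key and the CorpId.
type CallbackCrypto struct {
	token  string
	key    []byte
	corpID string
}

// NewCallbackCrypto decodes the 43-character aes_key (assumed: base64 without
// its trailing "=") into a 32-byte AES-256 key and rejects anything else.
func NewCallbackCrypto(token, aesKey, corpID string) (*CallbackCrypto, error) {
	key, err := base64.StdEncoding.DecodeString(aesKey + "=")
	if err != nil || len(key) != 32 {
		return nil, errors.New("aes_key must decode to 32 bytes")
	}
	return &CallbackCrypto{token: token, key: key, corpID: corpID}, nil
}

// Signature is hex(sha1(sorted(token, timestamp, nonce, encrypt) joined)). The
// token never travels on the wire, so only its holder can produce a valid value.
func (c *CallbackCrypto) Signature(timestamp, nonce, encrypt string) string {
	parts := []string{c.token, timestamp, nonce, encrypt}
	sort.Strings(parts)
	sum := sha1.Sum([]byte(strings.Join(parts, "")))
	return hex.EncodeToString(sum[:])
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := int(b[len(b)-1]) // caller guarantees len(b) > 0
	if n == 0 || n > size || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt builds a body the way the sender would (16 random bytes, big-endian
// length, message, CorpId, PKCS#7 to 32 bytes, AES-CBC with IV = key[:16]).
// It exists here only to construct sample input for Decrypt.
func (c *CallbackCrypto) Encrypt(msg string) (string, error) {
	plain := make([]byte, 20)
	if _, err := rand.Read(plain[:16]); err != nil {
		return "", err
	}
	binary.BigEndian.PutUint32(plain[16:], uint32(len(msg)))
	plain = pkcs7Pad(append(append(plain, msg...), c.corpID...), 32)
	block, _ := aes.NewCipher(c.key) // key length already validated
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, c.key[:16]).CryptBlocks(out, plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt verifies the signature before touching the ciphertext, so a forged or
// tampered body is rejected without the padding or CorpId checks acting as an oracle.
func (c *CallbackCrypto) Decrypt(signature, timestamp, nonce, encrypt string) (string, error) {
	want := c.Signature(timestamp, nonce, encrypt)
	if subtle.ConstantTimeCompare([]byte(signature), []byte(want)) != 1 {
		return "", errors.New("signature mismatch: wrong token or tampered request")
	}
	raw, err := base64.StdEncoding.DecodeString(encrypt)
	if err != nil || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, _ := aes.NewCipher(c.key)
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, c.key[:16]).CryptBlocks(plain, raw)
	if plain, err = pkcs7Unpad(plain, 32); err != nil || len(plain) < 20 {
		return "", errors.New("malformed plaintext")
	}
	n := binary.BigEndian.Uint32(plain[16:20])
	if uint64(n) > uint64(len(plain)-20) {
		return "", errors.New("length field exceeds plaintext")
	}
	if string(plain[20+n:]) != c.corpID {
		return "", errors.New("CorpId mismatch: callback not issued for this organization")
	}
	return string(plain[20 : 20+n]), nil
}
```

The order of checks is the point: the signature is compared in constant time before any decryption, and the CorpId suffix is compared after unpadding, so a request signed with the wrong token, a ciphertext altered in transit, or an event addressed to a different organization all fail closed. A receiver would additionally bound the timestamp and remember recent nonces to stop replays; that part depends on the receiver's storage and is left out here.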
Phase 2: Configure the identity provider in SASE
Log on to the SASE console.
In the navigation pane, choose Identity Authentication > Identity Access.
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select DingTalk and click Configure.
In the Basic Configurations wizard, fill in the fields described in the following table. At the bottom of the panel, three links are available for configuring the DingTalk Open Platform:
Copy Request URL — use this URL to set up subscription management in the DingTalk Open Platform
Copy Application Homepage Address — use this URL to view application details in the DingTalk Open Platform
Copy Callback Domain Name — use this domain name to set the callback domain in the DingTalk Open Platform
Important: Disabling an identity source prevents end users from accessing internal applications through the SASE app. Proceed with caution.
| Field | Required | Description |
|---|---|---|
| IdP Name | Required | A name for this identity provider. Length: 2–100 characters. Allowed: Chinese characters, letters, digits, hyphens (-), and underscores (_). |
| Description | Optional | A description that appears as the login title in the SASE client. |
| IdP Status | Required | Enabled: activate the IdP immediately after creation. Closed: create the IdP in a disabled state. |
| CorpId | Required | Your company's unique ID in DingTalk. Get it from the DingTalk Open Platform homepage. |
| AppKey | Required | The AppKey of your DingTalk app. Get it from the Credentials and Basic Information page. |
| AppSecret | Required | The AppSecret of your DingTalk app. Get it from the Credentials and Basic Information page. |
| DingTalk Type (Advanced Settings) | Required | Select DingTalk Standard or Dedicated DingTalk. |
| AES Encryption Key (Advanced Settings) | Optional | Required only if enabling event subscription. Get the aes_key from the Event Subscription page. |
| Encryption token (Advanced Settings) | Optional | Required only if enabling event subscription. Get the encryption token from the Event Subscription page. |
| Automatic Synchronization | Optional | When enabled, SASE syncs organizational data from DingTalk on the configured schedule. When disabled, sync must be triggered manually. For more information, see View synchronization records. |
| Synchronize User Information | Optional | When enabled, SASE syncs employee information from DingTalk based on the Automatic Synchronization Cycle. Requires Automatic Synchronization to be enabled. |
| Automatic Synchronization Cycle | Optional | How often SASE pulls data from DingTalk. Set an interval between 1 hour and 24 hours. |
| LOGO | Optional | Upload a custom logo. |
Click Connectivity Test. After the test passes, click Next.
If the connectivity test fails, verify that the CorpId, AppKey, and AppSecret match the values shown in the DingTalk Open Platform and that the selected DingTalk Type matches the edition your organization uses.
In the Synchronization Settings wizard, configure the sync scope and field mappings, then click Confirm.
| Field | Description |
|---|---|
| Organizational Structure Synchronization | Synchronize All: sync the entire org structure from DingTalk. Partially Synchronize: select specific org units to sync. |
| Field Synchronization Mapping | Map DingTalk org fields to SASE fields. If the built-in Local Field After Mapping options don't meet your needs, click View Extended Fields in the upper-right corner to add, edit, or delete extended fields. |
View synchronization records
On the Identity synchronization tab, find the identity source and click Synchronize Records in the Actions column.
On the Synchronize Records page, view the synchronization records for the identity source.
In the Synchronization Task area on the left, click a sync task to see its details on the right.

Click Details in the Actions column to view the field data from the Third-party Data Source (DingTalk) and the SASE Data Source.
Trigger manual synchronization
If Automatic Synchronization is disabled, or if your org structure has changed and you need an immediate update:
Click Create Synchronization Task and then click OK.
Wait for the task to complete before viewing the results.
After synchronization completes, the updated org structure and employee information are available under Identity Authentication > Identity Access > Employee Center. For details, see Employee Center.
More operations
Disable automatic synchronization
Use either of the following methods:
On the Identity synchronization tab, find the identity source and turn off the switch in the Automatic Synchronization column.
In the Edit IdP panel, turn off the automatic synchronization switch.
Edit the DingTalk identity provider
On the Identity synchronization tab, find the DingTalk identity provider and click Edit in the Actions column.
Disable the DingTalk identity provider
On the Identity synchronization tab, find the DingTalk identity provider and turn off the switch in the IdP Status column.
Delete the DingTalk identity provider
On the Identity synchronization tab, find the DingTalk identity provider and click Delete in the Actions column.
What's next
Use the SASE built-in identity provider
If your organization doesn't use an external identity provider, build your organization with the SASE custom identity provider. See Configure a SASE identity provider.
Connect other identity providers
SASE supports identity providers including LDAP, DingTalk, WeCom, Lark, and IDaaS.
Manage user groups
To create user groups outside your org structure, see Manage user groups.