SASE uses identities to issue security policies. If your company already uses an IDaaS identity provider to manage its organizational structure, you can connect the IDaaS identity provider to SASE. This eliminates the need to create identity information for your employees again. After you connect your company's IDaaS identity provider, employees can use their corporate accounts to log on to the SASE App for work. This topic describes how to connect to an IDaaS identity provider.
Limits
You can enable a maximum of five identity providers at the same time. Only one custom identity provider can be enabled at a time. If you have reached the maximum number of enabled identity providers, disable an existing one before you enable a new one.
Configure an IDaaS identity provider
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select IDaaS, and then click Configure.
The configuration process differs for the old and new versions of IDaaS. Follow the steps in the configuration wizard to complete the configuration.
New version of IDaaS configuration process
In the Basic Configurations step, configure the parameters as described in the following table.
Configuration Item
Description
IdP Name
The name of the IDaaS identity provider configuration.
The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).
Description
The description of the configuration.
This description appears as the logon title in the SASE client. This helps you identify the identity provider when you log on.
IdP Status
Configure the status for the identity source. The valid values are:
Enabled: The identity source is enabled after it is created.
Closed: The identity source is disabled after it is created.
Important: If you disable an identity source, end users cannot use the SASE app to access internal applications. Proceed with caution.
IDaaS Version
Select New Version.
Regional Instance
Select the region where the instance is located. You can select Chinese Mainland or Outside Chinese Mainland.
SAML Metadata File
Upload the SAML metadata configuration file. This file is automatically generated by IDaaS when you create an Alibaba Cloud SASE application on the Single Sign-on tab.
Grant Read Permissions on Organizational Structure
Grant permission to read the department structure as needed. Valid values:
Yes: Enter the API information for IDaaS to obtain the list of corporate directory structures. You must set the following fields:
Instance ID: The ID of the new EIAM instance.
Application ID: The ID of the Alibaba Cloud SASE application that you added to the new EIAM instance.
client_id: The ID for API authentication. This is automatically generated by IDaaS when you create an Alibaba Cloud SASE application on the General Configurations tab.
client_secret: The key for API authentication. This is automatically generated by IDaaS when you create an Alibaba Cloud SASE application on the General Configurations tab.
Public Key Endpoint: This is automatically generated by IDaaS when you create an Alibaba Cloud SASE application on the Account Synchronization tab.
URL for Receiving Synchronization Requests: Copy this address from the SASE console and paste it into the synchronization reception address field in the IDaaS console.
Encryption/Decryption Key: This is automatically generated by IDaaS when you create an Alibaba Cloud SASE application on the Account Synchronization tab.
Note: After configuration, you can issue security policies in batches based on the directory list. The system does not read your employee information when issuing security policies.
Automatic Synchronization: If you enable Automatic Synchronization, the system automatically synchronizes information from IDaaS based on the configured synchronization mode.
If you do not enable Automatic Synchronization, you must manually synchronize the organizational structure. For more information, see View synchronization records.
Synchronize User Information: After you enable the Synchronize User Information switch, the system automatically syncs employee information from WeCom based on the Automatic Synchronization Cycle.
Note: If Automatic Synchronization is disabled, the Synchronize User Information feature does not run.
Automatic Synchronization Cycle: Set the Automatic Synchronization Cycle. You can set the automatic synchronization to run every 1 to 24 hours.
No: Does not grant permission to read the department structure.
LOGO
Upload a custom LOGO.
If you set Grant Read Permissions on Organizational Structure to No, click Confirm to complete the configuration.
If you select Yes, you can click Connectivity Test. After the test is successful, click Next.
In the Synchronization Settings step, configure the synchronization scope and field mapping for the organizational structure, and then click Confirm.
Configuration Item
Description
Organizational Structure Synchronization
Configure the scope for synchronizing the organizational structure.
Synchronize All: Synchronizes the entire organizational structure from the new version of IDaaS to the SASE system.
Partially Synchronize: Select the organizational structures to synchronize.
Field Synchronization Mapping
Configure the mapping between IDaaS organizational structure fields and SASE synchronization fields.
Note: If the built-in Local Field After Mapping in the SASE system does not meet your business needs, click View Extended Fields in the upper-right corner of the list. In the View Extended Fields panel, you can add, edit, or delete extension fields.
Old version of IDaaS configuration process
In the Basic Configurations step, configure the parameters as described in the following table.
Configuration Item
Description
IdP Name
The name of the IDaaS configuration.
The name must be 2 to 100 characters in length and can contain Chinese characters, letters, digits, hyphens (-), and underscores (_).
Description
The description of the configuration.
This description appears as the logon title in the SASE client. This helps you identify the identity provider when you log on.
IdP Status
Configure the status for the identity source. The valid values are:
Enabled: The identity source is enabled after it is created.
Closed: The identity source is disabled after it is created.
Important: If you disable an identity source, end users cannot use the SASE app to access internal applications. Proceed with caution.
IDaaS Version
Select Old Version.
SAML Metadata File
Upload the SAML metadata configuration file. This file is automatically generated by IDaaS when you create the application details (SAML).
Grant Read Permissions on Organizational Structure
Grant permission to read the department structure as needed. Valid values:
Yes: Enter the API information for IDaaS to obtain the list of corporate directory structures. You must set API Key and API Secret, and configure automatic synchronization features.
Note: After configuration, you can issue security policies in batches based on the directory list. The system does not read your employee information when issuing security policies.
Automatic Synchronization: If you enable Automatic Synchronization, the system automatically synchronizes information from IDaaS based on the configured synchronization mode.
If you do not enable Automatic Synchronization, you must manually synchronize the organizational structure. For more information, see View synchronization records.
Synchronize User Information: After you turn on the Synchronize User Information switch, the system automatically syncs employee information from WeCom according to the Automatic Synchronization Cycle.
Note: If Automatic Synchronization is disabled, the Synchronize User Information feature does not run.
Automatic Synchronization Cycle: Set the Automatic Synchronization Cycle. You can set the automatic synchronization to run every 1 to 24 hours.
No: Does not grant permission to read the department structure.
SP Entity ID
The entity ID of the business system. This value is fixed: https://saml-csas.aliyuncs.com/saml/metadata.
SP ACS URL
The address where the business system accepts SAML requests. This value is fixed: https://saml-csas.aliyuncs.com/saml/acs.
LOGO
Upload a custom LOGO.
If you set Grant Read Permissions on Organizational Structure to No, click Confirm to complete the configuration.
If you select Yes, you can click Connectivity Test. After the test is successful, click Confirm to complete the configuration.
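Both the new-version and the old-version procedures above ask you to upload the SAML metadata file that IDaaS generates for the SASE application. Before uploading it, an administrator should confirm that the file really is IdP metadata, that it carries a signing certificate (without one, assertions cannot be verified), that every single sign-on endpoint is HTTPS, and that any validUntil stamp has not already passed. The following Python script is an added example and is not code from Alibaba Cloud, SASE or IDaaS; the metadata document, the entityID, the endpoint URLs and the certificate body in it are constructed placeholders, and the check_idp_metadata function and IdpMetadataSummary class are names chosen here for illustration.

```python
"""Pre-upload sanity check for an IdP SAML metadata file (constructed example).

Parses the metadata an IdP exports for a service provider and reports the facts
an admin should confirm before uploading it in the Create IdP panel. It uses
only the standard library.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like an IdP metadata export. The entityID, the
# endpoint URLs and the certificate body are placeholders, not real IDaaS values.
# The HTTP-POST endpoint is deliberately plain http:// so the check has something to flag.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/sase-app"
    validUntil="2035-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpMetadataSummary:
    entity_id: str
    sso_endpoints: dict[str, str]          # binding URN -> Location
    signing_certs: int
    valid_until: datetime | None
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _parse_saml_datetime(value: str) -> datetime:
    """Metadata uses xs:dateTime in UTC with a trailing Z; fromisoformat wants +00:00."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_idp_metadata(xml_text: str, now: datetime | None = None) -> IdpMetadataSummary:
    """Return a summary of the metadata plus a list of problems (empty means OK)."""
    now = now or datetime.now(timezone.utc)
    # A metadata export never needs a DTD; refusing one avoids entity-expansion surprises.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("metadata carries a DTD; refusing to parse it")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, expected md:EntityDescriptor")

    problems: list[str] = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID attribute is missing")

    valid_until = None
    if root.get("validUntil"):
        valid_until = _parse_saml_datetime(root.get("validUntil"))
        if valid_until <= now:
            problems.append(f"metadata expired at {valid_until.isoformat()}")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor (this is not IdP metadata)")
        return IdpMetadataSummary(entity_id, {}, 0, valid_until, problems)

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None:
            signing_certs += 1
    if signing_certs == 0:
        problems.append("no signing certificate: the SP could not verify assertions")

    endpoints: dict[str, str] = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding", ""), sso.get("Location", "")
        endpoints[binding] = location
        if urlparse(location).scheme != "https":
            problems.append(f"SSO endpoint is not HTTPS: {location}")
    if not endpoints:
        problems.append("no md:SingleSignOnService endpoint")

    return IdpMetadataSummary(entity_id, endpoints, signing_certs, valid_until, problems)


if __name__ == "__main__":
    summary = check_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", summary.entity_id)
    for binding, location in summary.sso_endpoints.items():
        print(f"  {binding.rsplit(':', 1)[-1]:<14} {location}")
    print("signing certs:", summary.signing_certs)
    print("OK" if summary.ok else "PROBLEMS:\n  " + "\n  ".join(summary.problems))
```

Run it against the file IDaaS exported instead of the constructed sample by reading the file into check_idp_metadata; an empty problems list means the file is structurally fit to upload, while a flagged endpoint or a missing signing certificate is worth resolving in the IDaaS console before the Connectivity Test.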
View synchronization records
If you select Grant Read Permissions on Organizational Structure and enable automatic synchronization when you configure the identity provider, you can view the synchronization records after the automatic synchronization is complete.
On the Identity synchronization tab, find the desired identity source and click Synchronize Records in the Actions column.
On the Synchronize Records page, you can view the synchronization records for the identity source.
In the Synchronization Task area on the left side of the page, click a specific sync task to view its synchronization information in the list on the right.
Click Details in the Actions column for a specific task to view the field information of the Third-party Data Source and the SASE Data Source for that synchronization.
Manual synchronization
If you did not enable Automatic Synchronization when you configured the identity source, or if the structure of your identity source has changed, you must manually synchronize the information. To do this, click Create Synchronization Task and then click OK. Wait for the sync task to complete successfully before you view the synchronization records.
After the synchronization is successful, you can view the synchronized organizational structure and employee information on the tab. For more information, see Employee Center.
Disable automatic synchronization
On the Identity synchronization page, find the desired identity source and turn off the switch in the Automatic Synchronization column.
In the Edit IdP panel, turn off the automatic synchronization switch.
Edit an IDaaS identity provider
On the Identity synchronization tab, find the IDaaS identity provider that you want to edit and click Edit in the Actions column.
Disable an IDaaS identity provider
On the Identity synchronization tab, find the IDaaS identity provider that you want to disable and turn off the switch in the IdP Status column.
Delete an IDaaS identity provider
On the Identity synchronization tab, find the IDaaS identity provider that you want to delete and click Delete in the Actions column.
References
Configure a SASE identity provider
If your company does not use any identity provider, you can use the custom identity provider provided by SASE to build an organizational structure. For more information, see Configure a SASE identity provider.
Connect to a third-party identity provider
If your company already uses an identity provider such as LDAP, DingTalk, WeCom, Lark, or IDaaS to manage its organizational structure, you can connect the identity provider to SASE.
Configure user groups
To create user groups outside the corporate organizational structure, see User group management.