
Third-Party SSO Login

A BabelBird private deployment can connect to Enterprise WeChat, DingTalk, Feishu, OA, ADFS and other identity systems for single sign-on, QR-code login, mobile authorization login and organization synchronization. SSO is not a single interface; it consists of two parts: third-party authorization login and third-party organization synchronization.

Login And Organization Sync

Multiple authorization login sources can be configured, such as Enterprise WeChat QR login, DingTalk QR login and OA account login at the same time. Organization synchronization should normally use one authoritative source to avoid account conflicts caused by multiple systems writing members and departments. Login sources should share a consistent unique user identifier.

Enterprise WeChat

Enterprise WeChat integration usually requires the enterprise CorpId, the internal application's AgentId and Secret, the trusted domain, the OAuth callback URL, authorization login settings and, for mobile login, the iOS Bundle ID, Android signature and package name.

Enterprise WeChat CorpId: The Enterprise WeChat admin console provides the CorpId for BabelBird configuration.

Enterprise WeChat app information: After creating an internal app, obtain its AgentId and Secret.

Core configuration:

  1. Create an internal Enterprise WeChat app and obtain CorpId, AgentId and Secret.
  2. Configure the workbench app home page and replace appid and the private deployment domain in the OAuth URL.
  3. Configure the trusted domain under Web Authorization and JS-SDK and complete domain verification.
  4. Configure the Web callback domain under Enterprise WeChat authorization login.
  5. Configure iOS Bundle ID, Android app signature, package name and schema where mobile login is required.

Enterprise WeChat authorization login: Authorization login requires Web, iOS and Android authorization settings.

DingTalk

DingTalk integration normally includes an H5 micro-app and QR-code login. The H5 micro-app is used to access BabelBird from the DingTalk workbench; QR-code login is used for browser authorization.

Create DingTalk H5 micro-app: Create an H5 micro-app under enterprise internal development in the DingTalk open platform.

Configuration points:

  • Log in to DingTalk admin and open platforms as an administrator.
  • Create an enterprise H5 micro-app and set the app home URL to the BabelBird private deployment address.
  • The server outbound IP must match the deployment environment; otherwise some DingTalk APIs may not work.
  • Enable enterprise address book permissions to connect accounts and organization structure.
  • Obtain CorpId, AppKey and AppSecret and provide them for BabelBird configuration.
  • For QR-code login, create a scan-login authorization app under Mobile App Access > Login and obtain appId and appSecret.

DingTalk API permissions: DingTalk apps need address book permissions to connect organization and account data.

DingTalk AppKey and AppSecret: The application details page provides AppKey and AppSecret.

Feishu

Feishu integration usually requires creating an enterprise custom app, obtaining APP ID and APP Secret, and configuring web entry, OAuth redirect URL, mobile login, security settings, IP whitelist, H5 trusted domain and address book permissions.

Create Feishu enterprise app: Create an enterprise custom app in the Feishu admin console as the identity entry for BabelBird.

Feishu credentials: APP ID and APP Secret in Feishu credentials are used in BabelBird configuration.

Key steps:

  1. Create an enterprise custom app and obtain credentials.
  2. Configure web entry and OAuth redirect URLs using the enterprise's BabelBird domain.
  3. Enable bot capability and message permissions if notifications are required.
  4. Configure iOS Bundle ID and Android app information for mobile authorization login.
  5. Configure redirect URL, IP whitelist and H5 trusted domain in security settings.
  6. Enable required permissions for departments, users, phone numbers, email and messaging.
  7. Create a version, submit it for review and publish the app.

Feishu security settings: Feishu security settings include redirect URL, IP whitelist and H5 trusted domain.

Deployment Checklist

| Check | Description |
| --- | --- |
| Dedicated domain | Confirm http/https, domain and callback URL are exactly aligned |
| Unique user identifier | Multiple login sources should share a consistent userId, mobile, email or employee-number mapping |
| Organization sync source | Usually use only one organization source to avoid member and department conflicts |
| Callback URL | OAuth callbacks must match both third-party console and BabelBird configuration |
| Mobile information | iOS Bundle ID, Android package name and signature must match the actual app |
| Permission scope | Request only permissions needed for login, address book sync and notifications |
| Audit and security | Test login, offboarding, department changes, permission inheritance and logs after integration |
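
The callback URL and unique user identifier rows above (and the shared-identifier requirement under Login And Organization Sync) can be checked before go-live. The Python below is an added example, not BabelBird code: the domain, callback path, source names, record fields and the use of employee number as the person key are assumptions, and the records are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def callback_mismatches(console_url, babelbird_url):
    """Name the URL parts that differ between the third-party console and BabelBird."""
    a, b = urlsplit(console_url), urlsplit(babelbird_url)
    parts = {
        "scheme": (a.scheme.lower(), b.scheme.lower()),
        "host": ((a.hostname or "").lower(), (b.hostname or "").lower()),
        "port": (a.port or DEFAULT_PORTS.get(a.scheme.lower()),
                 b.port or DEFAULT_PORTS.get(b.scheme.lower())),
        "path": (a.path, b.path),  # exact comparison: case and trailing slash count
    }
    return [name for name, (x, y) in parts.items() if x != y]

def identifier_conflicts(records, key):
    """Check that `key` links each person to exactly one value across login sources."""
    values_by_person, people_by_value, missing = defaultdict(set), defaultdict(set), []
    for rec in records:
        value = (rec.get(key) or "").strip().lower()  # assumes case-insensitive matching
        if not value:  # this source cannot supply the shared identifier
            missing.append((rec["source"], rec["employee_no"]))
            continue
        values_by_person[rec["employee_no"]].add(value)
        people_by_value[value].add(rec["employee_no"])
    return {
        "missing": missing,
        # one person, several values: logins would split into duplicate accounts
        "split": {p: sorted(v) for p, v in values_by_person.items() if len(v) > 1},
        # one value, several people: logins would merge distinct users
        "shared": {v: sorted(p) for v, p in people_by_value.items() if len(p) > 1},
    }

# Constructed sample data; domain, path and field names are placeholders.
CONSOLE_CALLBACK = "http://docs.example.com/sso/callback/"
BABELBIRD_CALLBACK = "https://docs.example.com/sso/callback"
RECORDS = [
    {"source": "enterprise_wechat", "employee_no": "E001", "email": "Li.Wei@example.com"},
    {"source": "dingtalk", "employee_no": "E001", "email": "li.wei@example.com"},
    {"source": "oa", "employee_no": "E002", "email": "zhang.min@example.com"},
    {"source": "dingtalk", "employee_no": "E002", "email": "zmin@example.com"},
    {"source": "enterprise_wechat", "employee_no": "E003", "email": ""},
    {"source": "oa", "employee_no": "E004", "email": "li.wei@example.com"},
]

if __name__ == "__main__":
    print(callback_mismatches(CONSOLE_CALLBACK, BABELBIRD_CALLBACK), identifier_conflicts(RECORDS, "email"))
```

Any non-empty result is worth resolving before enabling a login source: a `split` or `shared` entry means the chosen identifier does not map one person to one account across sources.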

Relationship With Permissions

Third-party SSO answers “who the user is, how the user logs in, and where organization data comes from”. File permissions are still controlled by BabelBird enterprise roles, department roles, project permissions, file access control, sharing permissions and security policies.

BabelBird capabilities may change by product version, licensed modules and deployment configuration; actual availability depends on the deployed environment and administrator settings.