Business Challenge
Managing user access to Jira Service Management (JSM) projects at scale presents a significant challenge for administrators, especially in large enterprises where users span multiple departments, domains, and Identity Provider (IDP) groups.
Manual assignment and removal of users from Jira organizations is time-consuming, error-prone, and difficult to maintain as teams evolve or grow.
Without an automated solution, organizations face:
- Inaccurate user-to-organization mappings, leading to improper access control.
- Increased administrative overhead in maintaining user associations.
- Inefficiencies in onboarding/offboarding workflows.
There is a clear need for an automated, flexible, and scalable way to manage organization assignments during SSO to ensure users are always mapped correctly based on IDP attributes or domains—without requiring manual intervention.
Solution Overview
The Organization Mapping feature in the SAML/OAuth SSO for JSM Customers app allows administrators to seamlessly map users to Jira organizations based on their IDP groups and email domains. This automation ensures efficient user access management by dynamically assigning or removing users from Jira organizations during Single Sign-On (SSO).
Use Cases
1: Domain-Based Organization Mapping
Admins can configure the domain-based mapping feature to automatically assign users to Jira organizations based on their email domains.
Example:
- A user with an xyz.com email address logs in to the customer portal via SSO. If xyz.com is mapped to the XYZ organization, the user is automatically added to the XYZ Jira organization after successful SSO.
- If another user with an abc.com email address (who was previously in the XYZ organization) logs in, they are removed from the XYZ organization, ensuring accurate mapping.
This ensures users from a specific domain are always associated with the correct Jira organization.
2: IDP Group-Based Organization Mapping
Users can be mapped to Jira organizations based on their Identity Provider (IDP) group.
- An admin maps the "Developers" Jira organization to the "software-engineers" IDP group.
- When users from the "software-engineers" group log in, they will be automatically added to the "Developers" Jira organization.
- If a user was previously in the "Developers" Jira organization but is not in the "software-engineers" IDP group, they will be removed from the Jira organization after SSO.
This mapping helps in automating role-based access and keeps user organizations in sync with their IDP groups.
3: CSV Import for Bulk Organization Mapping
To simplify configuration, admins can import organization mappings via CSV file instead of manually setting them up.
Feature Highlights:
- Upload a CSV file containing the existing or new Jira organizations and their corresponding IDP groups/domains.
- Once MFA verification is completed, users gain access to the customer portal. The app processes the CSV and updates the mappings seamlessly.
This quality-of-life feature was developed in response to customer requests to reduce manual effort and enhance efficiency, making large-scale organization mapping effortless.
4: Dynamic Organization Creation Based on IDP Attributes (On-the-Fly Mapping)
Some organizations may not have predefined mappings and may want to create Jira organizations dynamically based on the user's Organization IDP attribute.
Feature Highlights:
- If a user's organization attribute contains organizations that match an existing Jira organization, they are automatically assigned to it.
- If the organization does not exist, the app creates it on-the-fly and assigns the user to it after successful SSO.
Example:
- A user logs in to the portal via SSO, and their IDP attribute contains "TechOps" as their organization.
- If "TechOps" exists in Jira, the user is added to it.
- If not, "TechOps" is created in Jira, and the user is assigned to it.
This feature is especially useful when admins are not aware of all possible organizations in advance, allowing for flexible and scalable user management.
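The domain, group and on-the-fly rules above amount to one reconciliation step per SSO login. The Python below is an added example, not code from the app: the function names, the dictionary-based configuration (domain keys in lowercase) and the rule that only organizations targeted by a mapping are subject to removal are assumptions. It matches the email domain exactly, so a look-alike domain that merely contains a mapped domain gains no organization access.

```python
# Added illustration; not the app's code. All names here are hypothetical.

def email_domain(email):
    """Exact, case-insensitive domain: the text after the last '@'."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    return domain.lower()


def plan_org_changes(email, idp_groups, current_orgs, domain_map, group_map,
                     org_attribute=(), existing_orgs=(), on_the_fly=False):
    """Return the organizations to create, add and remove for one SSO login."""
    entitled = set()
    # Domain-based mapping: exact match only, so "xyz.com.example.net"
    # never satisfies a mapping for "xyz.com".
    domain = email_domain(email)
    if domain in domain_map:
        entitled.add(domain_map[domain])
    # Group-based mapping: every mapped IDP group the assertion carries.
    entitled.update(group_map[g] for g in idp_groups if g in group_map)
    # On-the-fly mapping: organization names taken from the IDP attribute.
    create = set()
    if on_the_fly:
        entitled.update(org_attribute)
        create = set(org_attribute) - set(existing_orgs)
    # Assumption: only organizations that are the target of a mapping are
    # managed; memberships in any other organization are left untouched.
    managed = set(domain_map.values()) | set(group_map.values())
    current = set(current_orgs)
    return {
        "create": sorted(create),
        "add": sorted(entitled - current),
        "remove": sorted((current & managed) - entitled),
    }


# Constructed sample configuration, using the names from the use cases above.
DOMAIN_MAP = {"xyz.com": "XYZ"}
GROUP_MAP = {"software-engineers": "Developers"}
```

Reviewing the returned plan before applying it gives an audit record of every membership change a login triggered.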
Key Benefits
Automated, flexible, and scalable Jira organization mapping via IDP groups, domains, and CSV.
- Automated User Management: Reduces manual work by dynamically assigning/removing users from Jira organizations.
- Seamless Integration: Works with IDP groups, email domains, and IDP attributes for maximum flexibility.
- Scalability: Supports bulk imports via CSV and dynamic organization creation for large enterprises.
