REWE Group Simplifies Access with Dynamic SSO and Group Provisioning
The REWE Group, one of Germany’s largest retail and tourism cooperatives, wanted to enhance its Atlassian ecosystem by refining user provisioning and group management. Using miniOrange’s OAuth SSO integration, REWE aimed to automate and accurately assign users to multiple groups during Single Sign-On (SSO), without delays or manual intervention.
Through a custom enhancement in the miniOrange OAuth plugin, REWE Group achieved seamless group provisioning across Jira and Confluence, ensuring both precision and performance.
Business Challenge
The REWE Group leveraged miniOrange’s OAuth SSO plugin to manage access across its Atlassian stack, including Jira and Confluence. However, a unique challenge emerged.
Handling Multiple Group Attributes in OAuth Token Response for Accurate User Mapping
- The OAuth token response from their Identity Provider (IDP) included multiple group attributes, each containing a distinct set of user groups.
- The plugin’s default configuration supported only a single group attribute for mapping.
This limitation led to incomplete group assignments and manual corrections, slowing down provisioning and creating inconsistencies across systems. REWE needed a dynamic, automated mechanism to handle multiple attributes and regex-based filtering during user authentication.
miniOrange’s Solution: Intelligent Multi-Attribute Group Mapping
miniOrange conducted a deep technical analysis of REWE’s OAuth response and implemented a custom feature enhancement to the OAuth SSO plugin. This upgrade enabled the mapping of multiple group attributes within the token response.
Here’s how it helped:
- Multi-Attribute Group Mapping: Administrators could now map multiple group attributes, allowing the plugin to retrieve and assign all groups dynamically.
- Regex-Based Filtering: REWE’s requirement for pattern-based filtering was fulfilled by enabling regex rules per group attribute, ensuring only relevant groups were assigned to users.
- Optimized Just-in-Time Provisioning: Even with complex mappings, the new implementation ensured that SSO speed remained unaffected.
This tailor-made solution transformed how REWE Group managed user access, eliminating manual errors and aligning permissions instantly at login.
How It Works
- During SSO, the OAuth token response is received from the IDP.
- The plugin extracts multiple group attributes configured by the admin.
- Regex patterns are applied individually to each attribute, filtering out unwanted groups.
- The plugin automatically assigns the matching groups to the user within Jira or Confluence.
- Just-in-Time provisioning ensures that group assignment happens instantly during login, without delays or additional configuration.
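The mapping steps above as an added Python example (not miniOrange's plugin code): the attribute names, regex rules and token response are constructed for illustration. Full-match regex semantics are an assumption, chosen so that a pattern cannot admit a group through a partial match.

```python
import re

# Hypothetical admin configuration: token attribute name -> regex that a
# group name must match in full to be assigned. All names are constructed.
GROUP_ATTRIBUTE_RULES = {
    "groups": r"jira-[a-z0-9-]+",
    "department_groups": r"confluence-(editors|viewers)",
}

# Constructed sample of a decoded OAuth token response.
SAMPLE_TOKEN_RESPONSE = {
    "sub": "user-123",
    "groups": ["jira-developers", "vpn-users", "not-jira-admins"],
    "department_groups": "confluence-editors, confluence-editors-legacy",
    "roles": ["jira-administrators"],  # attribute not configured: ignored
}


def _as_group_list(value):
    """Normalize an attribute value: list, comma-separated string, or absent."""
    if value is None:
        return []
    if isinstance(value, str):
        value = value.split(",")
    if not isinstance(value, (list, tuple)):
        return []  # unexpected type: assign nothing from this attribute
    return [v.strip() for v in value if isinstance(v, str) and v.strip()]


def resolve_groups(token_response, rules):
    """Return the sorted groups to assign, filtering each attribute by its own regex."""
    assigned = set()
    for attribute, pattern in rules.items():
        compiled = re.compile(pattern)
        for group in _as_group_list(token_response.get(attribute)):
            # fullmatch, not search: an unanchored match would also accept
            # "not-jira-admins" or "confluence-editors-legacy".
            if compiled.fullmatch(group):
                assigned.add(group)
    return sorted(assigned)


if __name__ == "__main__":
    print(resolve_groups(SAMPLE_TOKEN_RESPONSE, GROUP_ATTRIBUTE_RULES))
```

Only attributes named in the configuration contribute groups, so a claim such as `roles` in the constructed sample cannot grant membership unless an administrator maps it explicitly.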
Success Outcomes: Precision, Performance, and Partnership
REWE Group’s collaboration with miniOrange led to significant operational improvements:
- Accurate Group Assignment: Users are now automatically mapped to all correct groups from the OAuth token.
- Time Savings: Admins no longer need to manually review or adjust group memberships.
- Enhanced SSO Performance: The optimized plugin ensures instant authentication with zero delay.
- Consistent Access Across Applications: The same enhancements were extended to Confluence, ensuring uniform functionality across platforms.
About REWE Group
Founded in 1927, the REWE Group is a leading retail and tourism cooperative based in Cologne, Germany. It operates an extensive portfolio of supermarkets, convenience stores, and online platforms across Europe. Committed to innovation, REWE continuously enhances its digital infrastructure to improve efficiency and customer experience.
Through its collaboration with miniOrange, REWE Group successfully streamlined user provisioning and strengthened access management, proving how custom-built SSO solutions can balance scalability, precision, and security.