
Securing External Customer Access in JSM After Migrating to Cloud

Aditya_miniOrange
November 20, 2025

As Atlassian Data Center approaches its end of support, many teams running JSM (Jira Service Management) are preparing their migration to Cloud. For organizations that rely heavily on JSM for serving external customers, vendors, partners, or clients, this transition brings unique challenges, not just in data migration but in preserving the security and access controls that have been built over the years on Data Center.

On Data Center, teams are accustomed to complete control: tightly managed customer portal permissions, automated user creation via IdP, custom group structures, and consistent SSO flows across customer-facing portals. But Atlassian Cloud handles authentication differently, and recreating this fine-grained setup often leaves teams uncertain about what’s possible.

 

The Problem: What JSM Teams Struggle With in Cloud Migration

When customers using Jira Service Management start the move to Cloud, they quickly discover several critical limitations and challenges:

  • Implementing multiple IdPs for different customer groups, business units, or external clients typically requires the Enterprise Cloud plan, which can be costly and unnecessary for smaller to mid-level teams. Additionally, native support for the OAuth protocol is not included.

  • Automatically mapping external users to JSM Organizations based on domains or IdP groups is not available out of the box in Cloud, leading to manual customer management work.
  • Restricting customer portals based on identity attributes becomes difficult, increasing the risk of unauthorized access.
  • There is limited ability to map IdP custom attributes to Jira fields, so inconsistencies like typos, incorrect values, and missing info can arise, leading to data inaccuracies.
  • The existing complexity, including duplicate customer accounts, odd group structures, and forgotten permissions, tends to follow teams into the Cloud unless a proper solution is put in place.

All of this results in one major concern for JSM admins:

“How do we move to Cloud without losing the secure, automated, and controlled customer access model we rely on?”

How Our JSM SSO App Solves These Cloud Migration Challenges

This is where the SAML/OAuth SSO for JSM Customers app becomes essential for teams transitioning from Data Center to Cloud. It reintroduces the security, automation, and fine-grained control JSM admins are used to while embracing security controls.

✔ Enforce SSO for External or Portal-Only Customers

Authenticate external users through their existing IdP (Azure AD, Azure B2C, Keycloak, Okta, ADFS, Google, custom IdPs, etc.) to prevent spam tickets, fake sign-ups, or unauthorized access.

✔ Support for OAuth/OIDC protocols

If your organization has a custom OAuth/OIDC provider, or any standard IdP that follows the OAuth/OIDC protocol, you can connect it with our app.

✔ Multiple IdPs Without the Enterprise Cloud Plan

If your organization serves multiple clients, each with its own identity provider, you can connect them all without needing to upgrade to the Enterprise plan. This is a massive cost saver for many MSPs, agencies, and multi-tenant JSM teams. - Connect Multiple IDP

✔ Auto-Assign Users to JSM Organizations (Domain & Group-Based)

Automatically maps external customers to JSM Organizations using their:

  • Email domain, or

  • IdP group

This eliminates tedious manual assignment, ensures consistent customer segregation across organizations, and saves admins a lot of time. - Organization Mapping



Portal Access Mapping for Tighter Security

Ensure granular control over customer portal access by mapping IdP groups and domains to specific portals. Admins can restrict access based on the following:

  • IDP Groups → Customer Portals

  • JSM Organizations → Customer Portals

This feature restores the granular access control that teams relied on in Data Center, effectively closing any security gaps during Cloud migration. - Portal Access Mapping
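The two mappings described above (email domain or IdP group to JSM Organization, then IdP group or Organization to customer portal) reduce to a deny-by-default lookup. The sketch below is an added illustration, not the app's code or configuration format; the table names, the OIDC-style claim names (`email`, `email_verified`, `groups`) and every organization, group and portal value are assumptions.

```python
# Constructed mapping tables; all names and values are hypothetical placeholders.
DOMAIN_TO_ORG = {"acme.example": "Acme Corp", "globex.example": "Globex"}
GROUP_TO_ORG = {"globex-vendors": "Globex"}
GROUP_TO_PORTALS = {"globex-vendors": {"VENDOR"}}
ORG_TO_PORTALS = {"Acme Corp": {"HELP"}, "Globex": {"HELP", "BILLING"}}


def email_domain(email):
    """Return the lowercased domain, or None for a malformed address."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.strip().split("@")
    return domain.lower() if local and domain else None


def resolve_access(claims):
    """Map IdP claims to (organizations, portals); unmapped users get nothing."""
    orgs, portals = set(), set()
    # Use the email claim only when the IdP asserts it was verified.
    if claims.get("email_verified") is True:
        domain = email_domain(claims.get("email"))
        # Exact match, never a suffix or substring test, so that
        # "acme.example.evil.test" cannot land in Acme's organization.
        if domain in DOMAIN_TO_ORG:
            orgs.add(DOMAIN_TO_ORG[domain])
    groups = claims.get("groups") or []
    if isinstance(groups, str):  # single-valued attribute sent as a bare string
        groups = [groups]
    for group in groups:
        if group in GROUP_TO_ORG:
            orgs.add(GROUP_TO_ORG[group])
        portals |= GROUP_TO_PORTALS.get(group, set())
    for org in orgs:
        portals |= ORG_TO_PORTALS.get(org, set())
    return orgs, portals


if __name__ == "__main__":
    # Constructed sample claims.
    sample = {"email": "ann@acme.example", "email_verified": True, "groups": []}
    print(resolve_access(sample))
```

A user whose claims match no table entry ends up with no organization and no portal, which is the behaviour to verify after migration before opening a portal to external sign-ins.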

✔ Maintain a Clean, Controlled Customer Directory in Cloud

By controlling authentication at the IdP level, admins can prevent:

  • Duplicate or inactive external accounts

  • Incorrect portal visibility

  • Unnecessary customer clutter in Cloud directory

This also reduces migration cleanup work significantly.

✔ Unlimited Custom Attributes 

Store any number of business-specific fields in your IdP (e.g., Security_Clearance, Customer_Tier, Vendor_Level) and use them inside JSM by automatically mapping IdP attributes → Jira custom fields. Admins get:

  • Consistent, clean data: No typos or mismatched entries; values come directly from the IdP.

  • Enterprise-level flexibility: Works across multiple IdPs with fallback attribute logic.

  • Faster ticket creation: Automatically populated fields lead to less effort for users and fewer errors for agents.

This feature is especially important for JSM teams handling regulated workflows, multi-client servicing, or projects where access level and classification matter.

 

Final Thoughts

Migrating JSM from Data Center to Cloud is not just a technical shift; it’s an operational and security transformation. The biggest challenges aren’t always the data itself, but maintaining secure and automated customer access in Cloud without extra complexity, cost, or manual work.

The SAML/OAuth SSO for JSM Customers app ensures that your Cloud setup mirrors the strong security, automation, and controlled access you enjoyed on Data Center while enabling smoother authentication and better organization mapping for your external customers.

If you’re planning or already undergoing a Cloud migration, this solution bridges the gap and ensures that your JSM portals remain secure, scalable, and aligned with your existing identity infrastructure. Reach out to us from here if you'd like a demo of the same. 
