Restrict Service Desk Portal signup to a specific Domain

Andre Ballensiefen (Balli) April 25, 2018

Hi all, we want to start using Service Desk.

We have ~1600 people in the company. Only the IT Department and a few others have Jira access (300 User License)

The other ~1300 should be able to request help via the customer portal. As we don't want to manage all "Portal only" users manually, we want to use the sign up functionality.

Problem:

Everyone can sign up there, which is something we don't want at all. So we want to restrict the signup to a specific email domain.

The general functionality is in the Jira admin section (Site Settings -> Self Signup)


 

But this doesn't affect the Customer Portal signup.

Does someone have an idea how to manage that?

 

Thanks in advance!

Best, Andre

 

4 answers

1 accepted

3 votes
Answer accepted
Patrick S
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 29, 2018

I recently fought a very similar problem, and was able to solve it with ScriptRunner and its Script Listeners. I've posted the script I used to block a domain that was spamming us. I've also modified and tested the script to show how you can accomplish your goal of only allowing a certain domain.

  1. After installing go to Admin Cog > Add-Ons > SCRIPTRUNNER category in left panel > Script Listeners
    1. https://yourServiceDesk/plugins/servlet/scriptrunner/admin/listeners
  2. Click Add New Item > Custom Listener
  3. Set Events to monitor UserCreatedEvent
  4. To block a certain domain

     ```groovy
     import com.atlassian.jira.user.ApplicationUser
     import com.atlassian.crowd.model.user.User
     import com.atlassian.crowd.event.user.UserCreatedEvent
     import com.atlassian.jira.component.ComponentAccessor
     import com.atlassian.jira.bc.user.UserService

     // Catch the UserCreatedEvent and get the User
     def newUserEvent = event as UserCreatedEvent
     User newUser = newUserEvent.getUser()
     String email = newUser.getEmailAddress()

     // Define the domain you want to block
     String spamDomain = "@spam.xyz"

     // Null-safe check: an account created without an email address is skipped
     if (email?.toUpperCase()?.endsWith(spamDomain.toUpperCase())) {
         log.error "SPAMBOT DETECTED! " + email

         def userService = ComponentAccessor.getComponent(UserService)
         def userManager = ComponentAccessor.getUserManager()

         // Set the user account we want to run delete permissions with
         ApplicationUser runAsUser = userManager.getUserByKey("yourJiraAdminAccount")

         // Validate permissions. The second argument is the username, which this
         // script assumes is the same as the email address.
         final UserService.DeleteUserValidationResult result = userService.validateDeleteUser(runAsUser, email)
         if (result.isValid()) {
             log.error "SPAMBOT REMOVAL VALID - $email"
             userService.removeUser(runAsUser, result)
             log.error "SPAMBOT REMOVAL SUCCESSFUL - $email"
         } else {
             log.error "REMOVAL INVALID - $email"
         }
     }
     ```
  5. To only allow a certain domain

     ```groovy
     import com.atlassian.jira.user.ApplicationUser
     import com.atlassian.crowd.model.user.User
     import com.atlassian.crowd.event.user.UserCreatedEvent
     import com.atlassian.jira.component.ComponentAccessor
     import com.atlassian.jira.bc.user.UserService

     // Catch the UserCreatedEvent and get the User.
     // The listener runs for every UserCreatedEvent, not only portal sign-ups.
     def newUserEvent = event as UserCreatedEvent
     User newUser = newUserEvent.getUser()
     String email = newUser.getEmailAddress()

     // Define the domain you want to allow
     String allowedDomain = "@safeDomain.com"

     // Accounts created without an email address are skipped instead of raising an NPE
     if (email != null && !email.toUpperCase().endsWith(allowedDomain.toUpperCase())) {
         log.error "EXTERNAL ATTEMPT DETECTED! " + email

         def userService = ComponentAccessor.getComponent(UserService)
         def userManager = ComponentAccessor.getUserManager()

         // Set the user account we want to run delete permissions with
         ApplicationUser runAsUser = userManager.getUserByKey("yourJiraAdminAccount")

         // Validate permissions. The second argument is the username, which this
         // script assumes is the same as the email address.
         final UserService.DeleteUserValidationResult result = userService.validateDeleteUser(runAsUser, email)
         if (result.isValid()) {
             log.error "EXTERNAL ATTEMPT REMOVAL VALID - $email"
             userService.removeUser(runAsUser, result)
             log.error "EXTERNAL ATTEMPT REMOVAL SUCCESSFUL - $email"
         } else {
             log.error "EXTERNAL ATTEMPT REMOVAL INVALID - $email"
         }
     }
     ```
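
Added example, not part of the original answer: the allow/deny decision from the listener above pulled out into a pure Groovy function, generalized to several allowed domains and to exact domain matching, so it can be checked in a plain Groovy console before it goes into the listener. The helper name `isAllowedSignup` and the sample domains and addresses are hypothetical and constructed for illustration.

```groovy
// Hypothetical helper (not from the original answer): returns true only when the
// address has exactly one '@', a non-empty local part, and a domain that equals
// one of the allowlisted entries. Entries in allowedDomains must be lower case.
boolean isAllowedSignup(String email, Set<String> allowedDomains) {
    if (email == null) {
        return false                         // no address, nothing to match
    }
    // Locale.ROOT avoids locale-dependent case mapping (e.g. Turkish dotless i)
    String normalized = email.trim().toLowerCase(Locale.ROOT)
    int at = normalized.lastIndexOf('@')
    // Reject: no '@', empty local part, empty domain, or more than one '@'
    if (at <= 0 || at == normalized.length() - 1 || normalized.indexOf('@') != at) {
        return false
    }
    String domain = normalized.substring(at + 1)
    // Exact comparison: subdomains and look-alike suffixes do not match
    return allowedDomains.contains(domain)
}

// Constructed allowlist; replace with your own domains
Set<String> allowed = ['safedomain.com', 'companyname1.com'] as Set

// Constructed sample inputs with the expected decision
assert isAllowedSignup('Jane.Doe@SafeDomain.com', allowed)         // case-insensitive
assert isAllowedSignup('  bob@companyname1.com ', allowed)         // surrounding spaces
assert !isAllowedSignup('bob@notsafedomain.com', allowed)          // look-alike domain
assert !isAllowedSignup('bob@safedomain.com.example.org', allowed) // allowed name as prefix
assert !isAllowedSignup('bob@mail.safedomain.com', allowed)        // subdomain not listed
assert !isAllowedSignup('a@b@safedomain.com', allowed)             // two '@' signs
assert !isAllowedSignup('@safedomain.com', allowed)                // empty local part
assert !isAllowedSignup('safedomain.com', allowed)                 // no '@'
assert !isAllowedSignup(null, allowed)                             // no email set
```

In the listener, the `endsWith` condition would become `email != null && !isAllowedSignup(email, allowed)`, keeping the answer's behaviour of skipping accounts that have no email address.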
Santhosh ESS June 10, 2019

Hi Patrick,

This script works fine. But it is not showing any warning/error message on screen if a user tries to sign up with a domain other than the allowed ones. Could you please help us add that message to the script?

Patrick S
Community Leader
June 10, 2019

Santhosh,

I wish I could be of more assistance, but I have not looked into how to pass feedback to the browser. Since my use case was blocking spam, I actually didn't want any feedback given.

Good luck,

Patrick

Santhosh ESS June 10, 2019

Patrick,

This helps. But what if a user signs up with the expected domain and a fake email ID, like falsemailid@SafeDomain.com?

Is there any way we can have a verification for this?

Thanks.

Patrick S
Community Leader
June 10, 2019

Santhosh,

To accomplish that there would need to be a way to validate the email address with an API (there are several available, I've never used any), and then integrate that with the GroovyScript (there's probably a way) to give feedback.

Because the domain is trusted / configured in the script, you would have to rely on something external to JIRA to validate the address is truly a real email. The exception to that is if you have a full list of valid email addresses available to JIRA (via something like LDAP integration, SQL Server view, etc).

2 votes
Chris P. April 24, 2019

+1 vote.  We need this flexibility, as we are providing support via JSD to 3 large companies that are competitors of each other, and the TIME it takes to allow 1 user at a time per JSD project is crippling.

If we could allow access to JSD portal by group / domain name, i.e. @companyname1.com vs @Test Company_name_2.com > this would make much more sense.

0 votes
AR March 31, 2020

A feature request was created to add Blacklist/Whitelist customer sign-up functionality to Jira Service Desk. If you're interested please vote for it here: https://jira.atlassian.com/browse/JRASERVER-70841

Thanks.

David Peña November 5, 2020

Seems there were already tickets submitted for this a long time ago. Probably worth voting on these too!

For cloud: https://jira.atlassian.com/browse/JSDCLOUD-868

For server: https://jira.atlassian.com/browse/JSDSERVER-868

0 votes
Jack Brickey
Community Leader
April 25, 2018

Unless something has changed, for which I would be pleasantly surprised, this is not possible. The best thing to do is to add the customers manually. If you can generate a CSV of the users' emails you can copy and paste into the "add customers" input area.

Andre Ballensiefen (Balli) April 26, 2018

Hi Jack,

 

Thanks for the quick answer!

Do you know, if we connect our Jira via SAML (see picture), whether this would have an effect on the service portal signup?

 


 

 

Thanks in advance!

Best, Andre

M Amine
Community Leader
July 19, 2018

Any feedback on using SAML? Does it solve your problem?

kind regards

Andrew Hatch November 30, 2018

SAML works for the domain users, which is great. But still allows non-domain users to log in.

This seems like a pretty simple request for Atlassian: just a whitelist for new accounts and trigger an error if they don't match a domain. I 
