Hello Everyone,
TL;DR
Longer version
I have some doubts about our migration from Jira service desk on prem to Jira service desk in the cloud.
We used to have (in Jira on prem) our customers' accounts registered via our solution, which was connecting to service desk via REST API. Customer accounts were organized according to the organization that they were attached to. In our case, one organization most often has more than one customer account attached, and it was convenient that they could see the “organization” history.
When moving to cloud we would like to change the way of handling users. We would like to keep them in our Keycloak and only enable SSO for them when logging in to service desk. However, we would like to keep the structure of how they are organized in service desk.
After reading the manuals and forum, we managed to enable “portal only” login for customers. However, those customers are missing information about the organization that they should belong to.
On the other hand, we have tried to configure SSO with an identity provider, but we have encountered some problems (see questions at the top).
Organizations within JSM have nothing to do with the Atlassian Org or SSO.
Organizations are merely there to organize your customers (portal-only users and possibly others) and give them access to requests (share with organization).
When you configure SSO (you will need Atlassian Access) for that, you can create different policies and attach user groups to them. So you could have different policies for your internal and your external users. Are both your internal and external users (portal only) managed in the same Keycloak / directory?
You can have users from different domains. The verified domain is there for claiming all Atlassian users with that domain (optional) and things like security settings, Email-config... So you would only verify your "own" domain.
For users from other domains it might be the case that they are already managed within a different Atlassian Org. Therefore they might already have some login policies enforced and would always fall under the policy of their own org before yours.
As you can see: there is no easy answer and it really depends on your whole setup, which I still haven't completely understood.