
[Feature] Support resolving the organization of the user at the point of access with email domains for B2B apps #16379

Closed
thanujalk opened this issue Aug 3, 2023 · 9 comments

Comments

@thanujalk
Contributor

thanujalk commented Aug 3, 2023

Is your feature request related to a problem? Please describe.
When the user is accessing the system, we should be able to identify the organization of the user using the email domain. This is required to identify the organization where the user belongs and to give authority to the respective owner of that business to manage that identity.

Describe the solution you would prefer

We are only considering the sales-led approach, and after the mapping is done at the primary organization level, the flow should be as follows.

  • User comes to the B2B application's home page and clicks login.
  • Username input is prompted for the user.
  • User enters an email address.
  • System identifies that the user belongs to the respective sub-organization that owns the email domain and redirects the user to the organization login.
  • User logs in with the organization login and returns to the organization space of the B2B application.
  • User registration also needs to be limited to the mapped email domain.
@thanujalk thanujalk added this to the 6.2.0-alpha6 milestone Aug 3, 2023
@thanujalk thanujalk modified the milestones: 6.2.0-alpha6, 6.2.0-alpha7 Aug 3, 2023
@thanujalk thanujalk changed the title Support resolving the organization of the user at the point of access with email domains for B2B apps [Feature] Support resolving the organization of the user at the point of access with email domains for B2B apps Aug 4, 2023
@dewniMW
Contributor

dewniMW commented Sep 12, 2023

The design doc and user stories have been finalized.
Currently working on finalizing the API definition for organization discovery attribute management.

@dewniMW dewniMW moved this from Todo to In Progress in Identity Server 7.0.0 Sep 12, 2023
@dewniMW
Contributor

dewniMW commented Oct 27, 2023

Steps to try out the feature:

  1. Access the console and create sub organizations.
  2. In the super organization console enable email domain discovery config.
  3. In the super organization console map email domains to these sub organizations (organizations may or may not have associated email domains.)
  4. For sub organizations with mapped email domains, create users with the username as an email, where the email domain is one of the mapped domains of that organization. Note that we only allow registering users with that particular domain. If a sub organization doesn't have a mapped domain, then users can't be created with an email domain that is associated with another organization in the hierarchy. Users can be created with any other email domain that is not taken.
  5. Register a B2B app in the super organization and share it with sub organization.
  6. Access the B2B organization and sign in with organization SSO:
  • If the sub organization has a mapped domain, enter the email username. The user will be redirected to the correct sub organization for authentication.
  • If the sub organization doesn't have mapped domains, enter the organization name to continue with the flow.

Important things to note: to try out this feature, the username should be an email. This will be documented, and the console UI will also be improved to display this information in the view provided to enable the organization email domain discovery config (pending).
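The login flow from the feature description and the registration rules from the steps above, modelled as an added example (this is not WSO2 Identity Server code; the class and method names, the in-memory mapping store and the sample organizations and domains are assumptions constructed for illustration). It shows the two security-relevant checks: a domain can be owned by at most one organization in the hierarchy, so discovery is never ambiguous, and registration in a sub organization is refused for any email domain that is mapped to a different organization.

```python
"""Toy model of email-domain organization discovery (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def _email_domain(username: str) -> Optional[str]:
    """Return the lowercase domain of an email username, or None when the
    username is not an email (the feature requires email usernames)."""
    local, sep, domain = username.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


@dataclass
class OrganizationDiscovery:
    """Hypothetical mapping store: sub org id -> email domains mapped to it."""
    discovery_enabled: bool = False  # the super organization config switch
    mappings: Dict[str, Set[str]] = field(default_factory=dict)

    def owner_of(self, domain: str) -> Optional[str]:
        """Which organization in the hierarchy owns this domain, if any."""
        domain = domain.lower()
        for org_id, domains in self.mappings.items():
            if domain in domains:
                return org_id
        return None

    def map_domain(self, org_id: str, domain: str) -> None:
        """Map a domain to org_id. A domain may belong to only one
        organization, otherwise discovery could not pick a single org."""
        domain = domain.lower()
        owner = self.owner_of(domain)
        if owner is not None and owner != org_id:
            raise ValueError(f"domain {domain!r} is already mapped to {owner!r}")
        self.mappings.setdefault(org_id, set()).add(domain)

    def resolve_organization(self, username: str) -> Optional[str]:
        """Discovery step of the login flow: the sub org that owns the
        email domain of the entered username, or None."""
        if not self.discovery_enabled:
            return None
        domain = _email_domain(username)
        return self.owner_of(domain) if domain else None

    def login_target(self, username: str) -> str:
        """Where the login page sends the user next: the owning org's
        login, or a prompt for the organization name when no org matches."""
        org = self.resolve_organization(username)
        return f"organization-login:{org}" if org else "prompt-organization-name"

    def can_register(self, org_id: str, username: str) -> bool:
        """Registration restriction: an org with mapped domains accepts only
        those domains; an org without mappings accepts any domain that is
        not mapped to another org in the hierarchy. Non-email usernames are
        rejected because discovery relies on the domain part."""
        domain = _email_domain(username)
        if domain is None:
            return False
        own = self.mappings.get(org_id, set())
        if own:
            return domain in own
        return self.owner_of(domain) is None


def build_sample() -> OrganizationDiscovery:
    """Constructed hierarchy: two sub orgs with mapped domains, one without."""
    d = OrganizationDiscovery(discovery_enabled=True)
    d.map_domain("acme", "acme.example")
    d.map_domain("acme", "acme-corp.example")
    d.map_domain("globex", "globex.example")
    d.mappings.setdefault("nomap", set())  # sub org with no mapped domain
    return d


if __name__ == "__main__":
    sample = build_sample()
    for user in ("alice@acme.example", "bob@globex.example", "eve@free.example"):
        print(f"{user:>22} -> {sample.login_target(user)}")
    print("nomap may register dave@acme.example:", sample.can_register("nomap", "dave@acme.example"))
    print("nomap may register dave@free.example:", sample.can_register("nomap", "dave@free.example"))
```

The duplicate-mapping check in `map_domain` is the property to verify first when testing a real deployment: if the same domain can be attached to two organizations, the discovery step becomes a guessing game and the registration restriction can be bypassed by registering through the other organization.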

@asekawa

asekawa commented Oct 27, 2023

@dewniMW can you please check this checklist

  • Is the end-to-end (e2e) testing complete?
  • Are unit tests available(if not provide the reason)?
  • Are integration tests available(if not provide the reason)?
  • Has this feature been tested on the latest Jenkins build after merging the changes? (Please Attach Proof, Screenshots, Screen recordings)
  • Are all the relevant sub-tasks updated as complete (e.g., Cloud readiness tasks and migrations, docs)?
  • Have demo sessions been completed? (If yes, please attach the recording link)
  • Does this change impact the on-prem environment only (is this an IS-specific feature)?
  • Are impacted docs updated?

@asekawa

asekawa commented Oct 27, 2023

@dewniMW
tested this feature on build no 4886 (Jenkins build) but could not proceed with the complete end-to-end flow, as it redirects to a blank page after giving a sub org specific username (with the configured tenant name)

Screen.Recording.2023-10-27.at.17.19.15.mov

@dewniMW
Contributor

dewniMW commented Oct 27, 2023

@dewniMW tested this feature on build no 4886 (Jenkins build) but could not proceed with the complete end-to-end flow, as it redirects to a blank page after giving a sub org specific username (with the configured tenant name)

Screen.Recording.2023-10-27.at.17.19.15.mov

As discussed with @asekawa there is an issue with that particular Jenkins build. Probably due to some dependency issue in another component.

@asekawa

asekawa commented Oct 30, 2023

@dewniMW verified the basic flow under the pack https://drive.google.com/file/d/1e1WrjxJdhEbujc5brM5vdPFwIKBmXQos/view.

Screen.Recording.2023-10-30.at.10.31.58.mov

Given below are the identified issues.
  1. #17382
  2. #17390

@dewniMW
Contributor

dewniMW commented Oct 30, 2023

@dewniMW can you please check this checklist

  • Is the end-to-end (e2e) testing complete?
  • Are unit tests available(if not provide the reason)?
  • Are integration tests available(if not provide the reason)?
  • Has this feature been tested on the latest Jenkins build after merging the changes? (Please Attach Proof, Screenshots, Screen recordings)
  • Are all the relevant sub-tasks updated as complete (e.g., Cloud readiness tasks and migrations, docs)?
  • Have demo sessions been completed? (If yes, please attach the recording link)
  • Does this change impact the on-prem environment only (is this an IS-specific feature)?
  • Are impacted docs updated?

E2E tests will be captured once the feature is onboarded to cloud.
Unit tests and integration tests are in progress.
The migration issues are tracked with #16879 and #16878.
The documentation is tracked with #17396

@Rashmini
Contributor

Rashmini commented Oct 30, 2023

Wireframes of the email domain discovery feature in the console:

This was added as a new page in the console, since the current organizations page only lists the immediate next-level organizations. Here, we should be able to map email domains to all the organizations below the current level.

Organization list with email domain mappings:
We have not added email domain deletion here, since it gives an impression similar to deleting the organization. Further, since deleting mapped email domains is a critical decision, we can navigate to a particular organization and remove the email domains from the edit view.
image

Assign email domains to an organization:
image

Update email domains of an organization:
image

@dewniMW
Contributor

dewniMW commented Nov 1, 2023

Closing this issue as the overall functionality has been delivered with IS 7.0.0 alpha release. The rest of the improvements/tasks will be tracked with separate issues.
