Building org-level apps

Hi, we have a SAAS product and we’d like to create an app that can be installed per atlassian organization (and not request authorization for each user).

To elaborate a bit more, in our product (SAAS), each account is associated with an organization and has multiple users. We’d like to enable a Jira integration where the organization can connect to its Jira workspace so that issues could be created from our product using REST API.

Is this at all possible? with any of the options to build apps? (Forge, Connect, OAuth 2.0 (3LO) app)?

Just to be clear, my meaning is to perform the authorization process only once for the first (Admin) user and make the app and functionality available for all users in the organization.

Your help is much appreciated!


Hey @NatashaCherniavsky that’s a great question.

My understanding of the setup you’ve mentioned is:

  • Interactions are to be driven from the SaaS product (not from Jira)
  • Ideally, you want the admin to link your product with Jira and have it work for everyone. You say “Atlassian organization” but hopefully “Jira site” will do, because Atlassian can’t offer a one-shot installation across multiple products and sites organised under what you are calling an “Organization”

Now, in terms of possible solutions, Forge seems to have a way forward.

  1. In your SaaS product, show a link to the “direct distribution” Forge installation URL. Admin can go there and install on the relevant site(s).
  2. The admin can then go to an admin page (looks like post-install pages and config pages aren’t available yet) on the site, where a web trigger URL is displayed, which they copy to the clipboard.
  3. Back in the saas product, they paste the web trigger URL in, and from that point onwards, the SaaS product can use that to initiate actions in Jira

Using providers is another way to attempt this, but would only work for actions initiated from the Jira, not from your SaaS app’s side.

Using 3LO would require every individual user to consent.

Good luck and happy to chat further or pull in other teams to help you if you have follow-up questions!

1 Like

Hey @SreejaGupta thank you very much for your reply!

I started experimenting with the Forge platform. Could you please elaborate a bit more about the web trigger URL option and the flow in general?

If I understand correctly, our SaaS product will have to save this URL (such that it is associated to the admin), and every time we want to invoke an action in Jira, use that very same URL?

Thanks again for your help!

1 Like

Also, I’m not sure I understand where I can find this web trigger URL…could you point me to it?

Your help is highly appreciated!

1 Like

@NatashaCherniavsky apologies for the delay, let me see if I can collect this information today for you. I’ll try loop in a developer from the Forge team to give you some detailed help.

1 Like

Thanks! looking forward to any extra information, and specifically, where can the admin find this webtrigger url.

1 Like

Thanks for your patience @NatashaCherniavsky hopefully get back to you soon with a good point of contact since this is not really my in my domain of expertise (beyond what I was able to share above)

1 Like

Hey @NatashaCherniavsky I had some internal discussions on possible solutions for your use case. It seems to the team after reviewing all possible app types and tradeoffs involved that the best option for you is to build a Connect app, since it is the only platform that fully supports the delegated auth model that you are discussing here. Relevant docs are in here: User impersonation for Connect apps

Hope this helps and good luck!