Issue Summary

When users are provisioned through a SCIM group and when they are assigned to JSM as customers then approved domain mechanism is not executed for any other product unless the user explicitly logs into the product that they are supposed to gain access to through approved domains.

What's expected is that irregardless of how provisioning grants access to products. If a user does not have access to a product when they try to access any part of the said product, we will authorise the user into the product if approved domains is enabled.

Steps to Reproduce

1. Setup approved domain in User Access Settings in admin hub
2. Set User access for Confluence and Customer access for JSM
3. Provision a user through an IdP group using SCIM. Dont configure any product access for the group.
4. In Product access for the site configure only JSM Customer access for the provisioned group.
5. Login to JSM portal as the provisioned user.
6. Observe in Org audit logs that there is no indication that user was granted access to Confluence through approved domains.
7. As logged in user try to directly access a Confluence page link.
8. Observe that user is not able to access page link because user is not given access to Confluence.

Expected Results

At step # 7 above user should be redirected to login to Confluence and Confluence access should be granted through approved domain config for the user. User should be added to the default product access group for Confluence.

Actual Results

User is not redirected or any approved domain access is triggered. User is shown the message access denied from Confluence.

Workaround

User can login to Confluence on /wiki and then approved domains access will be triggered. If admin approval is required then user will be asked to request access. If not user will be granted access automatically through approved domains.