Migrating to AD Federation Services

This article provides steps for migrating a site with AD/LDAP-authenticated users to AD Federation Services. If you don't have AD configured but would like to configure AD FS, please see this article.

At a high level, the following things happen as a result of a migration:

  1. The old domain value is validated against the new domain value to ensure that they match.
  2. AD/LDAP is deactivated.
  3. ADFS/Azure is set as the Authentication Type for all previously AD/LDAP-authenticated users.
  4. The following fields are populated for each user account:
    1. Authentication Type: ADFS/Azure
    2. Active Directory User SID
    3. Domain
  5. The mappings from Active Directory are transferred to AD Federation Services.
    1. Any "Map Additional Attributes" entries are also mapped to the "User Property Mapping".

 

Part 1: Perform an Active Directory User Import

This step ensures that AD-authenticated users in Issuetrak have the appropriate properties set for SID, Domain, and Authentication Type. Failure to perform this step could result in duplicate user creation when users sign into Issuetrak.

Steps:

  1. Click the gear icon in the upper right > Click on Active Directory beneath Identity Management > Click on Import Users from the right-hand menu.
  2. From the dropdown list, select the Domain for which this particular import should be performed.
  3. Click the radio button to select either AD Group or AD OU. Click the button related to your selection. Only AD Groups or OUs with verified Organization and Permissions mappings and valid users will appear.
  4. Select the appropriate value in the window that appears.
  5. Click the Preview Import button.
  6. Verify that the import is being returned properly in the Preview Import window that appears.
  7. Close the Preview Import window.
  8. Click the Process Import button to process this import.
  9. Repeat the import process for as many OUs/Groups as necessary to account for your AD environment and ensure all of your users will be able to authenticate.
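
After the last import, one way to confirm that every AD-authenticated account has the SID and Domain set as Part 1 requires, and that its Domain will pass the domain match described at the top of this article, is to audit a user list offline. The script below is an added example, not Issuetrak code: the CSV layout, column names, auth-type labels, and sample rows are constructed for illustration, and the checks are the auditor's own, not Issuetrak's matching logic.

```python
import csv
import io
import re

# Constructed sample of a user list. The column names and values are
# hypothetical; they are not an Issuetrak export format.
SAMPLE_EXPORT = """UserID,AuthType,SID,Domain
asmith,AD/LDAP,S-1-5-21-1004336348-1177238915-682003330-1105,corp.example.com
bjones,AD/LDAP,,corp.example.com
cdoe,AD/LDAP,S-1-5-21-1004336348-1177238915-682003330-1107,CORP.EXAMPLE.COM.
dlee,AD/LDAP,S-1-5-21-1004336348-1177238915-682003330-1105,corp.example.com
evan,AD/LDAP,S-1-5-21-1004336348-1177238915-682003330-1109,old.example.com
local1,Local,,
"""

# Domain account SIDs have the form S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21(-\d{1,10}){3}-\d{1,10}$")


def norm_domain(name):
    """Compare DNS domain names case-insensitively, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower()


def audit_export(csv_text, adfs_domain, ad_auth_type="AD/LDAP"):
    """Return {user_id: [problems]} for AD-authenticated rows that are not ready."""
    findings = {}
    seen_sids = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["AuthType"].strip() != ad_auth_type:
            continue  # locally authenticated accounts are out of scope
        user, sid = row["UserID"].strip(), row["SID"].strip().upper()
        problems = []
        if not sid:
            problems.append("missing SID")
        elif not SID_RE.match(sid):
            problems.append("malformed SID")
        elif sid in seen_sids:
            problems.append("SID already used by " + seen_sids[sid])
        else:
            seen_sids[sid] = user
        if norm_domain(row["Domain"]) != norm_domain(adfs_domain):
            problems.append("domain does not match AD FS domain")
        if problems:
            findings[user] = problems
    return findings
```

Calling `audit_export(SAMPLE_EXPORT, "corp.example.com")` on the constructed sample reports `bjones`, `dlee`, and `evan`; an empty result means no listed account is missing a SID, shares one, or sits in a different domain.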

 

Part 2: Preparing the AD FS Server

Please see this article for steps to configure your AD FS server to work with Issuetrak.


 

Part 3: Complete the Migration

With the information gathered from preparing AD FS, we can migrate to AD Federation Services in Issuetrak.

Steps:

  1. Navigate to your Issuetrak site and log in with a Sys Admin account.
  2. Click the gear icon in the upper right > Click on AD Federation Services beneath Identity Management.
  3. Choose Migrate to AD FS from the Right Context Menu.
  4. Check the box next to "Perform an Active Directory user import".
  5. Check the box next to "Setup AD Federation Services Server (Guide)".
  6. Populate the following data:
    1. Provider Name: A friendly name for the AD FS server.
    2. Domain: The Domain of the AD FS server. Ensure this matches the domain currently in your Issuetrak instance's AD settings.
    3. Provider URL: The URL to the AD FS server.
    4. Client ID: The Client Identifier from setting up AD FS.
    5. Client Secret: The shared secret from setting up AD FS.
    6. Button Label: The name of the button to display on the Issuetrak Login page.
  7. Double-check the values you've entered and confirm that you are ready to migrate to AD FS. Click Migrate Server Settings to save the settings. This will move all AD settings and user mappings to AD FS.
  8. Click Perform Migration to finalize the process.
  9. You will be redirected to the Edit AD Federation Services Provider page.
    1. Optional: Click the Test Connection button to verify all the settings. This button launches a new browser tab to your AD FS provider's authentication page. It is necessary to sign in with an Active Directory account to view the Test Connection results.
  10. Optional: Customize the appearance of this identity provider's button on the login screen by using the fields on the right-hand side.