About Identity Management

When using Issuetrak, system administrators can choose how to authenticate their users based on the criteria and needs of their organization. To facilitate this, Issuetrak offers four different methods to authenticate users and allow for user login, grouped into two types of login.


 

Issuetrak Authentication

Issuetrak has a native method to store and maintain passwords for a user profile. This method is used for any account that is set to Issuetrak authentication.

  • Self-Help Password Reset can be enabled (if desired) to allow users to reset their own passwords if there are any problems.
  • Suitable for companies that do not have, or do not wish to use, an active AD infrastructure, or that have users outside the company domain who log into the Issuetrak site.
  • Two-factor Authentication is not available for Issuetrak authenticated accounts.

 

Active Directory Authentication

There are several Active Directory authentication methods available to allow users to log in via LDAP, Active Directory Federation Services, or Azure AD. Passwords for these accounts are not stored within Issuetrak, and these methods require additional configuration before users can log in.

Some notes about these methods:

  • Only mapped groups or OUs in the Identity Management section of Issuetrak will have users that can log in or be updated on login.
  • These methods provide additional security for your Issuetrak site because the accounts are maintained in the Active Directory environment.
  • AD Federation Services and Azure AD allow for two-factor authentication if it is enabled and configured in the Active Directory environment.
  • Only the Active Directory LDAP connection allows for bulk import of users. AD Federation Services and Azure AD will create and update accounts as users log in.

You can review the table below for a comparison between the different AD authentication method features.


 

Comparison: AD vs AD Federation Services vs Azure AD

Here is a comparison between the three AD authentication methods with respect to Issuetrak.

| Capability | Active Directory | AD Federation Services | Azure AD Integration |
|---|---|---|---|
| Uses LDAP | Yes | No | No |
| Uses OAUTH | No | Yes | Yes |
| Can bulk import users | Yes, via LDAP | No | No |
| Supports Multifactor Authentication (MFA) | No | Yes | Yes |
| Needs service account | Yes | No | No |
| Single Sign-On | Yes, for On-Premises only | Yes | Yes |
| Can map AD user attributes to Issuetrak user account UDFs | Yes, but limited to only certain attributes | Yes, can map any claim to any user text UDF | Yes, can map any claim to any user text UDF |
| Secures Domain-Disabled User Accounts | Yes, inactivates user account | Yes, prevents sign-in | Yes, prevents sign-in |
| User Mappings Based On... | AD OU or Group | AD FS Claim | AD FS Claim |


 

Notes on Authentication Changes

Warning: If you are changing authentication types for your users, you MUST perform a migration, or account duplication will occur. If account duplication occurs, either an administrator must merge the accounts manually, or you can speak to our Data Services Team to help with an account merge.

| Migration Path | Availability | Steps |
|---|---|---|
| Issuetrak Auth → AD | Yes | Follow these steps |
| AD → Azure | Yes | Follow these steps |
| AD → AD FS | Yes | Follow these steps |
| AD FS → Azure AD | Possible | Via AD FS → AD → Azure* |
| Azure AD → AD FS | No | Not recommended |

* If you are migrating from AD Federation Services to Azure AD, it is recommended to roll back to AD from AD Federation Services prior to migrating to Azure AD, to make sure all account information is synchronized and ready to move to Azure AD. Failure to do this will result in account duplication.

  • If you are changing from the Issuetrak Authentication type to AD FS or Azure Authentication, there will be account duplication requiring manual merges. It is recommended to always perform migrations from AD LDAP to your new authentication method if at all possible.
  • If your procedures have you move a user account to a different Group/OU when the account is disabled, map the disabled account Group/OU so the changes are updated in Issuetrak.
  • Self-Help Password Reset cannot be enabled for Active Directory authenticated accounts. Password resets will follow your Active Directory procedures to reset the user account.
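
The note above about mapping the Group/OU that disabled accounts are moved to can be checked with a short audit. This is an added example, not Issuetrak's own code. It lists disabled AD accounts that sit outside every mapped OU or group, which are the accounts whose disabled state would not be updated in Issuetrak. All DNs, account names and the `Test-CoveredByMapping` helper are constructed for illustration, and the group check assumes direct membership only.

```powershell
# Mapped OUs and groups as configured in Issuetrak Identity Management.
# These DNs are constructed placeholders; replace them with your own mappings.
$MappedOUs    = @('OU=Staff,DC=example,DC=com', 'OU=Disabled Users,DC=example,DC=com')
$MappedGroups = @('CN=Issuetrak Users,OU=Groups,DC=example,DC=com')

# Constructed sample of disabled accounts so the script runs without a domain.
# Against a real directory, replace this with:
#   $Disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties MemberOf
$Disabled = @(
    [pscustomobject]@{ SamAccountName = 'asmith'
        DistinguishedName = 'CN=A Smith,OU=Disabled Users,DC=example,DC=com'; MemberOf = @() },
    [pscustomobject]@{ SamAccountName = 'bjones'
        DistinguishedName = 'CN=B Jones,OU=Leavers,DC=example,DC=com'; MemberOf = @() },
    [pscustomobject]@{ SamAccountName = 'clee'
        DistinguishedName = 'CN=C Lee,OU=Leavers,DC=example,DC=com'
        MemberOf = @('CN=Issuetrak Users,OU=Groups,DC=example,DC=com') }
)

function Test-CoveredByMapping {
    param($User, [string[]]$OUs, [string[]]$Groups)
    # An account is under an OU when its DN ends with ",<OU DN>" (covers nested OUs).
    foreach ($ou in $OUs) {
        if ($User.DistinguishedName.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    # MemberOf lists direct memberships only; nested and primary groups are not checked.
    foreach ($g in $User.MemberOf) {
        if ($Groups -contains $g) { return $true }
    }
    return $false
}

# Disabled accounts that no mapping covers: candidates for a new OU/group mapping.
$Unmapped = $Disabled | Where-Object { -not (Test-CoveredByMapping $_ $MappedOUs $MappedGroups) }
$Unmapped | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Any account the script reports lives in an OU or group that should be added to the Identity Management mappings, or the account should be moved to a location that is already mapped.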