About Identity Management

When using and configuring Issuetrak, administrators can choose how their users can authenticate based on multiple criteria and the needs of their organization. To facilitate this, Issuetrak supports multiple authentication methods.

There are two distinct types of authentication:

  • Issuetrak authentication, which relies entirely on Issuetrak's database to store user credentials.
  • Third-party identity management, an integration that lets users sign into Issuetrak through a broad range of third-party identity providers.

Issuetrak Authentication

Issuetrak has a native method to store and maintain passwords for a user profile. If an account is set to Issuetrak authentication, this method is used.

  • Self-Help Password Reset can be enabled (if desired) to allow users to reset their own passwords if there are any problems.
  • Suitable for companies that do not have, or do not wish to use, an active AD infrastructure, or that have users outside the company domain logging into the Issuetrak site.
  • Multi-Factor Authentication is available for Issuetrak authenticated accounts.

Third Party Identity Management Authentication

There are several authentication methods available to allow users to log in via LDAP, Active Directory Federation Services, Azure AD, or OAuth 2.0 / OIDC. Passwords for these accounts are not stored within Issuetrak, and these methods require additional configuration before users can log in.

Some notes about these methods:

  • Only users in groups or OUs that are mapped in the Identity Management section of Issuetrak can log in or be updated on login.
  • These methods provide additional security for your Issuetrak site, as the accounts are maintained in the Active Directory environment.
  • AD Federation Services and Azure AD allow for two-factor authentication if it is enabled and configured in the Active Directory environment.
  • AD Federation Services and Azure AD allow for the use of CAC Cards/Smart Cards if they are configured for the AD environment. Active Directory (LDAP) can also use CAC Cards/Smart Cards if the site is configured as an on-premises installation and SSO is enabled for the site.
  • Only the Active Directory (LDAP) connection allows for bulk import of users. AD Federation Services and Azure AD will create and update accounts as users log in.

You can review the table below for a comparison between the different AD authentication method features.

Comparison of Third-Party Authentication Methods

Here is a comparison between the four third-party authentication methods with respect to Issuetrak.

| Capability | Active Directory | AD Federation Services | Azure AD Integration | OAuth 2.0 / OIDC |
|---|---|---|---|---|
| Uses LDAP | Yes | No | No | No |
| Uses OAUTH | No | Yes | Yes | Yes |
| Can bulk import users | Yes, via LDAP | Yes, via LDAP | No | No |
| Supports Multifactor Authentication (MFA) | No | Yes | Yes | Yes |
| Needs service account | Yes | No | No | No |
| Single Sign-On | Yes, for on-premises only | Yes | Yes | Yes |
| Can map directory user attributes to Issuetrak user account UDFs | Yes, but limited to only certain attributes | Yes, can map any claim to any user text UDF | Yes, can map any claim to any user text UDF | Yes, can map any claim to any user text UDF |
| Secures Domain-Disabled User Accounts | Yes, inactivates user account | Yes, prevents sign-in | Yes, prevents sign-in | Yes, prevents sign-in |
| User Mappings Based On... | OU or Group | Claim | Claim | Claim |

Notes on Authentication Changes

Warning: If you are changing authentication types for your users, you MUST perform a migration, or account duplication will occur. If account duplication occurs, either the accounts must be merged manually by an administrator, or you can speak to our Data Services Team to help with an account merge.

| Migration Path | Availability | Steps |
|---|---|---|
| Issuetrak Auth → AD | Yes | Follow these steps |
| AD → Azure | Yes | Follow these steps |
| AD → AD FS | Yes | Follow these steps |
| AD FS → Azure AD | Possible | Via AD FS → AD → Azure* |
| Azure AD → AD FS | No | Not recommended |

* If you are migrating from AD Federation Services to Azure AD, it is recommended to roll back from AD Federation Services to AD before migrating to Azure AD, to make sure all account information is synchronized and ready to move to Azure AD. Failure to do this will result in account duplication.

  • If you are changing from Issuetrak Authentication to AD (LDAP), the accounts will automatically be changed to LDAP login if the UserID and email address for the Issuetrak account match the account in AD being imported. Imports can be performed on login, manually, or through Scheduled Imports.
  • If you are changing from Issuetrak Authentication type to AD FS or Azure Authentication, there will be account duplication requiring manual merges. It is recommended to always perform migrations from AD LDAP to your new authentication method if at all possible.
  • If your procedures have you move a user account to a different Group/OU when the account is disabled, map the disabled account Group/OU so the changes are updated in Issuetrak.
  • Self-Help Password Reset cannot be enabled for Active Directory authenticated accounts. Password resets will follow your Active Directory procedures to reset the user account.
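
A pre-migration check for the Issuetrak-to-AD (LDAP) case described above, as an added example that is not Issuetrak's own code: it compares two constructed user exports and reports which accounts match on both UserID and email and sit under a mapped OU. The CSV column layout, the case-insensitive comparison, and checking OUs only (not groups) are assumptions.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not an Issuetrak format.
ISSUETRAK_CSV = """user_id,email
jdoe,jdoe@example.com
asmith,asmith@example.com
bwong,bwong@example.com
contractor1,c1@partner.example
"""

AD_CSV = """sAMAccountName,mail,distinguishedName
jdoe,JDoe@example.com,"CN=Jane Doe,OU=Support,DC=example,DC=com"
asmith,alice.smith@example.com,"CN=Alice Smith,OU=Support,DC=example,DC=com"
bwong,bwong@example.com,"CN=Bo Wong,OU=Lab,DC=example,DC=com"
"""

# Constructed list standing in for the OUs mapped in Identity Management.
MAPPED_OUS = ["OU=Support,DC=example,DC=com"]


def norm(value):
    # Assumption: values are compared ignoring case and surrounding whitespace.
    return value.strip().casefold()


def in_mapped_ou(dn, mapped_ous):
    # A user sits under an OU when its DN ends with ",<OU DN>".
    return any(norm(dn).endswith("," + norm(ou)) for ou in mapped_ous)


def audit(issuetrak_csv, ad_csv, mapped_ous):
    """Return {user_id: status} for every Issuetrak account in the export."""
    ad = {norm(r["sAMAccountName"]): r for r in csv.DictReader(io.StringIO(ad_csv))}
    report = {}
    for row in csv.DictReader(io.StringIO(issuetrak_csv)):
        entry = ad.get(norm(row["user_id"]))
        if entry is None:
            status = "not_in_ad"        # no AD account with this UserID
        elif not in_mapped_ou(entry["distinguishedName"], mapped_ous):
            status = "unmapped_ou"      # AD account is outside every mapped OU
        elif norm(entry["mail"]) != norm(row["email"]):
            status = "email_mismatch"   # UserID matches, email does not
        else:
            status = "converts"         # UserID and email both match
        report[row["user_id"]] = status
    return report
```

Any account not reported as `converts` is worth resolving before the import runs, since those are the ones that can end up needing a manual merge.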