When using and configuring Issuetrak, administrators can choose how their users can authenticate based on multiple criteria and the needs of their organization. To facilitate this, Issuetrak supports multiple authentication methods.
There are two distinct types of authentication:
- Issuetrak authentication, which relies entirely on Issuetrak's database to store user credentials
- Third-party identity management, an integration that lets users sign in to Issuetrak through a broad range of third-party identity providers.
Issuetrak has a native method to store and maintain passwords for a user profile. If an account is set to Issuetrak authentication, this method will be used.
- Self-Help Password Reset can be enabled (if desired) to allow users to reset their own passwords if there are any problems.
- Usable by companies that do not have, or do not wish to use, an active AD infrastructure, or that have users outside the company domain who log in to the Issuetrak site.
- Multi-Factor Authentication is available for Issuetrak authenticated accounts.
Third Party Identity Management Authentication
There are several authentication methods available to allow users to log in via LDAP, Active Directory Federation Services, Azure AD, or OAuth 2.0 / OIDC. Passwords for these accounts are not stored within Issuetrak, and these methods require additional configuration before users can log in.
Some notes about these methods:
- Only users in groups or OUs that are mapped in the Identity Management section of Issuetrak can log in or be updated on login.
- They provide additional security for your Issuetrak site, as the accounts are maintained in the Active Directory environment.
- AD Federation Services and Azure AD allow for two-factor authentication if it is enabled and configured in the Active Directory environment.
- AD Federation Services and Azure AD allow for the use of CAC Cards/Smart Cards if they are configured for the AD environment. Active Directory (LDAP) can also use CAC Cards/Smart Cards if the site is configured as an on-premises installation and SSO is enabled for the site.
- Only the Active Directory (LDAP) connection allows for bulk import of users. AD Federation Services and Azure AD will create and update accounts as users log in.
You can review the table below for a comparison between the different AD authentication method features.
Comparison of Third-Party Authentication Methods
Here is a comparison between the four third-party authentication methods with respect to Issuetrak.
| Capability | Active Directory | AD Federation Services | Azure AD Integration | OAuth 2.0 / OIDC |
|---|---|---|---|---|
| Can bulk import users | Yes, via LDAP | Yes, via LDAP | No | No |
| Supports Multifactor Authentication (MFA) | No | Yes | Yes | Yes |
| Needs service account | Yes | No | No | No |
| Single Sign-On | Yes, for on-premises only | Yes | Yes | Yes |
| Can map directory user attributes to Issuetrak user account UDFs | Yes, but limited to only certain attributes | Yes, can map any claim to any user text UDF | Yes, can map any claim to any user text UDF | Yes, can map any claim to any user text UDF |
| Secures Domain-Disabled User Accounts | Yes, inactivates user account | Yes, prevents sign-in | Yes, prevents sign-in | Yes, prevents sign-in |
| User Mappings Based On... | OU or Group | Claim | Claim | Claim |
Notes on Authentication Changes
| Issuetrak Auth → AD | Yes | Follow these steps |
| AD → Azure | Yes | Follow these steps |
| AD → AD FS | Yes | Follow these steps |
| AD FS → Azure AD | Possible | Via AD FS → AD → Azure* |
| Azure AD → AD FS | No | Not recommended |
- If you are changing from Issuetrak Authentication to AD (LDAP), the accounts will automatically be changed to LDAP login if the UserID and email address for the Issuetrak account match the account in AD being imported. Imports can be performed on login, manually, or through Scheduled Imports.
- If you are changing from Issuetrak Authentication type to AD FS or Azure Authentication, there will be account duplication requiring manual merges. It is recommended to always perform migrations from AD LDAP to your new authentication method if at all possible.
- If your procedures have you move a user account to a different Group/OU when the account is disabled, map the disabled account Group/OU so the changes are updated in Issuetrak.
- Self-Help Password Reset cannot be enabled for Active Directory authenticated accounts. Password resets will follow your Active Directory procedures to reset the user account.
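A pre-migration check for the note on changing from Issuetrak Authentication to AD (LDAP), as an added example that is not Issuetrak's own code: it compares a user export from Issuetrak against the AD accounts to be imported and lists which accounts agree on both UserID and email address. The CSV layout, column names and sample rows are constructed, and flagging case-only differences for manual review is an assumption, since the note does not say whether the match is case-sensitive.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not Issuetrak's or AD's formats.
ISSUETRAK_CSV = """UserID,Email
jsmith,jsmith@example.com
MLee,mlee@example.com
akhan,a.khan@example.com
vendor1,vendor1@partner.example
"""
AD_CSV = """UserID,Email
jsmith,jsmith@example.com
mlee,mlee@example.com
akhan,akhan@example.com
bnew,bnew@example.com
"""

def load(text):
    """Return {UserID: Email} from CSV text, trimming stray whitespace."""
    return {r["UserID"].strip(): r["Email"].strip() for r in csv.DictReader(io.StringIO(text))}

def classify(issuetrak, ad):
    """Sort each Issuetrak account by how it lines up with the AD import."""
    ad_by_lower = {uid.lower(): (uid, mail) for uid, mail in ad.items()}
    report = {"match": [], "case_only": [], "email_mismatch": [], "not_in_ad": []}
    for uid, mail in sorted(issuetrak.items()):
        hit = ad_by_lower.get(uid.lower())
        if hit is None:
            report["not_in_ad"].append(uid)         # no AD counterpart at all
        elif hit == (uid, mail):
            report["match"].append(uid)             # UserID and email both identical
        elif hit[1].lower() != mail.lower():
            report["email_mismatch"].append(uid)    # UserID lines up, email does not
        else:
            report["case_only"].append(uid)         # differs only by letter case: review
    return report

def new_from_ad(issuetrak, ad):
    """AD accounts that have no Issuetrak counterpart by UserID."""
    known = {uid.lower() for uid in issuetrak}
    return sorted(uid for uid in ad if uid.lower() not in known)

if __name__ == "__main__":
    it, ad = load(ISSUETRAK_CSV), load(AD_CSV)
    for bucket, users in classify(it, ad).items():
        print(f"{bucket:15} {', '.join(users) or '-'}")
    print(f"{'new_from_ad':15} {', '.join(new_from_ad(it, ad)) or '-'}")
```

Accounts outside the `match` bucket are the ones to reconcile before the import, so that the change of authentication type does not leave unexpected or duplicate profiles behind.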