5.4 External Identity Mapping
Thinfinity® Workspace supports multiple external authentication standards, enabling organizations to integrate with modern identity providers and centralized login systems. This flexibility allows users to authenticate using protocols like OAuth 2.0, SAML, RADIUS, and Passkeys (WebAuthn), while administrators retain control over access policies by mapping those external identities to internal Users or Groups.
This chapter introduces the key authentication schemes supported by Thinfinity Workspace and explains the concept of mapping external identities to the roles and directory structures managed through your chosen Identity Provider.
OAuth 2.0
OAuth 2.0 is an open standard for delegated authorization. Used together with an identity layer (OpenID Connect, or the provider's profile endpoint), it lets users sign in through third-party services such as Google, Microsoft or Okta without ever giving their credentials to Thinfinity Workspace.
Use case: Ideal for organizations that rely on cloud-based identity providers or enterprise SSO platforms.
How it works: The user's browser is redirected to the external provider to log in. The provider sends an authorization code back to Thinfinity Workspace's redirect URL; Workspace exchanges that code, together with its client ID and client secret, for an access token, then presents the token to the provider's profile endpoint and reads the login username from the JSON it returns.
OAuth Required Parameters
Virtual Path
It's recommended to keep the default path unless customizing an External IdP method.
Client ID
Identifies Thinfinity Workspace in the OAuth Server.
Client Secret
Authenticates the identity of the OAuth client when requesting access tokens from an OAuth provider.
Authorization URL
The OAuth 2.0 authorization endpoint to which users are redirected to sign in. It works in conjunction with the values entered in the Other Keys field, and is pre-filled with the endpoint of the selected identity provider.
Authorization parameters
Query parameters appended to the Authorization URL. Keep the defaults unless you are customizing your own External IdP method.
Custom redirect URL
The URL the provider redirects users back to after a successful login, where Thinfinity Workspace receives the authorization code. It must match the redirect URI registered for the client at the provider exactly: a compliant provider refuses the request, or the later code exchange, on any mismatch, and that exact match is what keeps a stolen code from being delivered to an attacker-controlled URL.
Token Validation extra parameters
The token endpoint where the authorization code is exchanged for an access token that grants access to user information. The Client ID and Client Secret entered in the General tab are sent to this server to authenticate Thinfinity Workspace; any extra parameters the provider requires for this exchange are set here.
Sign-Out URL
Enter a specific endpoint to allow users to log out or sign out of their session.
Get from URL
Profile information server URL
The access token obtained from the Token Validation Server is sent to this server to retrieve the user's profile. The response is a JSON object; the login name is read from it using the key specified in Login username value in returned JSON.
Add default parameters
This option is selected by default, and it indicates that the default parameters are added to the profile information.
Add custom parameters
To specify custom parameters, select this option and add the desired custom parameters in the associated field.
Send Basic Authentication header
By default, the complete Authorization header is transmitted. Select this option to send only the Basic Authentication header, that is, the client ID and secret as HTTP Basic credentials.
Login username value in returned JSON
Specify the key in the JSON object returned by the Profile Information Server that represents the user's login username. This value will be used for mapping in the Mappings tab.
Get from Token
Token section
Numeric index of the token section (segment) from which the profile data is decoded.
Login username value in returned JSON
Key in the JSON decoded from that token section that contains the user's login name. Used for mapping in the Mappings tab.
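The flow the parameters above configure, as an added example rather than Thinfinity's own code: a Go client that exchanges the authorization code at the token endpoint (client credentials in the form body or, mirroring Send Basic Authentication header, in an HTTP Basic header), calls the profile server with the resulting token and reads the Login username value key from the JSON. The provider is a constructed test double wired in-process, and every URL, client ID, secret, code, token and profile field is an assumption. It goes slightly beyond the page by showing why the provider compares redirect_uri exactly and rejects a forged bearer token.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed registration values for the test provider (assumptions, not Thinfinity's).
const clientID, clientSecret = "thinfinity-workspace", "s3cr3t-from-general-tab"
const registeredRedirect = "https://workspace.example.com/oauth/callback"
const issuedCode, issuedToken = "code-123", "at-456"

// fakeProvider is a test double for the Token Validation Server (/token) and the
// Profile Information Server (/userinfo) of a real identity provider.
func fakeProvider(w http.ResponseWriter, r *http.Request) {
	_ = r.ParseForm()
	switch r.URL.Path {
	case "/token":
		id, secret, ok := r.BasicAuth() // client credentials in the Basic header ...
		if !ok { id, secret = r.PostForm.Get("client_id"), r.PostForm.Get("client_secret") } // ... or in the body
		// redirect_uri must equal the registered value byte for byte: a prefix or wildcard
		// match would let an open redirect on the client's host capture the code.
		if id != clientID || secret != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		} else if r.PostForm.Get("grant_type") != "authorization_code" || r.PostForm.Get("code") != issuedCode ||
			r.PostForm.Get("redirect_uri") != registeredRedirect {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
		} else {
			fmt.Fprintf(w, `{"access_token":%q,"token_type":"Bearer"}`, issuedToken)
		}
	case "/userinfo":
		if r.Header.Get("Authorization") != "Bearer "+issuedToken {
			http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
		} else {
			fmt.Fprint(w, `{"preferred_username":"alice@example.com","groups":["sg-finance","sg-vpn"]}`)
		}
	default:
		http.NotFound(w, r)
	}
}

// inProc hands client requests straight to fakeProvider, so no sockets are opened.
type inProc struct{}

func (inProc) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	fakeProvider(rec, r)
	return rec.Result(), nil
}
func NewProviderClient() *http.Client { return &http.Client{Transport: inProc{}} }

// call performs one request and decodes the JSON object in the reply.
func call(c *http.Client, req *http.Request) (map[string]any, error) {
	resp, err := c.Do(req)
	if err != nil { return nil, err }
	defer resp.Body.Close()
	var body map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s answered HTTP %d: %v", req.URL.Path, resp.StatusCode, body["error"])
	}
	return body, nil
}

// ExchangeCode swaps the authorization code for an access token. basicHeader mirrors
// "Send Basic Authentication header": the client ID and secret go in an Authorization: Basic
// header instead of the form body.
func ExchangeCode(c *http.Client, tokenURL, code, redirectURI string, basicHeader bool) (string, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	if !basicHeader { form.Set("client_id", clientID); form.Set("client_secret", clientSecret) }
	req, _ := http.NewRequest("POST", tokenURL, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if basicHeader { req.SetBasicAuth(clientID, clientSecret) }
	body, err := call(c, req)
	if err != nil { return "", err }
	if token, _ := body["access_token"].(string); token != "" { return token, nil }
	return "", fmt.Errorf("token endpoint returned no access_token")
}

// FetchProfile sends the token to the Profile Information Server; LoginName then reads
// the "Login username value in returned JSON" key from the object it returned.
func FetchProfile(c *http.Client, profileURL, token string) (map[string]any, error) {
	req, _ := http.NewRequest("GET", profileURL, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	return call(c, req)
}

func LoginName(profile map[string]any, key string) (string, error) {
	if v, ok := profile[key].(string); ok && v != "" { return v, nil }
	return "", fmt.Errorf("profile has no string field %q", key)
}

func main() {
	c := NewProviderClient()
	token, err := ExchangeCode(c, "https://idp.example.com/token", issuedCode, registeredRedirect, true)
	if err != nil { panic(err) }
	profile, _ := FetchProfile(c, "https://idp.example.com/userinfo", token)
	name, err := LoginName(profile, "preferred_username")
	fmt.Println("login username for the Mappings tab:", name, err)
}
```

The value LoginName returns is what the Mappings tab matches; if the configured key is absent from the profile the login must fail rather than fall back to another field, which is why LoginName returns an error instead of an empty string.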
SAML
SAML (Security Assertion Markup Language) is an XML-based protocol widely used for SSO in enterprise environments.
Use case: Common in organizations using centralized directory services with SSO infrastructure, such as ADFS (Active Directory Federation Services).
How it works: Thinfinity acts as a SAML Service Provider (SP). After the user signs in at the SAML Identity Provider (IdP), the IdP returns a signed assertion; Thinfinity validates it and takes the user's identity and attributes from it.
SAML Required Parameters
General
Name
Default name of the authentication method. You can edit this as needed.
Virtual Path
Auto-filled virtual path to the authentication service, based on the Authentication Method name.
Service Identifier
URI of the Thinfinity Workspace server (where the service is installed), used as the service provider's entity ID. Configure the IdP with exactly this value, since it is what the IdP places in the assertion's audience.
Service Certificate File
Path to the Thinfinity Workspace SSL/TLS certificate file (self-signed or trusted).
Service Certificate Password
Password to access the service certificate file.
Identification Entity ID
Entity ID of the identity provider: the application ID assigned by the IdP (e.g., Okta). It must match the Issuer value in the assertions the IdP sends.
Sign Authentication Request
Enables signing of the authentication requests sent to the IdP (optional; turn it on when the IdP is configured to require signed requests).
Single Sign-On Service URL
URL provided by the identity provider for SSO requests.
Sign-Out URL
URL used to log out from the identity provider (optional).
Partner Certificate File
Path to the X.509 certificate provided by the identity provider. Assertion signatures are verified against this certificate, so obtain it from the IdP's metadata or administrator over a trusted channel, and replace it before the IdP rotates its signing key.
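The checks a service provider applies to the assertion it receives, as an added example and not Thinfinity's code: a Go function that parses a SAML 2.0 Response and verifies the Issuer against the Identification Entity ID, the Audience against the Service Identifier and the NotBefore/NotOnOrAfter window, then extracts the NameID and attributes for mapping. The sample response, entity IDs and attribute names are constructed. It deliberately does not implement XML signature verification against the Partner Certificate, which has to succeed before any of these checks are worth running; the audience check and clock-skew allowance are the example's own additions to what the page spells out.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// samlResponse models only the parts of a SAML 2.0 Response the checks below need.
type samlResponse struct {
	XMLName   xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Assertion struct {
		Issuer     string `xml:"Issuer"`
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotBefore    string   `xml:"NotBefore,attr"`
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audiences    []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
		Attributes []struct {
			Name   string   `xml:"Name,attr"`
			Values []string `xml:"AttributeValue"`
		} `xml:"AttributeStatement>Attribute"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// SPConfig carries the two identifiers from the SAML configuration that the assertion is
// checked against: the Service Identifier (our entity ID, which the IdP echoes as the
// Audience) and the Identification Entity ID (the IdP's Issuer value).
type SPConfig struct {
	ServiceIdentifier, IdPEntityID string
	ClockSkew                      time.Duration
}

type Identity struct {
	NameID     string
	Attributes map[string][]string
}

// ValidateAssertion applies the issuer, audience and validity-window checks and extracts
// the subject and attributes. It assumes the XML signature was ALREADY verified against
// the Partner Certificate; nothing here detects a forged or modified assertion.
func ValidateAssertion(cfg SPConfig, raw []byte, now time.Time) (*Identity, error) {
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil { return nil, err }
	a := resp.Assertion
	if a.Issuer != cfg.IdPEntityID {
		return nil, fmt.Errorf("issuer %q is not the configured identity provider", a.Issuer)
	}
	// Audience restriction: a genuine assertion the IdP minted for some other service
	// provider must not be accepted here, even though the same IdP signed it.
	audienceOK := false
	for _, aud := range a.Conditions.Audiences {
		audienceOK = audienceOK || aud == cfg.ServiceIdentifier
	}
	if !audienceOK {
		return nil, errors.New("audience does not include this Service Identifier")
	}
	notBefore, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil { return nil, err }
	notOnOrAfter, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil { return nil, err }
	if now.Add(cfg.ClockSkew).Before(notBefore) || !now.Add(-cfg.ClockSkew).Before(notOnOrAfter) {
		return nil, fmt.Errorf("assertion not valid at %s (window %s to %s)", now.Format(time.RFC3339), notBefore.Format(time.RFC3339), notOnOrAfter.Format(time.RFC3339))
	}
	if a.NameID == "" { return nil, errors.New("assertion carries no Subject NameID") }
	id := &Identity{NameID: a.NameID, Attributes: map[string][]string{}}
	for _, at := range a.Attributes {
		id.Attributes[at.Name] = append(id.Attributes[at.Name], at.Values...)
	}
	return id, nil
}

// sampleResponse is a constructed, unsigned assertion used only to exercise the checks.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://workspace.example.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>sg-finance</saml:AttributeValue><saml:AttributeValue>sg-vpn</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`

// ExampleSP mirrors the Service Identifier and Identification Entity ID fields (assumed values).
var ExampleSP = SPConfig{ServiceIdentifier: "https://workspace.example.com/", IdPEntityID: "https://idp.example.com/saml", ClockSkew: 30 * time.Second}

func main() {
	id, err := ValidateAssertion(ExampleSP, []byte(sampleResponse), time.Date(2024, 5, 1, 12, 1, 0, 0, time.UTC))
	if err != nil { panic(err) }
	fmt.Printf("NameID=%s groups=%v\n", id.NameID, id.Attributes["groups"])
}
```

The same assertion is rejected when presented to a service whose Service Identifier differs, when the Issuer is not the configured IdP, or outside its validity window; those are the failures that an implementation checking only the signature would miss.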
RADIUS
RADIUS is a protocol for centralizing authentication, authorization, and accounting. Thinfinity Workspace supports RADIUS-based authentication for environments requiring strong centralized credential verification.
Use case: Often used in secure, internal networks or VPN setups.
How it works: Thinfinity sends the user's credentials to the RADIUS server, which validates them and answers with an access decision (Access-Accept or Access-Reject).
RADIUS Required Parameters
Server
Server IP
IP address of the RADIUS server handling authentication requests.
Port
Port number used to communicate with the RADIUS server (UDP; 1812 is the standard authentication port).
Shared Secret
Secret shared with the RADIUS server. It hides the user's password in transit and authenticates the server's reply, but it is not transport encryption: use a long random value and restrict the network path between Workspace and the RADIUS server.
Authentication Type
Authentication protocol the RADIUS server expects for these requests (for example PAP or CHAP).
Test Configuration
Tests the current settings to verify connectivity and correct configuration.
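What the Shared Secret actually does on the wire, as an added example and not Thinfinity's code: a Go implementation of both sides of a PAP Access-Request as specified in RFC 2865. The client hides the password under the secret and a random Request Authenticator; the server recovers it, decides, and signs its Access-Accept or Access-Reject with the Response Authenticator that the client then verifies. The secret, user and password are constructed values, and packets are built in memory rather than sent over UDP. It goes slightly beyond the page by showing the forged-reply and wrong-secret cases.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	AccessRequest, AccessAccept, AccessReject = 1, 2, 3
	attrUserName, attrUserPassword            = 1, 2
)

// passwordXOR is the RFC 2865 §5.2 User-Password transform, in either direction: each 16-byte
// block is XORed with MD5(secret || previous ciphertext block), the first block with
// MD5(secret || Request Authenticator). It is an MD5 keystream with no integrity check.
func passwordXOR(secret []byte, reqAuth [16]byte, in []byte, hide bool) []byte {
	out, prev := make([]byte, len(in)), reqAuth[:]
	for i := 0; i+16 <= len(in); i += 16 {
		b := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := range b {
			out[i+j] = in[i+j] ^ b[j]
		}
		if hide { prev = out[i : i+16] } else { prev = in[i : i+16] }
	}
	return out
}

func hidePassword(secret []byte, reqAuth [16]byte, password string) []byte {
	p := []byte(password)
	if rem := len(p) % 16; rem != 0 { p = append(p, make([]byte, 16-rem)...) } // zero-pad to 16
	return passwordXOR(secret, reqAuth, p, true)
}

// revealPassword inverts hidePassword; with the wrong secret it yields garbage, not an error.
func revealPassword(secret []byte, reqAuth [16]byte, hidden []byte) string {
	return string(bytes.TrimRight(passwordXOR(secret, reqAuth, hidden, false), "\x00"))
}
func attr(t byte, v []byte) []byte { return append([]byte{t, byte(len(v) + 2)}, v...) }

// packet lays out Code | Identifier | Length | Authenticator(16) | Attributes.
func packet(code, id byte, auth [16]byte, attrs []byte) []byte {
	pkt := append(append([]byte{code, id, 0, 0}, auth[:]...), attrs...)
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	return pkt
}

// BuildAccessRequest is the client side: a fresh random Request Authenticator, the user
// name in the clear and the password hidden under the shared secret.
func BuildAccessRequest(secret []byte, id byte, user, password string) ([]byte, [16]byte) {
	var reqAuth [16]byte
	if _, err := rand.Read(reqAuth[:]); err != nil { panic(err) }
	attrs := append(attr(attrUserName, []byte(user)), attr(attrUserPassword, hidePassword(secret, reqAuth, password))...)
	return packet(AccessRequest, id, reqAuth, attrs), reqAuth
}

func parseAttributes(pkt []byte) (map[byte][]byte, error) {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return nil, errors.New("bad RADIUS length")
	}
	attrs := map[byte][]byte{}
	for p := pkt[20:]; len(p) > 0; p = p[p[1]:] {
		if len(p) < 2 || p[1] < 2 || int(p[1]) > len(p) { return nil, errors.New("bad attribute length") }
		attrs[p[0]] = p[2:p[1]]
	}
	return attrs, nil
}

// responseAuthenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret). It is the
// only thing that lets the client tell a genuine Access-Accept from a forged one.
func responseAuthenticator(code, id byte, reqAuth [16]byte, attrs, secret []byte) [16]byte {
	return md5.Sum(append(packet(code, id, reqAuth, attrs), secret...))
}

// HandleAccessRequest is the server side: recover the password, decide, sign the reply.
func HandleAccessRequest(secret, req []byte, users map[string]string) []byte {
	attrs, err := parseAttributes(req)
	if err != nil || req[0] != AccessRequest { return nil } // RFC 2865: silently discard
	var reqAuth [16]byte
	copy(reqAuth[:], req[4:20])
	code := byte(AccessReject)
	got := []byte(revealPassword(secret, reqAuth, attrs[attrUserPassword]))
	if want, ok := users[string(attrs[attrUserName])]; ok && subtle.ConstantTimeCompare([]byte(want), got) == 1 {
		code = AccessAccept
	}
	return packet(code, req[1], responseAuthenticator(code, req[1], reqAuth, nil, secret), nil)
}

// VerifyResponse is the client's check that the reply came from a server holding the same
// secret and answers this exact request (same identifier and Request Authenticator).
func VerifyResponse(secret, resp []byte, reqAuth [16]byte) (code byte, authentic bool) {
	if len(resp) < 20 || int(binary.BigEndian.Uint16(resp[2:])) != len(resp) { return 0, false }
	want := responseAuthenticator(resp[0], resp[1], reqAuth, resp[20:], secret)
	return resp[0], subtle.ConstantTimeCompare(resp[4:20], want[:]) == 1
}

func main() {
	secret := []byte("long-random-shared-secret") // assumed value
	req, reqAuth := BuildAccessRequest(secret, 7, "alice", "Winter2024!")
	code, ok := VerifyResponse(secret, HandleAccessRequest(secret, req, map[string]string{"alice": "Winter2024!"}), reqAuth)
	fmt.Printf("reply code=%d (2 = Access-Accept) authentic=%v\n", code, ok)
}
```

Because the password hiding and the Response Authenticator are both plain MD5 over the secret, anyone who captures an Access-Request can test candidate secrets offline; a short or guessable Shared Secret therefore exposes every password that crosses the link, which is why the configuration note above asks for a long random value and a restricted network path.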
Passkeys (WebAuthn)
WebAuthn, part of the FIDO2 standard, enables passwordless authentication with Passkeys, held either by a platform authenticator built into the user's device or by a roaming hardware security key.
Use case: A modern and secure alternative to passwords, often used in environments focused on zero-trust security models.
How it works: Thinfinity issues a challenge; a registered authenticator signs it, together with data binding the response to Thinfinity's domain, and Thinfinity verifies that cryptographic assertion with the public key stored for the user at registration.
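The verification step just described, as an added example and not Thinfinity's implementation: a Go relying party that checks a WebAuthn assertion (ceremony type, challenge, origin, rpIdHash, user-presence and user-verification flags, signature counter, and the ES256 signature over authenticatorData || SHA-256(clientDataJSON)). The authenticator is a constructed in-process software key standing in for a device or security key; the RP ID, origin, challenge and credential values are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the browser-built clientDataJSON for navigator.credentials.get().
type clientData struct { Type string `json:"type"`; Challenge string `json:"challenge"`; Origin string `json:"origin"` }

// Credential is what the relying party stored for this user at registration.
type Credential struct { PublicKey *ecdsa.PublicKey; SignCount uint32 }

// fakeAuthenticator is a constructed software authenticator standing in for the user's device or key.
type fakeAuthenticator struct { key *ecdsa.PrivateKey; counter uint32 }

func newFakeAuthenticator() *fakeAuthenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &fakeAuthenticator{key: k}
}

// signedMessage is the ES256 input on both sides: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

// Assert produces authenticatorData (rpIdHash | flags | signCount) and the signature.
func (a *fakeAuthenticator) Assert(rpID string, clientDataJSON []byte) (authData, sig []byte) {
	a.counter++
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x05) // flags: UP (bit 0) and UV (bit 2) set
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], a.counter)
	authData = append(authData, c[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, clientDataJSON))
	if err != nil { panic(err) }
	return authData, sig
}

// RelyingParty is what Thinfinity would know about itself: RP ID (domain), exact login origin, UV policy.
type RelyingParty struct { ID, Origin string; RequireUV bool }

// VerifyAssertion runs the WebAuthn §7.2 checks in order. On success it returns the
// credential with its signCount advanced, which the caller must persist.
func (rp RelyingParty) VerifyAssertion(cred Credential, challenge, clientDataJSON, authData, sig []byte) (Credential, error) {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil { return cred, err }
	got, _ := base64.RawURLEncoding.DecodeString(cd.Challenge)
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get":
		return cred, errors.New("wrong ceremony type")
	case !bytes.Equal(got, challenge):
		return cred, errors.New("challenge mismatch: replayed or cross-session assertion")
	case cd.Origin != rp.Origin:
		return cred, errors.New("origin mismatch: assertion was made on another site")
	case len(authData) < 37:
		return cred, errors.New("authenticatorData too short")
	case !bytes.Equal(authData[:32], rpHash[:]):
		return cred, errors.New("rpIdHash mismatch: assertion bound to another RP ID")
	case authData[32]&0x01 == 0:
		return cred, errors.New("user presence not asserted")
	case rp.RequireUV && authData[32]&0x04 == 0:
		return cred, errors.New("user verification required but not performed")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return cred, errors.New("signCount did not increase: cloned authenticator or replay")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(authData, clientDataJSON), sig) {
		return cred, errors.New("signature does not verify against the registered key")
	}
	cred.SignCount = count
	return cred, nil
}

// clientDataFor builds what a browser would put in clientDataJSON for this challenge and origin.
func clientDataFor(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	return b
}

func main() {
	auth := newFakeAuthenticator()
	rp := RelyingParty{ID: "workspace.example.com", Origin: "https://workspace.example.com", RequireUV: true}
	challenge := []byte("constructed-random-challenge-bytes") // server-issued, single use
	cdj := clientDataFor(challenge, rp.Origin)
	authData, sig := auth.Assert(rp.ID, cdj)
	cred, err := rp.VerifyAssertion(Credential{PublicKey: &auth.key.PublicKey}, challenge, cdj, authData, sig)
	fmt.Println("verified:", err == nil, "signCount:", cred.SignCount)
}
```

The origin and rpIdHash checks are what make passkeys phishing-resistant: an assertion obtained on a look-alike domain carries that domain's origin and RP ID hash and fails here even though the signature is valid, and the counter check turns a replayed assertion into a detectable event.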
Mapping External Identities to the Chosen Identity Provider
Thinfinity Workspace allows you to map external identities (authenticated through OAuth, SAML, RADIUS, or Passkeys) to roles and groups managed by the configured Directory Service. This ensures that once authenticated, users are granted the appropriate level of access based on internal access control models.
Why This Matters:
Unifies access control: Even if authentication happens externally, authorization is still governed by Thinfinity’s internal RBAC.
Enables hybrid identity strategies: Organizations can use multiple authentication providers while maintaining a consistent role structure.
Reduces duplication: There is no need to redefine users or permissions; external identities are simply mapped to the groups already defined in your directory service.
This mapping can be based on attributes such as:
Group membership claims (in OAuth or SAML).
Usernames or emails.
Custom claim values or tokens.
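One way to evaluate such mappings, as an added example rather than Thinfinity's mapping engine: a Go rule evaluator that flattens a profile JSON object (or the attribute list a SAML assertion yields) into claims and resolves them to internal groups by group-claim value, e-mail domain suffix or custom claim, denying by default when nothing matches. The claim names, rule set and sample profile are constructed, and the look-alike-domain handling is the example's own addition.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Claims are the attributes the external IdP asserted about the user, flattened to string
// lists: an OAuth profile object and a SAML AttributeStatement both fit this shape.
type Claims map[string][]string

// ClaimsFromJSON flattens a profile JSON object. Scalars and arrays of scalars are kept;
// nested objects are dropped so that only directly asserted values can drive a mapping.
func ClaimsFromJSON(raw []byte) (Claims, error) {
	var obj map[string]any
	if err := json.Unmarshal(raw, &obj); err != nil {
		return nil, err
	}
	c := Claims{}
	for k, v := range obj {
		switch x := v.(type) {
		case []any:
			for _, e := range x {
				c[k] = append(c[k], fmt.Sprint(e))
			}
		case map[string]any:
			// nested object: ignored on purpose
		default:
			c[k] = append(c[k], fmt.Sprint(x))
		}
	}
	return c, nil
}

// Rule maps one condition on an external attribute to one internal group. Set either
// Equals (exact value) or Suffix (trailing match, e.g. "@example.com" on an e-mail claim);
// both comparisons are case-insensitive.
type Rule struct {
	Claim  string // attribute to inspect: "groups", "email", a custom claim name, ...
	Equals string
	Suffix string
	Group  string // internal Thinfinity group granted when the rule matches
}

func (r Rule) matches(c Claims) bool {
	for _, v := range c[r.Claim] {
		if r.Equals != "" && strings.EqualFold(v, r.Equals) {
			return true
		}
		if r.Suffix != "" && strings.HasSuffix(strings.ToLower(v), strings.ToLower(r.Suffix)) {
			return true
		}
	}
	return false
}

// Resolve returns the sorted set of internal groups the claims map to. An identity that
// matches no rule gets an empty set: authenticated by the IdP, but authorized to nothing
// until an administrator adds a mapping (deny by default).
func Resolve(rules []Rule, c Claims) []string {
	seen := map[string]bool{}
	for _, r := range rules {
		if r.matches(c) {
			seen[r.Group] = true
		}
	}
	groups := make([]string, 0, len(seen))
	for g := range seen {
		groups = append(groups, g)
	}
	sort.Strings(groups)
	return groups
}

// ExampleRules is a constructed rule set; the claim names and group names are assumptions.
var ExampleRules = []Rule{
	{Claim: "groups", Equals: "sg-finance", Group: "Finance-Apps"},                      // group membership claim
	{Claim: "department", Equals: "finance", Group: "Finance-Apps"},                     // custom claim value
	{Claim: "email", Suffix: "@example.com", Group: "All-Staff"},                        // e-mail domain
	{Claim: "preferred_username", Equals: "bob@example.com", Group: "Workspace-Admins"}, // one named user
}

// profileAlice is a constructed Profile Information Server response.
const profileAlice = `{"preferred_username":"alice@example.com","email":"alice@example.com","groups":["sg-finance","sg-vpn"],"department":"Finance","uid":42,"address":{"city":"Lisbon"}}`

func main() {
	claims, err := ClaimsFromJSON([]byte(profileAlice))
	if err != nil {
		panic(err)
	}
	fmt.Println(Resolve(ExampleRules, claims)) // [All-Staff Finance-Apps]
}
```

Two details matter in practice: the suffix rule includes the "@", so mallory@evil-example.com and eve@sub.example.com do not satisfy "@example.com", and sg-vpn maps to nothing because no rule names it, so group membership at the IdP grants no access until an administrator maps it.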