6.3 External Identity Mapping

Thinfinity® Workspace supports multiple external authentication standards, enabling organizations to integrate with modern identity providers and centralized login systems. This flexibility allows users to authenticate using protocols like OAuth 2.0, SAML, RADIUS, and Passkeys (WebAuthn), while administrators retain control over access policies by mapping those external identities to internal Users or Groups.

This chapter introduces the key authentication schemes supported by Thinfinity Workspace and explains the concept of mapping external identities to the roles and directory structures managed through your chosen Identity Provider.

Why This Matters

  • Unifies access control: Even if authentication happens externally, authorization is still governed by Thinfinity’s internal RBAC.

  • Enables hybrid identity strategies: Organizations can use multiple authentication providers while maintaining a consistent role structure.

  • Reduces duplication: No need to redefine users or permissions — simply map external identities to roles already defined in your identity provider.

This mapping can be based on attributes such as:

  • Group membership claims (in OAuth or SAML).

  • Usernames or emails.

  • Custom claim values or tokens.
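
The mapping idea above, as an added Python example that is not Thinfinity Workspace code or its configuration format: claims taken from an already validated token or assertion are matched against rules and resolved to internal groups, with access denied when no rule matches. The `Mapping` class, the function names, and all sample claim values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    """Hypothetical rule, not Thinfinity Workspace's configuration format."""
    attribute: str       # claim name: "groups", "email", or a custom claim
    value: str           # value that must appear in that claim
    internal_group: str  # internal User or Group the identity maps to

def _norm(attribute, value):
    # Emails are compared case-insensitively; other values match exactly.
    value = value.strip()
    return value.lower() if attribute == "email" else value

def _claim_values(claims, attribute):
    """Normalise a claim to a set of strings (IdPs send a list or one string)."""
    raw = claims.get(attribute)
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, (list, tuple, set)):
        return set()  # missing or unexpected type: treat as absent
    return {_norm(attribute, v) for v in raw if isinstance(v, str)}

def resolve_groups(claims, mappings):
    """Internal groups matched by claims from an already validated token."""
    return {
        m.internal_group
        for m in mappings
        # Set membership, not substring search: "Finance-Team-Contractors"
        # must not satisfy a rule written for "Finance-Team".
        if _norm(m.attribute, m.value) in _claim_values(claims, m.attribute)
    }

# Constructed sample rules; every name here is illustrative.
MAPPINGS = [
    Mapping("groups", "Finance-Team", "Finance"),
    Mapping("email", "alice@example.com", "Administrators"),
    Mapping("department", "engineering", "Developers"),
]

def authorize(claims, mappings=MAPPINGS):
    """Default deny: an identity that matches no rule gets no access."""
    groups = resolve_groups(claims, mappings)
    return ("allow", sorted(groups)) if groups else ("deny", [])
```

The example assumes signature, issuer, and audience checks on the token or assertion have already passed; mapping rules should never be evaluated against unvalidated claims.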

Note

Navigate to the How to Configure Workspace Mappings section to understand the procedures for configuring mappings within Thinfinity Workspace.

OAuth 2.0

OAuth 2.0 is an open standard for delegated authorization. It allows users to authenticate using third-party services (such as Google, Microsoft, or Okta) without sharing their credentials directly with Thinfinity Workspace.

  • Use case: Ideal for organizations that rely on cloud-based identity providers or enterprise SSO platforms.

  • How it works: Users log in via a redirect to the external provider. Once authenticated, Thinfinity Workspace receives a token confirming identity.

Note

A comprehensive list of configuration articles can be found in this section of our online Knowledge Base.

SAML

SAML is an XML-based protocol used widely in enterprise environments for SSO.

  • Use case: Common in organizations using centralized directory services with SSO infrastructure, such as ADFS (Active Directory Federation Services).

  • How it works: Thinfinity acts as a SAML Service Provider, consuming identity assertions from a SAML IdP after successful user login.

Note

A comprehensive list of configuration articles can be found in this section of our online Knowledge Base.

RADIUS

RADIUS is a protocol for centralizing authentication, authorization, and accounting. Thinfinity Workspace supports RADIUS-based authentication for environments requiring strong centralized credential verification.

  • Use case: Often used in secure, internal networks or VPN setups.

  • How it works: Thinfinity sends the user’s credentials to a RADIUS server, which validates them and responds with an access decision.

Note

Please review the following article to find out how to configure single sign-on with RADIUS.

Passkeys (WebAuthn)

WebAuthn, part of the FIDO2 standard, enables passwordless authentication using Passkeys, hardware-based authenticators, or security keys.

  • Use case: A modern and secure alternative to passwords, often used in environments focused on zero-trust security models.

  • How it works: Thinfinity verifies a cryptographic assertion generated by a registered authenticator tied to the user’s device or identity.
