5.4 External Identity Mapping

Thinfinity Workspace supports multiple external authentication standards, enabling organizations to integrate with modern identity providers and centralized login systems. This flexibility allows users to authenticate using protocols like OAuth 2.0, SAML, RADIUS, and Passkeys (WebAuthn), while administrators retain control over access policies by mapping those external identities to internal roles and permissions.

This chapter introduces the key authentication schemes supported by Thinfinity Workspace and explains the concept of mapping external identities to the roles and directory structures managed through your chosen Identity Provider.

OAuth 2.0

OAuth 2.0 is an open standard for delegated authorization. It allows users to authenticate through a third-party service (such as Google, Microsoft, or Okta) without ever handing their credentials to Thinfinity Workspace.

  • Use case: Ideal for organizations that rely on cloud-based identity providers or enterprise SSO platforms.

  • How it works: Users log in via a redirect to the external provider. Once authenticated, Thinfinity receives a token confirming identity.

OAuth Required Parameters

  • Virtual Path: Customize it and make sure your address is unique and web compatible. It must follow this format: http(s)://ThinfinityDomain:port/VirtualPath/

  • Client ID: Identifies Thinfinity Workspace in the OAuth Server.

  • Client Secret: Authenticates the identity of the OAuth client when requesting access tokens from an OAuth provider.
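The redirect step described above, as an added example that is not Thinfinity code: a relying party builds the authorization redirect with a per-login state value and a PKCE challenge, then checks the provider's callback before trusting the authorization code. The Virtual Path, authorization endpoint and Client ID are constructed placeholders, not values from the Thinfinity documentation; the Client Secret is deliberately absent because it belongs only in the server-side code-for-token exchange, never in the browser redirect.

```python
# Added example (not Thinfinity code): the redirect leg of an OAuth 2.0
# authorization-code flow, as a relying party such as Thinfinity would run it.
# All endpoint, client and path values below are constructed placeholders.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration (the real values live in the Workspace OAuth settings).
VIRTUAL_PATH = "https://workspace.example.com/oauth/"    # registered redirect URI; the provider must match it exactly
AUTHORIZE_ENDPOINT = "https://idp.example.net/authorize"  # hypothetical provider endpoint
CLIENT_ID = "thinfinity-workspace"                        # placeholder Client ID
# The Client Secret is used only server-side in the code-for-token exchange and
# never appears in the browser redirect built here.


def new_state() -> str:
    """Per-login random value stored in the user's session; binds the callback to this browser."""
    return secrets.token_urlsafe(32)


def pkce_pair() -> tuple:
    """PKCE verifier (kept server-side) and its S256 challenge (sent in the redirect)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(state: str, code_challenge: str) -> str:
    """URL the user's browser is redirected to at the external provider."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": VIRTUAL_PATH,
        "scope": "openid email profile",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def validate_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the provider's redirect, or raise on any mismatch."""
    parsed = urlparse(callback_url)
    expected = urlparse(VIRTUAL_PATH)
    # The callback must land on the registered Virtual Path: same scheme, host:port and path.
    if (parsed.scheme, parsed.netloc, parsed.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("callback did not arrive on the registered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time compare against the value stored when the login started (CSRF check).
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```

The state value is what ties the provider's redirect to the session that started the login, and the exact redirect-URI comparison is why the Virtual Path configured in Workspace has to match the URI registered at the provider character for character.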

SAML

Security Assertion Markup Language (SAML) is an XML-based protocol used widely in enterprise environments for Single Sign-On (SSO).

  • Use case: Common in organizations using centralized directory services with SSO infrastructure, such as Active Directory Federation Services (ADFS).

  • How it works: Thinfinity acts as a SAML Service Provider (SP), consuming identity assertions from a SAML Identity Provider (IdP) after successful user login.

SAML Required Parameters

General

  • Name: Default name of the authentication method. You can edit this as needed.

  • Virtual Path: Auto-filled virtual path to the authentication service, based on the Authentication Method name.

  • Service Identifier: URI of the Thinfinity Workspace server (where the service is installed).

  • Service Certificate File: Path to the Thinfinity Workspace SSL/TLS certificate file (self-signed or trusted).

  • Service Certificate Password: Password to access the service certificate file.

  • Identification Entity ID: Application ID assigned by the identity provider (e.g., Okta).

  • Sign Authentication Request: Enables signing of authentication requests (optional).

  • Single Sign-On Service URL: URL provided by the identity provider for SSO requests.

  • Sign-Out URL: URL used to log out from the identity provider (optional).

  • Partner Certificate File: Path to the X.509 certificate provided by the identity provider.
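What "consuming an identity assertion" as a Service Provider involves, as an added example that is not Thinfinity code: after the assertion's XML signature has been verified against the Partner Certificate File (a step that needs an XML-DSig library and is not shown), the SP still has to confirm the issuer, the validity window and the audience before it reads the subject and attributes. The sample assertion, the entity IDs and the attribute names are constructed; which configured value Thinfinity places in the Audience comparison (Service Identifier or Identification Entity ID) is an assumption made here, not something the page states.

```python
# Added example (not Thinfinity code): the checks a SAML Service Provider performs on
# an assertion after its XML signature has been verified. The assertion, entity IDs
# and attribute names are constructed.
import datetime as dt
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml, which has the same API

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values: the SP entity ID the IdP writes into <Audience>, and the IdP's own entity ID.
SP_ENTITY_ID = "https://workspace.example.com/"
IDP_ENTITY_ID = "https://idp.example.net/"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.net/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://workspace.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Workspace-Admins</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_time(value: str) -> dt.datetime:
    """Parse the UTC timestamps SAML uses in Conditions."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text: str, now: dt.datetime, expected_audience: str = SP_ENTITY_ID,
                       expected_issuer: str = IDP_ENTITY_ID,
                       clock_skew: dt.timedelta = dt.timedelta(seconds=30)) -> dict:
    """Return the subject and attributes of an assertion that is addressed to us and currently valid."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("root element is not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("assertion issued by an unexpected IdP")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a validity window")
    not_before = saml_time(conditions.get("NotBefore"))
    not_on_or_after = saml_time(conditions.get("NotOnOrAfter"))
    # Allow a little clock skew between IdP and SP, but reject anything clearly stale.
    if now + clock_skew < not_before or now - clock_skew >= not_on_or_after:
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this Service Provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no subject NameID")
    attributes = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
        attributes[attribute.get("Name")] = values
    return {"name_id": name_id, "attributes": attributes}
```

The audience check is the one most often skipped: without it, a valid assertion issued by the same IdP for a different application would be accepted here, since the signature alone says nothing about which SP the assertion was meant for.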

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a protocol for centralizing authentication, authorization, and accounting (AAA). Thinfinity Workspace supports RADIUS-based authentication for environments requiring strong centralized credential verification.

  • Use case: Often used in secure, internal networks or VPN setups.

  • How it works: Thinfinity sends the user’s credentials to a RADIUS server, which validates them and responds with an access decision.

RADIUS Required Parameters

Server

  • Server IP: IP address of the RADIUS server handling authentication requests.

  • Port: Port number used to communicate with the RADIUS server.

  • Shared Secret: Secret key used to secure communication between Workspace and the RADIUS server.

  • Authentication Type: Type of authentication method supported by the RADIUS server.

  • Test Configuration: Tests the current settings to verify connectivity and correct configuration.
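The credential round trip described above, as an added example that is not Thinfinity code: an RFC 2865 Access-Request carrying a PAP password, and the client-side check of the server's Response Authenticator, which is what the Shared Secret actually protects. The server half is simulated in-process so the exchange runs offline; the secret, user name and password are constructed.

```python
# Added example (not Thinfinity code): the RADIUS Access-Request / Access-Accept exchange
# of RFC 2865 with a PAP password, showing what the Shared Secret protects. Values are
# constructed; the "server" side is simulated in-process so the example runs offline.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform (the key stream is chained on the ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         request_auth: bytes = None) -> tuple:
    """Client (Workspace) side: returns the packet and the Request Authenticator kept for the reply."""
    request_auth = request_auth or os.urandom(16)   # fresh and unpredictable per request
    attrs = attribute(ATTR_USER_NAME, username.encode("utf-8"))
    attrs += attribute(ATTR_USER_PASSWORD, encode_pap_password(password.encode("utf-8"), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Simulated server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, identifier: int, request_auth: bytes, secret: bytes) -> int:
    """Client side: accept the decision only if the reply proves knowledge of the secret and of our request."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    code, reply_id, length = struct.unpack("!BBH", header)
    if length != len(packet):
        raise ValueError("length field does not match packet")
    if reply_id != identifier:
        raise ValueError("reply identifier does not match our request")
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code
```

Two properties follow directly from the code: the password is only obscured with an MD5 stream keyed by the Shared Secret, so RADIUS traffic between Workspace and the server still needs a protected network path, and a reply whose Response Authenticator does not verify must be discarded rather than treated as a rejection, because a forged Access-Accept would otherwise be indistinguishable from a real one.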

Passkeys (WebAuthn)

WebAuthn, part of the FIDO2 standard, enables passwordless authentication using Passkeys held by platform authenticators or by hardware security keys.

  • Use case: A modern and secure alternative to passwords, often used in environments focused on zero-trust security models.

  • How it works: Thinfinity verifies a cryptographic assertion generated by a registered authenticator tied to the user’s device or identity.
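The relying-party side of "verifying a cryptographic assertion", as an added example that is not Thinfinity code: besides checking the signature, the server has to confirm the challenge, origin, RP ID hash, presence/verification flags and signature counter carried in the assertion. The signature check itself is delegated to a caller-supplied function, because it needs the credential's registered public key and a crypto library; the RP ID, origin and sample assertion are constructed.

```python
# Added example (not Thinfinity code): the relying-party checks on a WebAuthn
# authentication assertion. The signature check is delegated to a caller-supplied
# function because it needs the credential's public key and a crypto library.
# rp_id, origin and the sample assertion are constructed.
import base64
import hashlib
import json
import struct

FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticatorData flag bits: user present, user verified


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator actually signed: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(*, rp_id: str, origin: str, expected_challenge: bytes, stored_sign_count: int,
                     client_data_json: bytes, authenticator_data: bytes, signature: bytes,
                     public_key, verify_signature, require_uv: bool = False) -> int:
    """Return the new signature counter to store if every check passes; raise otherwise."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("clientData is not from an authentication ceremony")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale or replayed assertion")
    if client.get("origin") != origin:
        raise ValueError("origin mismatch: assertion was produced for another site")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack("!I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash mismatch: credential is scoped to a different RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # A counter that fails to increase points to a cloned authenticator (0 means unsupported).
    if sign_count != 0 and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    # Real deployments verify with the registered ECDSA/RSA public key via a crypto library.
    if not verify_signature(public_key, signed_message(authenticator_data, client_data_json), signature):
        raise ValueError("signature does not verify under the registered public key")
    return sign_count


def build_sample_assertion(rp_id: str, origin: str, challenge: bytes, sign_count: int,
                           flags: int = FLAG_UP | FLAG_UV) -> tuple:
    """Constructed clientDataJSON and authenticatorData in the shapes a browser hands back."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                              "origin": origin}).encode("utf-8")
    auth_data = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack("!I", sign_count)
    return client_data, auth_data
```

The origin and rpIdHash checks are what make passkeys phishing-resistant: an assertion produced on a look-alike domain carries that domain's origin and RP ID hash and fails here regardless of how the user was tricked, and the challenge and counter checks stop a captured assertion from being replayed.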

Mapping External Identities to the Chosen Identity Provider

Thinfinity Workspace allows you to map external identities (authenticated through OAuth, SAML, RADIUS, or Passkeys) to roles and groups managed by the configured Directory Service. This ensures that once authenticated, users are granted the appropriate level of access based on internal access control models.

Why This Matters:

  • Unifies access control: Even if authentication happens externally, authorization is still governed by Thinfinity’s internal RBAC.

  • Enables hybrid identity strategies: Organizations can use multiple authentication providers while maintaining a consistent role structure.

  • Reduces duplication: No need to redefine users or permissions; simply map external identities to roles already defined in your identity provider.

This mapping can be based on attributes such as:

  • Group membership claims (in OAuth or SAML)

  • Usernames or emails

  • Custom claim values or tokens
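A small rule engine of the kind described in this section, as an added example that is not Thinfinity code: it maps an externally authenticated identity onto internal roles by group claim, user name, e-mail domain or custom claim, scopes every rule to the provider it trusts, and grants nothing when no rule matches. The rule shape, role names and sample identities are constructed; Thinfinity's own mapping model is configured in its console and is not reproduced here.

```python
# Added example (not Thinfinity code): a rule engine mapping external identities to
# internal roles. Rule shape, role names and the sample identities are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ExternalIdentity:
    provider: str                      # "oauth", "saml", "radius" or "passkey"
    subject: str                       # user name, NameID or OAuth sub
    email: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    claims: Dict[str, str] = field(default_factory=dict)


@dataclass
class MappingRule:
    provider: str      # the rule applies only to identities from this provider
    kind: str          # "group" | "user" | "email_domain" | "claim"
    match: str         # exact value to match (case-insensitive)
    role: str
    claim_name: Optional[str] = None   # for kind == "claim"


# Constructed rule set; the role names are hypothetical.
RULES = [
    MappingRule("saml", "group", "Workspace-Admins", "Administrators"),
    MappingRule("oauth", "group", "Workspace-Admins", "Administrators"),
    MappingRule("saml", "email_domain", "example.com", "Users"),
    MappingRule("oauth", "email_domain", "example.com", "Users"),
    MappingRule("radius", "user", "jdoe", "Users"),
    MappingRule("oauth", "claim", "Finance", "Finance-Apps", claim_name="department"),
]


def normalize(value: Optional[str]) -> str:
    return (value or "").strip().lower()


def rule_matches(rule: MappingRule, identity: ExternalIdentity) -> bool:
    if rule.provider != identity.provider:
        return False   # a group or claim is trusted only from the provider the rule names
    if rule.kind == "group":
        return normalize(rule.match) in {normalize(g) for g in identity.groups}
    if rule.kind == "user":
        return normalize(rule.match) == normalize(identity.subject)
    if rule.kind == "email_domain":
        email = normalize(identity.email)
        return "@" in email and email.rsplit("@", 1)[1] == normalize(rule.match)
    if rule.kind == "claim":
        return normalize(identity.claims.get(rule.claim_name or "")) == normalize(rule.match)
    return False   # unknown rule kinds never grant anything


def map_roles(identity: ExternalIdentity, rules: List[MappingRule] = RULES) -> Set[str]:
    """Roles granted to the identity; an empty set means no access (default deny)."""
    return {rule.role for rule in rules if rule_matches(rule, identity)}
```

Matching is exact rather than substring-based, and group membership supplied by one provider cannot satisfy a rule written for another, which keeps a RADIUS user name or an OAuth claim from being mistaken for a SAML group assertion.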
