6.3.1 Primary Brokers

The Primary Broker is the operational core of Thinfinity® Workspace. It integrates with identity providers (IdPs), manages user sessions and directs users to the resources their credentials and permissions allow, among other functions. It is also responsible for managing and routing virtualization workloads so that performance and resource utilization stay optimal.

Key Roles and Responsibilities of the Primary Broker

Authentication and Authorization

The Primary Broker is central to user authentication and authorization and is the component that integrates with external identity providers. It authenticates users by validating their credentials against the configured IdP and, where enabled, requiring a second factor (2FA); it supports Microsoft Active Directory, OAuth and SAML.

It also enforces access control, combining policy-based access control with role-based permissions, so that users can reach only the resources they are authorized to use.
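The following is an added, hypothetical model of the access decision described above and under Security Features below. It is example code written for this page, not Thinfinity code, and the policy format, pool names, group names and time windows are all invented. What it shows is the combination the text describes: group/role claims that originate from the IdP, a per-pool policy, an MFA requirement, default deny for anything not explicitly permitted (least privilege), and a re-validation window that models continuous authentication.

```python
"""Hypothetical model of a broker access decision.  Example code added for this
page; not Thinfinity code.  Policy format, pool and group names are invented."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset          # group/role claims returned by the IdP (AD, SAML, OAuth)
    mfa_satisfied: bool        # second factor completed in this session
    last_validated: datetime   # last time credentials were checked against the IdP


@dataclass(frozen=True)
class PoolPolicy:
    allowed_groups: frozenset  # any one matching group grants access to the pool
    require_mfa: bool = False
    revalidate_after: timedelta = timedelta(minutes=15)


# Constructed sample policies keyed by application pool name (hypothetical names).
POLICIES = {
    "finance-desktops": PoolPolicy(frozenset({"finance"}), require_mfa=True,
                                   revalidate_after=timedelta(minutes=5)),
    "kiosk-apps": PoolPolicy(frozenset({"staff", "contractors"})),
}


def authorize(principal: Principal, pool: str, now: datetime):
    """Return (allowed, reason).  Anything not explicitly permitted is denied."""
    policy = POLICIES.get(pool)
    if policy is None:
        return False, "unknown pool: default deny"
    if not principal.groups & policy.allowed_groups:
        return False, "no matching group claim"
    if policy.require_mfa and not principal.mfa_satisfied:
        return False, "second factor required"
    if now - principal.last_validated > policy.revalidate_after:
        # Continuous authentication: a session older than the policy's window
        # must re-validate against the IdP before the broker routes it again.
        return False, "credentials stale: re-authenticate"
    return True, "allowed"


def visible_pools(principal: Principal, now: datetime):
    """Pools the broker should present to this user: only those it would authorize."""
    return sorted(pool for pool in POLICIES if authorize(principal, pool, now)[0])


# Constructed sample principals (not real users).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ALICE = Principal("alice", frozenset({"finance", "staff"}), True, NOW)
ALICE_NO_MFA = Principal("alice", frozenset({"finance", "staff"}), False, NOW)
ALICE_STALE = Principal("alice", frozenset({"finance", "staff"}), True,
                        NOW - timedelta(minutes=10))
BOB = Principal("bob", frozenset({"contractors"}), False, NOW)

if __name__ == "__main__":
    for who in (ALICE, ALICE_NO_MFA, ALICE_STALE, BOB):
        print(who.user, visible_pools(who, NOW))
```

Note that a stale session is not all-or-nothing: ALICE_STALE is still offered the kiosk pool (15-minute window) but is sent back to the IdP before reaching the finance pool (5-minute window), which is what a per-resource re-validation policy buys over a single global session timeout.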

User Session Handling

It manages user sessions: it initiates them, coordinates their lifecycle, and receives user requests and directs them to the appropriate application pools or resources.

Resource Allocation and Management

It allocates resources and manages their distribution, assigning them dynamically according to real-time demand and availability.

It manages traffic, directing user requests to the appropriate application pools or VPCs, and optimizes the performance of virtual desktops and applications by managing the virtualization process.

Interaction with Gateway

It operates in conjunction with the Gateway, which forwards authentication requests to the Primary Broker. The Primary Broker, in turn, participates in establishing secure reverse connections with the Gateway: the Broker dials out to the Gateway rather than accepting inbound connections from it, so the user-facing component never needs a path into the internal network.

Interaction with Secondary Brokers

The Primary Broker works alongside Secondary Brokers, when they are deployed, for enhanced scaling and networking. It manages connection routing and load balancing for internal and external users, working with Secondary Brokers to allocate remote resources. The Primary Broker also monitors their activity and balances load among them.

Security Features

The Primary Broker is integral to Thinfinity's ZTNA architecture. It enforces the principle of least privilege (PoLP), supports continuous authentication by validating credentials and monitoring sessions, and implements policy-based access control by coordinating the security policies. Because the Broker initiates the connection to the Gateway itself, no inbound ports need to be opened on internal networks; the Broker-to-Gateway channel uses outbound WebSockets protected with TLS 1.3. The outbound firewall rule should still be scoped to the Gateway's address and port rather than permitting arbitrary outbound WebSocket traffic from the Broker host.
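A practitioner will want to confirm, rather than assume, that the Broker-to-Gateway channel really negotiates TLS 1.3. The following added example (written for this page, not Thinfinity code) does that passively from a captured ServerHello record, for instance one taken from a packet capture on the Broker host. The point it makes is that TLS 1.3 leaves the record and `legacy_version` fields at 0x0303 (TLS 1.2) and signals the real version only in the `supported_versions` extension (RFC 8446, section 4.2.1), so a naive check of the version fields would report TLS 1.2 for a perfectly good TLS 1.3 session. The sample records are constructed inline, not captured from a real Gateway.

```python
"""Passive check of the TLS version a server actually selected, parsed from a
captured ServerHello record.  Example code added for this page; not Thinfinity code.
Sample records below are constructed, not real captures."""
import struct

SUPPORTED_VERSIONS = 0x002B   # extension type, RFC 8446 section 4.2.1
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def negotiated_tls_version(record: bytes) -> str:
    """Return the version the server chose from one TLS record carrying a ServerHello.

    TLS 1.3 servers keep legacy_version at 0x0303 and put the selected version in
    the supported_versions extension, so that extension wins when present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                               # skip legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                         # legacy_session_id_echo
    pos += 2                                   # cipher_suite
    pos += 1                                   # legacy_compression_method
    if pos + 2 > len(hello):                   # pre-1.3 hellos may omit extensions
        return VERSION_NAMES.get(legacy_version, hex(legacy_version))
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if etype == SUPPORTED_VERSIONS and elen == 2:
            selected = struct.unpack("!H", hello[pos:pos + 2])[0]
            return VERSION_NAMES.get(selected, hex(selected))
        pos += elen
    return VERSION_NAMES.get(legacy_version, hex(legacy_version))


def meets_tls13_requirement(record: bytes) -> bool:
    """True only when the server selected TLS 1.3 for this session."""
    return negotiated_tls_version(record) == "TLS 1.3"


def build_server_hello(legacy_version: int, extensions: bytes) -> bytes:
    """Assemble a minimal ServerHello record (constructed sample data, not a capture)."""
    hello = struct.pack("!H", legacy_version) + b"\x00" * 32   # version + random
    hello += b"\x00"                                           # empty session id echo
    hello += b"\x13\x01"                                       # TLS_AES_128_GCM_SHA256
    hello += b"\x00"                                           # null compression
    hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: both carry 0x0303 in the version fields; only the first is TLS 1.3.
TLS13_HELLO = build_server_hello(0x0303, struct.pack("!HHH", SUPPORTED_VERSIONS, 2, 0x0304))
TLS12_HELLO = build_server_hello(0x0303, b"")

if __name__ == "__main__":
    for name, rec in (("TLS13_HELLO", TLS13_HELLO), ("TLS12_HELLO", TLS12_HELLO)):
        print(name, negotiated_tls_version(rec), meets_tls13_requirement(rec))
```

On a real deployment, feed the function the first server-to-Broker TLS record from a capture taken on the Broker host; if it reports anything other than TLS 1.3, the Gateway or an intermediary has downgraded the channel and the page's stated property no longer holds for that connection.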

Deployment Location

It is typically located within the target (internal) network, although some configurations place it in the DMZ or in the cloud. It can be installed on the same host as the Gateway for simpler deployments, or on a separate host in a distributed deployment; co-hosting trades the network separation between the user-facing Gateway and the Broker for simplicity, so it suits small or test environments better than production.
