# Mappings Tab

The **Mappings** tab allows administrators to link different authentication systems with Users or Groups from the chosen Directory Services. 

To access mappings configuration settings, navigate to **Configuration Manager>Authentication>Mappings**.

<figure><img src="https://3742065333-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FX0lzJZltf6hN8YNESjYa%2Fuploads%2FWl6hjYQfMaKMq3QujUAu%2F8.5_Config%20Manager_Authentication%20tab_New.png?alt=media&#x26;token=f3ab883d-97df-4d22-a6d5-e268759ff90b" alt="" width="563"><figcaption></figcaption></figure>

A list of already defined identity mappings is displayed.

<table><thead><tr><th width="108.333251953125">Option</th><th>Description</th></tr></thead><tbody><tr><td>Enabled</td><td>This option is selected by default for any newly added mapping. Deselect to disable an identity mapping in the list.</td></tr><tr><td>Search</td><td>Allows looking up an identity mapping.</td></tr><tr><td>Import</td><td>Allows uploading a JSON file to replace the current user mapping configuration. Since this process will <strong>completely overwrite the existing configuration without the possibility of rollback</strong>, it is very important to first perform an export of the current configuration in order to have a backup.</td></tr><tr><td>Export</td><td>Allows generating a JSON file containing the current user mapping configuration. Note however that for security reasons, <strong>user passwords are not included in the exported file</strong>. </td></tr><tr><td>Add</td><td>Click to add a new identity mapping/association. See the paragraphs below for details.</td></tr><tr><td>Remove</td><td>Click to delete the selected association(s).</td></tr></tbody></table>

Clicking **Add** will display the following dialog window.

<figure><img src="https://3742065333-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FX0lzJZltf6hN8YNESjYa%2Fuploads%2FCxGqtH9A8XK17uzF0QkY%2F8.5_%5BPDT-751%5D_Config%20Manager_Authentication%20External%20ID%20Mapping.png?alt=media&#x26;token=9abeeb82-5500-4e10-be64-7dba0515b100" alt="" width="416"><figcaption></figcaption></figure>

The following options are available.

<table><thead><tr><th width="210.5555419921875">Option</th><th>Description</th></tr></thead><tbody><tr><td>Method</td><td>This field displays a list of <a href="../../../thinfinity-workspace-web-manager/settings/configuration/authentication/authentication-methods">external authentication</a> methods defined in the system.</td></tr><tr><td>ID Pattern</td><td>Click the <strong>three dots</strong> button to specify and test an ID pattern. </td></tr><tr><td>Association</td><td>The fields and options available in this dialog change according to the selection made from this field. <br>The option selected by default in this field is <strong>Inherited permissions from users/groups</strong>. <br>When <strong>Inherited permissions from users/groups</strong> is selected, the external user credentials provided at login inherit the permissions of the specified local user or group. This configuration allows the mapped SSO credentials to automatically assume the access rights and restrictions of the chosen local user or group, streamlining permissions management and ensuring consistency across user profiles. </td></tr><tr><td>Inherited Permissions from users and groups</td><td>This field shows a list permissions from users and/or group already defined in the system. </td></tr><tr><td>Add</td><td>Allows adding users and/or groups to the list of <strong>Inherited permissions</strong>...</td></tr><tr><td>Remote</td><td>Allows removing an entry from the list.</td></tr></tbody></table>

When **Ask for credentials** option is selected from the **Association** field the **External ID Mapping** dialog window is displayed as in the following image.

<div data-with-frame="true"><figure><img src="https://3742065333-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FX0lzJZltf6hN8YNESjYa%2Fuploads%2FiEaCa2yamMKnPRgl8QOx%2F8.5_%5BPDT-751%5D_Config%20Manager_External%20ID%20Mapping.png?alt=media&#x26;token=70e0122e-e672-4f3b-a064-a54bd827f706" alt="" width="416"><figcaption></figcaption></figure></div>

If **Ask for credentials to associate** is selected, when the user tries to log in with the selected authentication method they will be prompted to specify which credentials their account will be associated with. Subsequently, all Access Profiles where the user will have access will then utilize this association when configured with the **Use authenticated credentials** setting.

The following additional options are available in the **External ID Mapping** dialog window:

<table><thead><tr><th width="148.33331298828125">Option</th><th>Description</th></tr></thead><tbody><tr><td>Restrict to group</td><td>Use this field to restrict this ID mapping to a specific group of users. Click the associated <strong>three dots</strong> button to display the <strong>Find Users or Groups</strong> dialog.<br><br><img src="https://3742065333-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FX0lzJZltf6hN8YNESjYa%2Fuploads%2FD56sjDk1yXgHYtv6uiPu%2Fimage.png?alt=media&#x26;token=fc2a0300-3995-4e05-be29-7d10961e9088" alt=""></td></tr><tr><td>Username</td><td><p>This field only becomes available if either <strong>Associate existing username</strong> or <strong>Create username if doesn’t exist and associate</strong> is selected from <strong>Association</strong> field. <br><br><strong>Associate existing username</strong> option allows mapping the configured SSO user to the permissions of specific local domain user.<br><br><strong>Create username if doesn’t exist and associate</strong> option allows mapping users from external identity providers to local or domain users on the host machine, even if these users don’t already exist in the host environment. <strong>Thinfinity Workspace</strong> captures the external ID of any verified user logging in from an external domain and automatically generates a corresponding local account on the host machine. This new account will inherit permissions predefined by the administrator, ensuring that users receive immediate and secure access aligned with organizational policies.<br></p><p>Use the <strong>three dots</strong> button to find one of the usernames defined in the currently selected Directory Service(s).</p></td></tr><tr><td>Password mode</td><td>Use this field to select the password mode. Available options: No password, Ask, Existing, New or replace (fixed), and New or replace (hash). </td></tr><tr><td>Password salt</td><td>Only available if <strong>New or replace (hash)</strong> option is selected from the previous field. <br>A random bit of data added to a password before it is processed through a hashing algorithm.</td></tr><tr><td>Password</td><td>Shows the generated password.</td></tr><tr><td>Test</td><td>Verifies the stored credentials.</td></tr></tbody></table>

{% hint style="info" %}
**Reference**

For details on how to configure mappings in **Thinfinity® Workspace**, read [this article](https://kb.cybelesoft.com/portal/en/kb/articles/how-to-configure-workspace-mappings#Mappings) in our Knowledge Base.
{% endhint %}