Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

OneWelcome Identity Platform
- Explore Thales Docs

IDAAS core
User journey orchestration
Consent and preference management
Consent Management v2
- Admin UI guide
- Consent Management v2 APIs
Identity broker
Delegated User Management v2
Externalized authorization
Delegated user management
- Getting started
- Roles
- Rules
- User management
- Self service page
- Data
- APIs
- Apps
- Jobs
- Reports
Risk management
- Essential rules
- Default policies (Essential)
Mobile identity
- Mobile identity - Access component
- Mobile identity - Tulip
Mobile SDK
API references
Release notes and FAQ
Policy-Based Authorization Manager
Integrations
Identity Orchestrator (IO)

All

All

Authorizers

Token Enrichment Authorization Pattern

Please Note:

Policy-Based Authorization Manager
Platform Navigation
User Portal
- About the platform
- Navigation
- Getting Started
  - Logging In and Out
  - Platform Hierarchy
  - Platform Permissions
- About Tenants
  - Hybrid Agent Key Settings
  - Configuring an IDP for the Tenant
  - Tenant Settings
- AI Capabilities
  - Policy Metadata
- About Environments
  - Environment Settings
  - Managing Environments
  - Managing Workspaces
  - About Scopes
    - Managing Scopes
    - Managing Scope Authentication
  - About Secret Stores
    - Managing Secret Stores
    - Configuring Store Types
  - Managing Authorizers
- About Audit Reports
  - Administration Audit Report
  - Authorization Audit Report
- About PAAs and PIP Settings
  - Policy Authorization Agent
    - Managing Policy Authorization Agents (PAA)
  - Policy Information Point (PIP)
    - Data Sources
- Identity Workspace
  - Identity Workspace Settings
  - Managing Identity Attributes
  - Managing Identity Sources
  - Managing Identity Mapper Sets
  - Managing Identity Matchers
  - Managing Dynamic Groups
- Authorization Workspace
  - Authorization Workspace Settings
  - Request Attributes
  - Prerequisites for Building Policies
  - About Assets and Asset Types
    - Asset Type Settings
    - Managing Asset Types
    - Managing Asset Attributes
    - Managing Assets
    - Managing Actions
    - Managing Rulesets
  - About Applications
    - Application Settings
    - Managing Applications
  - About API Mappers
    - Managing API Mappers
  - About Conditions
    - Managing Conditions
- About Policies
  - Creating Policies
  - Managing Policies
  - Vendor Compare
  - Policy Lifecycle
  - Policy Custom Attributes
  - Policy Authoring for Data
    - Data Access Policies
    - Dynamic Data Mapping
    - Google BigQuery
- About the Certification Process
  - Certification Process Steps
- Authorization Audit Configuration
Admin Portal
- Thales Agent
- IDP authenticator enrichment
- Policy Decision Point (PDP)
  - Enabling SSL for Runtime
  - PDP caching options
  - Authorization audit configuration
Authorizers
- SaaS Authorization Management
- Token Enrichment Authorization Pattern
- API Access Authorization Pattern
- Data Access Authorization Pattern

Was this document helpful? Yes No

Feedback Sent!

If you like, you can provide additional feedback.

OneWelcome Identity Platform
Policy-Based Authorization Manager
Authorizers
Token Enrichment Authorization Pattern

Token Enrichment Authorization Pattern

With the Token Enrichment Authorization Pattern, Thales Authorizers dynamically enrich user authorizations by calculating custom entitlements or claims based on policies, which are then served to consuming services.

IDP Authorizers help you seamlessly integrate your existing IDP systems with the Platform's dynamic Authorization calculation. This integration enables you to define fine-grained Authorization Policies, enforce access rules, and manage user privileges across your entire IDP ecosystem by enriching user claims during the user's authentication journey.

The IDP Authorizer integrates the IDP authentication flow with the Thales Token Enrichment Service, establishing a connection and initiating a request for Policy-based, real-time calculated user claims by Thales’s PDP, which are then included in the user’s token during generation by the IDP.

This process allows applications and services that rely on user token claims for access management to seamlessly benefit from the dynamic enrichment of claims provided by Thales during the authentication flow.

Use-case Example

Use-case example

Explanation

User Authenticates to the IDP.
IDP calls out to Thales to request which claims the user is authorized to have.
Thales real time calculated claims added by the IDP and enriches the user token.
IDP signs the JWT and it is provided to the application.

An additional enrichment flow supported by other Thales Authorizers can leverage Thales' dynamic authorization capabilities. These authorizers calculate entitlements based on policies to enrich service API requests, which are then used by customer services during internal authorization enforcement.

How Token Enrichment Works

Token enrichment

User Authenticates to the IDP
IDP calls out to Thales and request which claims and claims values the user is authorized to have.
Claims are added to the JWT
JWT is signed and provided to the Application.

Token Enrichment Authorizers

Thales offers the following Token Enrichment Authorizers:

Okta
Auth0
Entra ID
Ping

On this page

OneWelcome Identity Platform

© Copyright 2019-2026, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Support Contacts
Legal
- End User License Agreement
- Terms of Service

© Copyright 2019-2026, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com