4.2k

All integrations
Thales
Identity providers

Cerbos authorization for Thales SafeNet Trusted Access

Thales SafeNet Trusted Access provides enterprise single sign-on, MFA, and access management with scenario-based policies. Cerbos adds fine-grained, resource-level authorization using the identity attributes Thales provides, extending access control beyond the perimeter and into your applications.

Enterprise identity signals

Enterprise identity signals

Use Thales user attributes, group memberships, and directory data as inputs to Cerbos authorization policies

Inside the application

Inside the application

Extend Thales perimeter-level access management with resource-level authorization decisions inside your applications

Directory integration

Directory integration

Thales sources identity from Active Directory, LDAP, and cloud directories. Cerbos uses those attributes regardless of the underlying directory.

How Cerbos works with Thales Identity

Thales Identity handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.

Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.

Policy-as-codeHuman-readable YAML policies managed like source codeScalable PDPStateless policy decision point with sub-millisecond latencyCentralized managementManage, test, and deploy policies from a single control plane

How Cerbos works with Thales SafeNet Trusted Access

  1. Users authenticate via Thales SafeNet Trusted Access, Thales handles login, MFA, and scenario-based access policies. User attributes and group memberships are sourced from connected directories such as Active Directory or LDAP.
  2. Extract identity from the Thales token, Your application validates the SAML assertion or OIDC token from Thales and extracts the user's attributes, group memberships, and organizational data.
  3. Send identity and resource context to Cerbos, Pass the Thales user attributes as principal attributes alongside the target resource and desired action to the Cerbos PDP.
  4. Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Thales identity data and resource attributes, returning allow or deny. Your application enforces the result.

FAQ

How does Cerbos work with Thales SafeNet Trusted Access?

Thales SafeNet Trusted Access authenticates users and evaluates access policies at the application level using scenario-based rules. Cerbos takes the identity attributes from Thales-issued SAML assertions or OIDC tokens and evaluates them against your authorization policies to control access to individual resources and actions within your applications.

Can I use Thales group memberships in Cerbos policies?

Yes. Thales SafeNet sources user groups from Active Directory, LDAP, or its own user store and includes them in authentication tokens. Pass these group memberships to Cerbos as principal attributes and write policies that reference specific groups or combinations of group memberships.

Does Cerbos replace Thales access management policies?

No. Thales scenario-based policies govern application-level access and step-up authentication at the perimeter. Cerbos governs resource-level authorization inside your applications. They operate at different layers and complement each other.

Learn more about Cerbos

How Cerbos worksCerbos PDPCerbos HubWebinars and ebooksFeatures & use casesSuccess stories

Related integrations

View all integrations →
Auth0
Auth0Map Auth0 Actions, Organizations, and roles to Cerbos policy inputs
Identity providers
Authentik
AuthentikAuthentik property mappings shape token claims for Cerbos policy inputs
Identity providers
AWS Cognito
AWS CognitoCognito user pool groups and custom attributes as Cerbos policy inputs
Identity providers
Clerk
ClerkClerk session claims and Organizations drive Cerbos policy evaluation
Identity providers
Curity
Curity Identity ServerCurity token procedure claims as principal attributes in Cerbos
Identity providers
Descope
DescopeDescope JWT claims, tenant data, and role assignments feed into Cerbos policy evaluation
Identity providers

Cerbos + Thales Identity

  • Cerbos extends Thales Identity roles with fine-grained, attribute-based permissions
  • Policies defined in human-readable YAML, managed as code
  • Authorization logic decoupled from application code
  • Sub-millisecond policy evaluation via stateless PDP
Book a free policy workshopTry the Playground
Cerbos
/assets/footer/socials/x.svg/assets/footer/socials/github.svg/assets/footer/socials/mail.svg/assets/footer/socials/youtube.svg/assets/footer/socials/linkedin.svg/assets/footer/socials/slack.svg/assets/footer/socials/npm.svg/assets/footer/socials/rss.svg
/assets/footer/compliance/soc-2.svg/assets/footer/compliance/gdpr.svg

What is Cerbos?

Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.

© 2026 Cerbos.dev

Terms of Service

Privacy Policy

Trusted Tester Agreement

Trademark Guidelines