How to protect access to Service Desk Help Portal / OnDemand

I would like to use SD w/ Help Portal but I'm struggling to see how can I protect access to the content exposed there.

My scenario:

• I have a webapp where users authenticate against an external SSO (OAuth2)
• This gives me reference tokens (no JWT) that I can validate and extract user data using a token endpoint
• I would like to give users authenticated this way access to SD Portal
• Other users should not be able to see any content in the Portal
• I can't create my users as customers and have them go through Sign-On / Sign-In process
• I could potentially require them to Sign In when submitting a ticket and to track its progress

As far as I have seen the portals are either public (and accessible using a guessable URL) or private (where users are taken to a sign in page). Is there something else I missed in the documentation?