What is Keycloak?

Keycloak is a free and open-source Identity and Access Management (IAM) system. It secures your apps and services with a minimal amount of code. Keycloak handles user identity, user federation, identity brokering, user role-based authorization and social login.

Users log in to Keycloak instead of logging in to each service separately. This means you won’t have to manage users for each service you offer. Once a person signs up with Keycloak, they don’t have to sign up for the other services again.


What is a Reverse Proxy?

A reverse proxy server sits between the clients and your web server (origin server). It hides the identity of the origin server by receiving user traffic itself and only then forwarding it to the origin server of your website.


Why does your organization need a Reverse Proxy Server with Keycloak?

Your organization can strengthen the security of its cloud applications by allowing access only to users who have been authenticated with Keycloak, using a reverse proxy server configured for access control. Whenever a user tries to access an application you want to protect, the user is redirected and forced to log in with Keycloak first. If the reverse proxy server finds a valid Keycloak session, the user is given access to the application; non-federated users are denied access.

For data loss prevention, threat protection and an extra layer of security, the connection between the cloud apps and Keycloak is established through the reverse proxy server. A reverse proxy server can be configured to safeguard SaaS applications (such as Salesforce, Google Workspace, Office 365) by routing all end-user traffic through it, which allows it to detect irregularities. When a SAML-based app uses an Identity Provider (such as Keycloak, Okta, ADFS, Azure AD) for SSO authentication, users are sent back to the app after authentication, so access is granted from the reverse proxy server.

Keycloak Reverse Proxy Authentication

How to authenticate users with Keycloak?

Without the miniOrange Reverse Proxy Server

Let’s say we have a user, Alice. Alice enters the URL and tries to access the protected area of a cloud application. Without a reverse proxy, Alice’s traffic reaches the application server even when she is not authorized to access it or has not authenticated with your company’s federated login, which is Keycloak IAM.

This allows attackers to attempt DoS attacks on your system, or to probe your application for vulnerabilities and get into your system through backdoors.


With the miniOrange Reverse Proxy

Now let’s introduce a reverse proxy server, put your cloud applications behind it, and connect it to Keycloak with a SAML 2.0 federated SSO connection.

When a user tries to access the application, the reverse proxy server checks whether the user is logged in and sends the user to Keycloak for authentication before granting any access.

With this approach, Keycloak-authenticated users can access the application’s features and services as before, while an attacker’s traffic is blocked from ever reaching your applications. Attempts to exploit your system are stopped at the proxy even if the application behind it still has open vulnerabilities, giving you an extra layer of security, threat protection and data loss prevention.
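The gate described above, reduced to its essential decision, as an added example (this is illustrative code written for this page, not miniOrange’s product or Keycloak’s own code): the proxy forwards a request to the origin server only when it carries a valid, unexpired session; every other request is redirected to the identity provider. The session store, cookie name, upstream address and the Keycloak SAML endpoint URL (realm name `example`) are assumptions; the SAML assertion handling that would populate the session store after a successful login is not shown.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// Session is what the proxy remembers once Keycloak has authenticated a user.
type Session struct {
	User    string
	Expires time.Time
}

// SessionStore is an in-memory session table keyed by the session cookie value
// (constructed for this example; a real deployment would use shared storage).
type SessionStore struct {
	mu       sync.RWMutex
	sessions map[string]Session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]Session)}
}

// Put records a session after a successful Keycloak login.
func (s *SessionStore) Put(id string, sess Session) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = sess
}

// Lookup returns the session for id only if it exists and has not expired.
func (s *SessionStore) Lookup(id string, now time.Time) (Session, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	sess, ok := s.sessions[id]
	if !ok || !now.Before(sess.Expires) {
		return Session{}, false
	}
	return sess, true
}

// Decision is the gate's verdict for one request.
type Decision int

const (
	Allow         Decision = iota // valid session: forward to the application
	RedirectToIdP                 // missing or expired session: send to Keycloak
)

const sessionCookie = "rp_session" // cookie name chosen for this example

// Decide implements the gate: a request reaches the origin server only with a
// valid, unexpired session; everything else is sent to Keycloak first.
func Decide(store *SessionStore, cookieValue string, now time.Time) (Decision, string) {
	if cookieValue == "" {
		return RedirectToIdP, ""
	}
	sess, ok := store.Lookup(cookieValue, now)
	if !ok {
		return RedirectToIdP, ""
	}
	return Allow, sess.User
}

// Gate wraps the upstream handler with the session check.
func Gate(store *SessionStore, idpLoginURL string, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cookieValue := ""
		if c, err := r.Cookie(sessionCookie); err == nil {
			cookieValue = c.Value
		}
		decision, user := Decide(store, cookieValue, time.Now())
		if decision != Allow {
			// Unauthenticated traffic never reaches the application. The
			// original URL is kept so the user can be returned after login.
			target := idpLoginURL + "?return_to=" + url.QueryEscape(r.URL.String())
			http.Redirect(w, r, target, http.StatusFound)
			return
		}
		// Hand the authenticated identity to the application; Set overwrites
		// any client-supplied copy of the header so it cannot be spoofed.
		r.Header.Set("X-Authenticated-User", user)
		upstream.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: the protected application and Keycloak's SAML
	// endpoint for a realm named "example" (placeholder values).
	origin, err := url.Parse("http://127.0.0.1:8080")
	if err != nil {
		log.Fatal(err)
	}
	idp := "https://keycloak.example.internal/realms/example/protocol/saml"
	store := NewSessionStore()
	proxy := httputil.NewSingleHostReverseProxy(origin)
	log.Fatal(http.ListenAndServe(":8443", Gate(store, idp, proxy)))
}
```

The point to take from the code is where the check happens: the decision is made before `upstream.ServeHTTP` is ever called, so a request without a valid session produces no traffic at the origin server at all, which is what keeps probing and DoS attempts away from an application that may still have unpatched weaknesses.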


Conclusion:

Keycloak with a reverse proxy has become one of the mandates for organizational infrastructure, given the need for and efficacy of security within an organization. Aside from providing an extra layer of security, it is highly scalable for applications, adaptable to future changes, and improves efficiency. So, if you’re looking to configure Keycloak with a reverse proxy, or any other IAM, for your company, miniOrange fits the bill with world-class service and reasonable pricing.


Other Reverse Proxy solutions:

  1. Bot traffic mitigation
  2. Load balancing
  3. IP restriction
  4. Content caching
  5. Secure Google Workspace Apps
