Most cloud platforms sell compute first and identity later. That order creates the exact risk profile auditors dislike: public endpoints that grew faster than the access model.
On CITRICLOUD, identity is part of the edge. Authelia handles forward-auth and 2FA for operator surfaces. Keycloak covers SSO and federation when tenants need enterprise login.
The control chain
- Traffic hits Traefik with WAF and HSTS middlewares
- Forward-auth challenges sensitive routes via Authelia
- Application SSO can delegate to Keycloak for OIDC/SAML
- Audit-friendly logs capture auth decisions for review
What “default” actually changes
Defaults matter more than dashboards. When every new service inherits the same auth middlewares, teams stop inventing one-off login pages — and security reviews get shorter.
middlewares: - name: soc2-waf-chain - name: soc2-hsts - name: authelia-forwardauthWhere to go next
Read the Security page for the broader control set, or open Support if you need help wiring SSO for an enterprise tenant.
Thoughts on this article?
Tell us what to cover next — or ask a question about running on CITRICLOUD.



