CITRICLOUD — Building Digital Experiences
Identity by default
Security8 Jul 20268 min

Identity by default

How Authelia and Keycloak protect every surface — and why we refuse to treat auth as an optional plugin.

MK

Mira Kovacs

Security Engineering

ShareXLinkedInEmail

Most cloud platforms sell compute first and identity later. That order creates the exact risk profile auditors dislike: public endpoints that grew faster than the access model.

On CITRICLOUD, identity is part of the edge. Authelia handles forward-auth and 2FA for operator surfaces. Keycloak covers SSO and federation when tenants need enterprise login.

The control chain

  1. Traffic hits Traefik with WAF and HSTS middlewares
  2. Forward-auth challenges sensitive routes via Authelia
  3. Application SSO can delegate to Keycloak for OIDC/SAML
  4. Audit-friendly logs capture auth decisions for review

What “default” actually changes

Defaults matter more than dashboards. When every new service inherits the same auth middlewares, teams stop inventing one-off login pages — and security reviews get shorter.

textCITRICLOUD
middlewares: - name: soc2-waf-chain - name: soc2-hsts - name: authelia-forwardauth

Where to go next

Read the Security page for the broader control set, or open Support if you need help wiring SSO for an enterprise tenant.

Thoughts on this article?

Tell us what to cover next — or ask a question about running on CITRICLOUD.

Related articles

Keycloak SSO for tenants
Security9 min

Keycloak SSO for tenants

Enterprise buyers expect SSO on day one. How we wire Keycloak so each tenant can bring their IdP without fracturing the platform.

MK

Mira Kovacs

Zero-trust networking on CITRICLOUD
Security7 min

Zero-trust networking on CITRICLOUD

Stop trusting the LAN. How we authenticate every hop with identity-aware networking and deny-by-default paths.

MK

Mira Kovacs

A SOC2-minded edge
Security7 min

A SOC2-minded edge

WAF, HSTS, rate limits, and forward-auth — the middleware stack we put in front of public endpoints.

MK

Mira Kovacs

Newsletter

Platform notes in your inbox

Product updates, architecture write-ups, and security notes — no spam, unsubscribe anytime.

By subscribing you agree to our Privacy policy.