If you are a system administrator and want to implement Zero Trust in your infrastructure, learn about Couper's ready-to-use OpenID Connect (OIDC) Gateway.
It verifies the identity of an end-user based on the (two-factor) authentication performed by your OpenID Provider.
Couper's OIDC Gateway adds a new access control layer to Web applications and services. It is placed between Internet users and the application running in your network. No changes to the application are required. Therefore it is especially suitable for commercial off-the-shelve software (COTS) or legacy systems.
Users connecting to your application must first authenticate themselves against an Identity Provider like Google API, Azure AD, Keycloak etc. Then, Couper OIDC Gateway will only allow verified users to access the secured application.
In addition to securing applications in your network, e.g. as an alternative to VPN, the Couper OIDC gateway can help you comply with security policies such as multi-factor authentication (MFA).
The Couper OIDC gateway only needs a few configuration settings to work:
Login to your OpenID Provider (Google, Keycloak, Azure AD, ...) and create a configuration for a Relying party. (Depending on the product this could also be called client, application or connection).
Configure the callback URL – where the Couper gateway is running. Note the provided Client ID and Client Secret.
Configure the Couper OIDC gateway with the OpenID provider's OpenID configuration URL, and the Client credentials from step 2. You have to generate a token secret and tell Couper how to connect to the actual application (origin) to be protected.Done. That's all it takes!
For years virtual private networks (VPNs) were used to create Intranets or company networks to run applications for employees that should not be used by outsiders. They often grow into one big network zone where many services run.
They create a false impression of security: The network is protected, so applications running there are automatically secure, too.
The principle of least privilege mandates that access rights should be given deliberately. With remote and hybrid work models proliferating and increased collaboration with external contractors, it becomes nearly impossible to follow that rule, given access to a VPN opens up an entire network.
Zero trust architectures work differently: They don't base trust on network connectivity or location. Every user needs to authorize with every service first - even if they are employees and use the office's local network.
To manage the amount of permissions necessary to map all users' privileges to their applications, usually central systems providing identity and authorization services are deployed. They are often used together with enterprise user databases like Active Directories. Assigning permissions via group keeps everything manageable.
The Couper OIDC Gateway helps you to apply the Zero Trust model in your infrastructure. It restricts access to applications based on the identity of the user. The authentication is delegated to an OIDC identity provider.