Can Keycloak act as a zero trust web proxy (ie. Cloudflare Access replacement)?

Hi, our small org (15 ppl) is looking for a self hosted solution that works similarly to Cloudflare Access, which solves the problem we have decently well, but requires full control of our domain’s zone, which isn’t something we want to migrate out of AWS. Our goal is to secure our internal reporting web instance (with a lot of sensitive data) and eliminate our VPN.

We’re looking at alternative solutions like Pritunl Zero and Pomerium, and I had looked at Keycloak as an SSO provider to connect to our active directory (which we want to move to AWS Active Directory).

However, now I’m wondering if Keycloak really plays that role? Does it act as a standard SSO provider that Pritunl can talk to? Their docs only explain connecting to Okta, Azure AD, and a few others. Or, can Keycloak play the full role of highly secure access proxy, including authentication?

Any advice here would be much appreciated.

Keycloak is an identity provider (IdP). It doesn’t act as a proxy, so no. BTW there are some service provider codes (adapters, libs, …), which users name as keycloak, but I would name them side projects - they are really not proxies from the architecture perspective.

However, there are non-Keycloak apps which can act as auth proxies and can work with any IdP via standardized SSO protocols such as OpenID Connect and SAML (both of them are supported by Keycloak). So if Pritunl works with those SSO protocols, then it should also work with Keycloak. Even standard webservers, e.g. Apache, Nginx, can do that with the right modules. But I would use more specialized authentication/authorization proxies.

The Keycloak team was working on an OIDC auth proxy - the louketo project, but it was deprecated (there is a quite active fork on GitHub).
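As an added illustration (not part of the thread above), this is the kind of setup the answer alludes to: a plain Apache httpd turned into an OIDC auth proxy with mod_auth_openidc, fronting the internal reporting app, with Keycloak as the IdP. The hostnames, realm name, client id, group name and backend address are placeholders.

```apache
# Added example, not from the thread: Apache + mod_auth_openidc as an OIDC
# auth proxy in front of an internal app, with Keycloak as the IdP.
# Placeholders: sso.example.internal, reports.example.internal, realm "corp",
# client "reports-proxy", group "reporting-users", backend 10.0.10.20:8080.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName reports.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/reports.example.internal.crt
    SSLCertificateKeyFile /etc/ssl/private/reports.example.internal.key

    # Discover Keycloak's OIDC endpoints from the realm metadata document.
    OIDCProviderMetadataURL https://sso.example.internal/realms/corp/.well-known/openid-configuration
    OIDCClientID         reports-proxy
    OIDCClientSecret     "<client secret generated by the Keycloak client>"
    # Must be registered as a valid redirect URI on the Keycloak client
    # and must not collide with a real path on the backend app.
    OIDCRedirectURI      https://reports.example.internal/oidc-callback
    OIDCCryptoPassphrase "<random passphrase used to encrypt the session cookie>"
    OIDCScope            "openid profile email"
    # Idle sessions expire after 15 minutes; cookie is not readable by scripts.
    OIDCSessionInactivityTimeout 900
    OIDCCookieHTTPOnly   On
    OIDCCookieSameSite   On

    # Everything behind this vhost requires a Keycloak login, and only
    # members of the "reporting-users" group get through. The "groups"
    # claim comes from a Group Membership mapper on the Keycloak client;
    # its value is "/reporting-users" if the mapper emits full group paths.
    <Location />
        AuthType openid-connect
        Require claim groups:reporting-users
    </Location>

    # Forward the authenticated identity to the app as request headers.
    # The backend must only be reachable from this proxy, never directly,
    # otherwise the login requirement can be bypassed.
    OIDCPassClaimsAs headers
    ProxyPreserveHost On
    ProxyPass         / http://10.0.10.20:8080/
    ProxyPassReverse  / http://10.0.10.20:8080/
</VirtualHost>
```

The same pattern applies to any other OIDC-capable proxy: Keycloak only issues the tokens, and the component in front of the app decides who gets through.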