Use of Reverse Proxy

An RP-PEP (Reverse Proxy Policy Enforcement Point) is a gateway through which all incoming and outgoing data of a connected application is routed. Unlike a Web Application Firewall (WAF), the RP-PEP does not inspect the data; it only authorizes access using a coarse-grained role (the .ALLOW role).

eIAM integration with RP-PEP and Access Management

Standard integration does not include the use of an RP-PEP; it uses an STS-PEP (or PEP-less) setup instead. Only integrations into the SZ+ zone and those with increased protection needs according to Si001 require the use of an RP-PEP. eIAM distinguishes different authentication strengths according to . According to the current zone policy, eIAM only allows QoA min. 50 for the SZ+ and BV network.

Si001 - Basic IT protection in the Federal Administration

The need for an RP-PEP from the Federal Government's point of view is defined in Si001 - Basic IT protection in the Federal Administration (which replaces or integrates Si002 and Si003).
  • For SZ+ and BV-Netz, an RP-PEP must precede the application. The PEP must ensure authentication at the zone transition.
    • It does not have to be an eIAM RP-PEP.
    • eIAM distinguishes different authentication strengths according to . According to the current zone policy, eIAM only allows QoA min. 50 for the SZ+ and BV network.
  • Resources in the SZ (not SZ+) must be exposable without an eIAM RP-PEP.

The use of eIAM RP-PEPs should be minimised from eIAM's point of view for the following reasons:

  • The integration and operation of the specialist application in eIAM becomes more expensive and complicated.
    • Increased testing
    • Release management (PEP and application)
      • Both updates to the eIAM PEP and releases of the application itself always involve the eIAM RP-PEP.
    • Coordination
      • For each change, several organisational units (if necessary across several offices and companies) must be coordinated.
    • Coordination
      • More components are involved, including components that one does not operate oneself.
    • An RP-PEP hardly increases the security of an application.
      • The WAF is provided by BIT (and does not require an RP-PEP).

Reasons from a customer project perspective to still use an RP-PEP could be:

  • SSO requirements on existing integrations with an RP-PEP, reusing the same FQDN.
  • The application is to be integrated under an existing FQDN at eIAM as an RP-PEP.
  • Enhanced security for the application:
    • The LB-WAF is already a reverse proxy.
    • The eIAM RP-PEP can filter URL paths.
    • No stack traces or backend cookies are passed to the browser.
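As an added illustration (not eIAM's, BIT's or any project's own code), the following Python model combines the behaviour the text attributes to an RP-PEP: every request and response passes through it, access is granted only on a coarse-grained .ALLOW role rather than by inspecting payloads, and URL paths are filtered while backend cookies, server fingerprints and leaked stack traces are stripped before the response reaches the browser. The role name `APP.ALLOW`, the exposed path prefix `/app`, the stripped-header list, the stack-trace patterns and the `demo_backend` stub are all constructed assumptions.

```python
"""Illustrative model of a reverse-proxy policy enforcement point (RP-PEP).
Added example; not eIAM's code. Role name, prefixes and backend are assumptions."""
from dataclasses import dataclass, field
from posixpath import normpath
import re

# Assumed coarse-grained role, modelled on the ".ALLOW role" in the text.
ALLOW_ROLE = "APP.ALLOW"

# Backend response headers a PEP should not pass on to the browser.
STRIPPED_HEADERS = {"set-cookie", "server", "x-powered-by"}

# Crude detectors for a stack trace leaking in a backend response body.
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"   # Python
    r"|^\s+at [\w$.<>]+\(.*\)$"              # Java / .NET frame lines
    r"|Exception in thread",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Request:
    path: str
    roles: frozenset = frozenset()   # roles asserted for the authenticated identity
    authenticated: bool = False


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class ReverseProxyPEP:
    """Sits in front of the application; every request and response passes through it."""

    def __init__(self, backend, allow_role=ALLOW_ROLE, exposed_prefixes=("/app",)):
        self.backend = backend                      # callable(Request) -> Response
        self.allow_role = allow_role
        self.exposed_prefixes = tuple(normpath(p) for p in exposed_prefixes)

    def decide(self, request):
        """Coarse-grained decision (allowed, reason): no payload inspection, unlike a WAF."""
        if not request.authenticated:
            return False, "unauthenticated"
        if self.allow_role not in request.roles:
            return False, "missing role " + self.allow_role
        # Normalise before matching so '/app/../admin' cannot slip past the prefix check,
        # and match whole segments so '/application' is not treated as '/app'.
        path = normpath(request.path)
        if not any(path == p or path.startswith(p + "/") for p in self.exposed_prefixes):
            return False, "path not exposed"
        return True, "allow"

    def sanitize(self, response):
        """Drop backend cookies/fingerprint headers and replace a leaked stack trace."""
        headers = {k: v for k, v in response.headers.items()
                   if k.lower() not in STRIPPED_HEADERS}
        body, status = response.body, response.status
        if STACK_TRACE_RE.search(body):
            body, status = "An internal error occurred.", 500
            headers["Content-Type"] = "text/plain"
        return Response(status, headers, body)

    def handle(self, request):
        allowed, reason = self.decide(request)
        if not allowed:
            # 401 when not authenticated, 403 when the authorisation decision fails.
            status = 401 if reason == "unauthenticated" else 403
            return Response(status, {"Content-Type": "text/plain"}, reason)
        return self.sanitize(self.backend(request))


def demo_backend(request):
    """Constructed stand-in for the protected application behind the PEP."""
    if normpath(request.path) == "/app/crash":
        return Response(500, {"Content-Type": "text/html", "Server": "Apache Tomcat/9"},
                        "java.lang.NullPointerException\n"
                        "    at ch.example.App.run(App.java:42)\n")
    return Response(200, {"Content-Type": "text/html",
                          "Set-Cookie": "JSESSIONID=backend-session; Path=/"},
                    "<html>hello from " + request.path + "</html>")


PEP = ReverseProxyPEP(demo_backend)

if __name__ == "__main__":
    user = frozenset({ALLOW_ROLE})
    for req in (Request("/app/home", user, True), Request("/app/home", frozenset(), True),
                Request("/app/../admin", user, True), Request("/app/crash", user, True)):
        resp = PEP.handle(req)
        print(req.path, "->", resp.status, sorted(resp.headers), resp.body[:40])
```

The path check normalises and matches whole segments because a prefix filter is only as good as its canonicalisation; the response sanitiser is what the text means by "no stack traces or backend cookies are passed to the browser", and it deliberately stops short of content inspection, which remains the WAF's job.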