Skip to main content

Humifortis

Adaptive authentication and identity risk control on top of your existing IAM.

Humifortis sits between your authentication layer and your applications. It watches every login, evaluates the risk in real time, and tells your IAM system whether to let the user through, challenge them with MFA, or block the session — without replacing anything you already have.


On-Premise Deployment — First-Class Option

Humifortis runs entirely on your own infrastructure. No cloud dependency, no data leaving your environment. Docker Compose or bare-metal, air-gapped environments included. This is not a secondary option — it is the primary way most teams deploy it.

Self-Hosted Deployment Guide


What It Does in a Nutshell

SituationWhat Humifortis Does
Login from a Tor exit nodeBlocks the session automatically
Same user from two countries 10 min apartFlags impossible travel → triggers MFA challenge
8 failed logins then sudden successBrute-force detected → blocks session
New device on a sensitive accountStep-up authentication triggered
Keycloak login succeeds, risk score is HIGHConnector returns BLOCK — Keycloak does not issue a token

The decision happens in under 100 ms, inline with the login flow.


How It Works

Your Users


[Keycloak / any IdP]
│ ← Connector installed as a plugin
│ → Sends login event to Humifortis
│ ← Gets back: Allow / Challenge MFA / Block


[Your Applications]
  1. Event arrives — login, MFA result, password change, session start
  2. Humifortis scores it — canonical signals + derived detectors (geo, velocity, device fingerprint, threat intel)
  3. Playbook runs — first matching rule fires an action: ALLOW, CHALLENGE_MFA, BLOCK, LOCK_ACCOUNT, REVOKE_OTHER_SESSIONS
  4. Result enforced — the connector acts on the decision inside your existing IAM, no policy logic on its side

Core Concepts

Risk Score (0–100)

Every identity carries a continuous score. It climbs when bad signals arrive, drops when trust is confirmed (e.g. MFA success), and slowly decays back to baseline when nothing suspicious happens.

Signals

Evidence that shifts the score:

  • Canonical — built-in standardized events (AUTH_LOGIN_FAILED, AUTH_MFA_SUCCESS, AUTH_IMPOSSIBLE_TRAVEL, …)
  • Derived — computed from patterns: velocity bursts, geo anomalies, device fingerprint shifts, Tor/VPN/proxy detection

Playbook

A prioritized rule list. When a score crosses a threshold, the first matching rule fires an action. Fully configurable in the UI — no code changes.

CAEP

Once a session is already open, Humifortis can push a signed Security Event Token to revoke or challenge it in real time — even while the user is mid-session.


What Humifortis Is NOT

  • ❌ Not a replacement for Keycloak, Okta, Auth0, or Active Directory
  • ❌ Not a SIEM — it does not store raw logs for compliance
  • ❌ Not a WAF — it does not inspect HTTP traffic
  • ✅ It is a risk intelligence layer on top of your existing IAM that makes authentication adaptive

Deployment Options

Self-Hosted (On-Premise)

Deploy on your own servers, private cloud, or Kubernetes. Docker Compose included. Your data never leaves your network.

  • ✅ Full data sovereignty
  • ✅ Air-gapped environments supported
  • ✅ On-premise or private cloud
  • ✅ Open-core — free to run

SaaS (Managed)

Fully managed. No infrastructure to maintain. Multi-tenant with strict isolation.

  • ✅ Zero infrastructure overhead
  • ✅ Automatic updates
  • ✅ Usage-based pricing
  • ✅ Enterprise SLA available

Compatible IAM Systems

SystemIntegrationStatus
KeycloakNative JAR connector — inline enforcement✅ Production
Any REST systemDirect API event push✅ Available
Custom applicationsREST API / webhooks✅ Available
Okta, Auth0Event push via API🔜 Connector coming
Active DirectoryAgent-based🔜 Planned

Next Steps