Humifortis
Adaptive authentication and identity risk control on top of your existing IAM.
Humifortis sits between your authentication layer and your applications. It watches every login, evaluates the risk in real time, and tells your IAM system whether to let the user through, challenge them with MFA, or block the session — without replacing anything you already have.
Humifortis runs entirely on your own infrastructure. No cloud dependency, no data leaving your environment. Docker Compose or bare-metal, air-gapped environments included. This is not a secondary option — it is the primary way most teams deploy it.
What It Does in a Nutshell
| Situation | What Humifortis Does |
|---|---|
| Login from a Tor exit node | Blocks the session automatically |
| Same user from two countries 10 min apart | Flags impossible travel → triggers MFA challenge |
| 8 failed logins then sudden success | Brute-force detected → blocks session |
| New device on a sensitive account | Step-up authentication triggered |
| Keycloak login succeeds, risk score is HIGH | Connector returns BLOCK — Keycloak does not issue a token |
The decision happens in under 100 ms, inline with the login flow.
How It Works
Your Users
│
▼
[Keycloak / any IdP]
│ ← Connector installed as a plugin
│ → Sends login event to Humifortis
│ ← Gets back: Allow / Challenge MFA / Block
│
▼
[Your Applications]
- Event arrives — login, MFA result, password change, session start
- Humifortis scores it — canonical signals + derived detectors (geo, velocity, device fingerprint, threat intel)
- Playbook runs — first matching rule fires an action:
ALLOW,CHALLENGE_MFA,BLOCK,LOCK_ACCOUNT,REVOKE_OTHER_SESSIONS - Result enforced — the connector acts on the decision inside your existing IAM, no policy logic on its side
Core Concepts
Risk Score (0–100)
Every identity carries a continuous score. It climbs when bad signals arrive, drops when trust is confirmed (e.g. MFA success), and slowly decays back to baseline when nothing suspicious happens.
Signals
Evidence that shifts the score:
- Canonical — built-in standardized events (
AUTH_LOGIN_FAILED,AUTH_MFA_SUCCESS,AUTH_IMPOSSIBLE_TRAVEL, …) - Derived — computed from patterns: velocity bursts, geo anomalies, device fingerprint shifts, Tor/VPN/proxy detection
Playbook
A prioritized rule list. When a score crosses a threshold, the first matching rule fires an action. Fully configurable in the UI — no code changes.
CAEP
Once a session is already open, Humifortis can push a signed Security Event Token to revoke or challenge it in real time — even while the user is mid-session.
What Humifortis Is NOT
- ❌ Not a replacement for Keycloak, Okta, Auth0, or Active Directory
- ❌ Not a SIEM — it does not store raw logs for compliance
- ❌ Not a WAF — it does not inspect HTTP traffic
- ✅ It is a risk intelligence layer on top of your existing IAM that makes authentication adaptive
Deployment Options
Self-Hosted (On-Premise)
Deploy on your own servers, private cloud, or Kubernetes. Docker Compose included. Your data never leaves your network.
- ✅ Full data sovereignty
- ✅ Air-gapped environments supported
- ✅ On-premise or private cloud
- ✅ Open-core — free to run
SaaS (Managed)
Fully managed. No infrastructure to maintain. Multi-tenant with strict isolation.
- ✅ Zero infrastructure overhead
- ✅ Automatic updates
- ✅ Usage-based pricing
- ✅ Enterprise SLA available
Compatible IAM Systems
| System | Integration | Status |
|---|---|---|
| Keycloak | Native JAR connector — inline enforcement | ✅ Production |
| Any REST system | Direct API event push | ✅ Available |
| Custom applications | REST API / webhooks | ✅ Available |
| Okta, Auth0 | Event push via API | 🔜 Connector coming |
| Active Directory | Agent-based | 🔜 Planned |