We also have a discussion going on this topic on Pomerium’s (the identity-aware proxy in question) forum.