QUESTION
Can WAF be used to protect a web application that requires a user to authenticate with a third-party identity provider before accessing any of the resources?
Motivation for asking the question
I would like my custom application to be protected by a firewall so that I can create rules that will protect my application from nefarious requests. When I read about WAF, it sounded like the right solution. I became concerned when I read that WAF must be used in conjunction with AWS CloudFront, and CloudFront can only cache publicly accessible content. I began to wonder if CloudFront's limitation on caching private content would prevent my WAF rules from being applied to requests destined for private content.
Background Information
I have created a custom web application that is hosted on an AWS EC2 instance. The web application contains dynamic content and supports HTTP GET/OPTIONS/POST/PUT/DELETE verbs. The custom web application requires every user to authenticate with an identity provider. If an unauthenticated user tries to access a resource, their browser will redirect to a publicly accessible sign-in page hosted by the web application. From the sign-in page, the user may choose an identity provider. Once the identity provider has been chosen, the user's browser will be redirected to the identity provider's login dialog, where they will be prompted to enter their credentials. Once authenticated, they will be redirected back to the requested resource within the web application.