--- title: Pomerium Enterprise lang: en-US sidebarDepth: 0 meta: - name: keywords content: >- pomerium overview identity-access-proxy beyondcorp zero-trust reverse-proxy ztn zero-trust-networks console enterprise scale --- # What is Pomerium ## Overview? Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked-in. Pomerium gateways both internal and external requests, and can be used in situations where you'd typically reach for a VPN. Pomerium can be used to: - provide a **single-sign-on gateway** to internal applications. - enforce **dynamic access policy** based on **context**, **identity**, and **device state**. - aggregate access logs and telemetry data. - perform delegated user authorization for service-based authorization systems: - [Istio](/guides/istio.md) - [Google Cloud](/guides/cloud-run.md) - provide unified identity attestation for upstream services: - [Kubernetes](/guides/kubernetes.md) - [Grafana](/guides/istio.md#pomerium-configuration) - [Custom applications](/docs/topics/getting-users-identity.md) - provide a **VPN alternative**. ## Demo To make this a bit more concrete, click the image thumbnail to see a short youtube demo: [![demo](https://img.youtube.com/vi/ddmrkvBSO60/0.jpg)](https://www.youtube.com/watch?v=ddmrkvBSO60 "Pomerium demo") The above video shows the flow for both an unauthorized and authorized user. 1. An **unauthorized** user authenticates with their corporate single-sign-on provider. 2. The **unauthorized** user is blocked from a protected resource. 3. The **unauthorized** user signs out from their session. 4. An **authorized** user authenticates with their corporate single-sign-on provider. 5. Pomerium delegates and grants access to the requested resource. 6. The **authorized** user inspects their user details including group membership.