mirror of https://github.com/pomerium/pomerium.git synced 2025-05-01 19:36:32 +02:00

History

Cuong Manh Le c910196364 docs/docs: update upgrading to mention redis storage backend (#1172 ) Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>		2020-08-01 11:20:07 -07:00
..
community	Merge remote-tracking branch 'origin/master' into feature/envoy	2020-05-18 17:10:10 -04:00
identity-providers	docs: document service account requirements (#999 )	2020-06-25 19:32:36 -04:00
quick-start	docs: refactor sections, consolidate examples (#1164 )	2020-07-30 11:02:14 -07:00
topics	docs: rename docs/reference to docs/topics (#1182 )	2020-08-01 10:00:14 -07:00
background.md	docs: update background (#505 )	2020-02-15 12:17:10 -08:00
CHANGELOG.md	internal/controlplane: using envoy strip host port matching (#1126 )	2020-07-22 23:51:57 +07:00
FAQ.md	docs: add faq / troubleshooting guide (#361 )	2019-10-10 11:03:00 -07:00
readme.md	Fix small typo (#836 )	2020-06-07 07:46:47 -04:00
releases.md	deployment: prepare 0.9.0 (#798 )	2020-05-30 18:07:57 -07:00
upgrading.md	docs/docs: update upgrading to mention redis storage backend (#1172 )	2020-08-01 11:20:07 -07:00

readme.md

title

lang

sidebarDepth

Overview

What is Pomerium?

Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked-in. Pomerium gateways both internal and external requests, and can be used in situations where you'd typically reach for a VPN.

Pomerium can be used to:

provide a single-sign-on gateway to internal applications.
enforce dynamic access policy based on context, identity, and device state.
aggregate access logs and telemetry data.
a VPN alternative.

Architecture

System Level

Pomerium sits between end users and services which require strong authentication. After verifying identity with your identity provider (IdP), Pomerium uses a configurable policy to decide how to route your user's request and if they are authorized to the service.

Component Level

Pomerium is composed of 3 logical components:

Proxy Service
- All user traffic flows through the proxy
- Initiates authentication flow to Authentication service as needed
- Verifies all requests with Authentication service
- Processes policy to determine external/internal route mappings
Authentication Service
- Handles authentication flow to your IdP as needed
- Handles identity verification after initial Authentication
Authorization Service
- Processes policy to determine permissions for each service
- Handles authorization check for all user sessions

In production deployments, it is recommended that you deploy each component separately. This allows you to limit external attack surface, as well as scale and manage the services independently.

In test deployments, all three components may run from a single binary and configuration.

Authentication Flow

Pomerium's internal and external component interactions during full authentication from a fresh user are diagramed below.

After initial authentication to provide a session token, only the authorization interactions occur.

In action

To make this a bit more concrete, see the following short video which demonstrates:

An unauthorized user authenticating with their corporate single-sign-on provider (in this case Google)
The unauthorized user being blocked from a protected resource.
The unauthorized user signing out from their session.
An authorized user authenticating with their corporate single-sign-on provider.
Pomerium delegating and granting access to the requested resource.
The authorized user inspecting their user details including group membership.