I’m using Azure AD as my identity provider. I followed Azure AD | Pomerium and am able to log in and view authenticate.example.com/.pomerium. However, when I configure a route with `allowed_domains`, I get 403 Forbidden (the Pomerium page, not my app’s) when accessing that route (after successfully logging in).
I would like to support logins from multiple Azure AD tenants, so I enabled multitenant on my registered application. I’ve configured my route with `allowed_domains` containing the email domain of my Azure user, my Azure AD tenant ID, and an alternate domain (xxx.onmicrosoft.com). All of these are met with 403 Forbidden as above.
A route configured with `allow_any_authenticated_user: true` works OK.
Access to be allowed.
- Pomerium version 0.17.3
- Linux, kubernetes, helm chart 31.1.7
```yaml
idp_provider: azure
# other idp config provided via env vars
routes:
  - from: https://app.example.com
    prefix: /debug/httpbin
    prefix_rewrite: /
    to: http://httpbin.httpbin
    allow_any_authenticated_user: true
    pass_identity_headers: true
  - from: https://app.example.com
    to: http://app
    allowed_domains: ["example.com", "< Azure AD tenant UUID >", "xxx.onmicrosoft.com"]
    pass_identity_headers: true
  - from: https://authenticate.example.com
    to: https://pomerium-authenticate.default.svc.cluster.local
    allow_public_unauthenticated_access: true
```
The logs from pomerium-authorize contain:
Summary: everything works when I configure `allow_any_authenticated_user: true`. But I’m not sure what to put in `allowed_domains` to restrict to certain Azure AD domains (tenants?). I turned on debug-level logging, but I don’t see anything that suggests what the current domain of my logged-in user actually is.
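One way to find out what domain the user actually has, as an added example that is not part of the original post and not Pomerium’s own code: since the routes above set `pass_identity_headers: true`, the upstream app receives a `X-Pomerium-Jwt-Assertion` header carrying the session claims. The snippet below decodes such a token’s payload for inspection (signature deliberately not verified; verify it against the authenticate service’s JWKS before trusting it for any decision), extracts the `email` claim, and applies the check I assume `allowed_domains` performs, namely a comparison against the domain part of the email address. That assumption is mine; the sample token is constructed here and is not a real Azure AD or Pomerium token.

```python
import base64
import json
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.

    Inspection only: use it to see which claims (email, sub, ...) Pomerium
    actually forwarded, never as an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def email_domain(claims: dict) -> Optional[str]:
    """Domain part of the email claim, lower-cased; None if absent or malformed."""
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower()


def domain_allowed(claims: dict, allowed_domains: Iterable[str]) -> bool:
    """Assumed allowed_domains semantics: exact match on the email domain.

    A tenant UUID or a *.onmicrosoft.com alias therefore only matches if the
    email claim itself ends in that string.
    """
    domain = email_domain(claims)
    if domain is None:
        return False
    return domain in {d.strip().lower() for d in allowed_domains}


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned-looking token for the demonstration."""
    header = {"alg": "ES256", "typ": "JWT"}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"not-a-real-signature"),
    ]
    return ".".join(segments)


# Constructed sample claims; real tokens carry more fields and a real signature.
SAMPLE_TOKEN = make_sample_token(
    {
        "iss": "authenticate.example.com",
        "sub": "00000000-0000-0000-0000-000000000000",
        "email": "alice@example.com",
        "exp": 1700000000,
    }
)


if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("email domain:", email_domain(claims))
    for candidate in ["example.com", "< Azure AD tenant UUID >", "xxx.onmicrosoft.com"]:
        print(f"{candidate!r}: {domain_allowed(claims, [candidate])}")
```

To use it against a live session, log the `X-Pomerium-Jwt-Assertion` header in the upstream app (or curl the route with your browser’s `_pomerium` cookie) and pass that value to `jwt_claims`; if the `email` claim is missing, an email-domain check cannot match regardless of what `allowed_domains` contains.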