Concept: allow anyone to access my SSO for user ID after verifying device

As I was configuring Pomerium route and policy according to my own requirements, it got me thinking whether my approach makes sense.

We use SAML SSO to log in to Google Workspace, and into our own product. However, our SSO is exposed to the public internet. I want to enable a technical solution to restrict opening our SSO page only to approved devices (I will set up the required inventory systems separately), so I need to configure device verification in Pomerium. Sounds like IAP is a suitable choice for this.

While configuring, I realised that Pomerium needs to integrate with an identity provider. So I cannot restrict access to our SSO without people identifying into said SSO. (And on top of that, Pomerium does not integrate with SAML.)

Even if I used Google as our IdP, logging into Google is performed via our SAML SSO, which I want to protect from non-employees.

tl;dr: IAP must verify device ID before allowing user to access SSO page.

So is my approach wrong then?

Please see the request lifecycle section in the Pomerium docs.

The authorization decision happens after you have completed all sign-ins.
Currently you cannot really bypass interacting with IdP.

That said, Google Workspace is a supported IdP. It is true you cannot interact with Pomerium with SAML though.

Some ideas:

  • Set your Google Workspace as an IdP for Pomerium
  • make a route and put your app behind Pomerium, including its sign-in page
  • put a policy on that route that only authenticated users FROM YOUR DOMAIN may pass, and also require device identity
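The three steps in the reply above, written out as a Pomerium `config.yaml`. This is an added illustration, not configuration from the original post or from the Pomerium project; the hostnames, the `example.com` domain, the Google OAuth client values and the device ID are placeholders you would replace with your own. The `domain` and `device` criteria are Pomerium Policy Language criteria; the device ID is the value a user obtains after enrolling their device through Pomerium's WebAuthn enrollment flow.

```yaml
# Added example: a minimal Pomerium config sketching the reply's three ideas.
# Not from the original post or the Pomerium project. All values are placeholders.

authenticate_service_url: https://authenticate.example.com   # placeholder host

# Step 1: Google Workspace is the identity provider for Pomerium itself,
# so the IdP interaction happens against Google, not against your SAML SSO.
idp_provider: google
idp_client_id: <google-oauth-client-id>          # placeholder
idp_client_secret: <google-oauth-client-secret>  # placeholder

routes:
  # Step 2: the product, including its SAML sign-in page, sits behind Pomerium.
  - from: https://app.example.com        # placeholder public hostname
    to: http://app-internal:8080         # placeholder upstream

    # Step 3: only a Workspace user from your domain AND an enrolled device may pass.
    # Both branches of the `and` must be satisfied; a valid Google login from an
    # unenrolled laptop is denied, and so is an enrolled laptop with a foreign account.
    policy:
      - allow:
          and:
            - domain:
                is: example.com                  # placeholder Workspace domain
            - device:
                is: <enrolled-device-id>         # placeholder; one `device: is:` per approved device
```

Because every device must be listed explicitly with `device: is:` in this form, the inventory system you mentioned becomes the source of truth for that list; multiple approved devices are expressed as an `or` of several `device: is:` entries inside the `and`. The SAML sign-in page is never reachable without first passing both checks, which is the ordering you were after.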