As I was configuring Pomerium route and policy according to my own requirements, it got me thinking whether my approach makes sense.
We use SAML SSO to log in to Google Workspace and to our own product. However, our SSO is exposed to the public internet. I want to enable a technical solution to restrict opening our SSO page to approved devices only (I will set up the required inventory systems separately), so I need to configure device verification in Pomerium. Sounds like IAP is a suitable choice for this.
While configuring, I realised that Pomerium needs to integrate with an identity provider. So I cannot restrict access to our SSO without people identifying into said SSO. (And on top of that, Pomerium does not integrate with SAML.)
Even if I used Google as our IdP, logging in to Google is performed via our SAML SSO, which I want to protect from non-employees.
tl;dr: IAP must verify device ID before allowing user to access SSO page.
So is my approach wrong then?