Issue Description
We have deployed Pomerium and up to now everything works great!
There is one configuration we are currently struggling with, which is described below.
Additional Information:
- We have IngressOne: ingressOne.somedomain.com
- We have IngressTwo: ingressTwo.somedomain.com
- We have a Backend service that:
  - Is configured to use Google SSO
  - After authenticating via SSO redirects users to IngressOne
- We have a Pomerium deployment that:
  - Is configured to use Google SSO
- We have a Pomerium IngressTwo that acts as a proxy for IngressOne
Architectural Diagram
Before Pomerium
+-------------+      +---------+
| Ingress One |=---> | Backend |      # Ingress One is not publicly accessible
+-------------+      +----+----+
                          |
                          |
                          |      # Before Pomerium
+------------+            |
| Google IdP |------------+
+------------+
After Pomerium
+------------+
| Google IdP |------------+
+------------+            |
                          |
                          |      # After Pomerium
                          |
+-------------+      +----+-----+      +-------------+      +---------+
| Ingress Two |=---> | Pomerium |=---> | Ingress One |=---> | Backend |
+-------------+      +----------+      +-------------+      +---------+
- Pomerium successfully redirects the user to the Backend, that is IngressTwo -> IngressOne
- The backend does not understand the identity header that we pass via Pomerium
- After Pomerium authorizes the user, the user can log in using the backend's sign-in button
- Doing so will redirect the user to IngressOne, which is not publicly accessible
Redirect Information
GET .../auth?client_id=redacted.apps.googleusercontent.com&...&redirect_uri=<<IngressOne>>...
Pomerium Annotations
cert-manager.io/issuer: letsencrypt-prod
ingress.pomerium.io/pass_identity_headers: "true"
ingress.pomerium.io/policy: '[{"allow":{...}}]'
ingress.pomerium.io/secure_upstream: "true"
Cookies Info
Pomerium
_pomerium=<redacted>; csrf_token_<redacted>; ory_kratos_continuity=<redacted>
Backend
csrf_token_<redacted>; ory_kratos_continuity=<redacted>; ory_kratos_session=<redacted>; m…lbn<redacted>
What’s your environment like?
- Pomerium version (retrieve with pomerium --version): 0.17.3
- Server Operating System/Architecture/Cloud: EKS (1.21.12)
Helm Configuration
authenticate:
  ingress:
    annotations:
      cert-manager.io/issuer: "${letsEncryptIssuer}"
    tls:
      secretName: authenticate.${clusterName}.aws.metrika.co-tls
  existingTLSSecret: pomerium-tls
  idp:
    provider: "${provider}"
    clientID: "${clientID}"
    clientSecret: "${clientSecret}"
    serviceAccount: "${serviceAccount}"
  proxied: false
proxy:
  existingTLSSecret: pomerium-tls
databroker:
  existingTLSSecret: pomerium-tls
  storage:
    connectionString: rediss://pomerium-redis-master.pomerium.svc.cluster.local
    type: redis
    clientTLS:
      existingSecretName: pomerium-tls
      existingCASecretKey: ca.crt
authorize:
  existingTLSSecret: pomerium-tls
redis:
  enabled: true
  auth:
    enabled: false
    usePassword: false
  generateTLS: false
  tls:
    certificateSecret: pomerium-redis-tls
ingressController:
  enabled: ${ingressController}
ingress:
  enabled: false
config:
  sharedSecret: "${sharedSecret}"
  cookieSecret: "${cookieSecret}"
  rootDomain: ${clusterName}.${domain}
  existingCASecret: pomerium-tls
  signingKey: "${signingKey}"
  generateTLS: false
  generateSigningKey: false
Backend Ingress Configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: letsencrypt-prod
    ingress.pomerium.io/pass_identity_headers: "true"
    ingress.pomerium.io/policy: '[{"allow":{"or":[...]}}]'
    ingress.pomerium.io/secure_upstream: "true"
  name: sso-backend-0
  namespace: pomerium
spec:
  ingressClassName: pomerium
  rules:
  - host: <redacted>
    http:
      paths:
      - backend:
          service:
            name: backend-0
            port:
              number: 443
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - <redacted>
    secretName: backend-0-pomerium.tls
What did you expect to happen?
We did not expect anything in particular, but we wish to find a solution for this. We understand that it is not a Pomerium limitation.
Question
- We have an application that authenticates with Google SSO. Can we use Pomerium in front of that application?