Do you need to maintain both ingresses?
Can you just keep one ingress that is publicly accessible and modify the redirect url of your backend application to use it?
The users would still need to click (sign in) button of your application if it cannot be modified to consult the Pomerium assertion JWT, but as original Google cookies are not stripped, they would likely not need to enter their password again.
