Is your feature request related to a problem? Please describe.
A free Cloudflare Argo (Zero Trust) Tunnel can be configured to tunnel traffic into your network. The benefit of this approach is that the authentication & traffic filtering happens on Cloudflare's edge, instead of in your own secure network. Only authenticated traffic will pass through into your infrastructure.
However, Cloudflare Zero Trust is not an ideal solution for managing access policies for a variety of distinct applications, so it would make sense for Cloudflare to authenticate the user and forward all traffic to Pomerium to determine which application to route to and whether the user has access. In this setup, users will be required to log in to the IdP twice: once at Cloudflare's edge to get into the internal infrastructure, and then again at Pomerium to access the various applications.
Describe the solution you'd like
If the Cloudflare tunnel terminates at a Pomerium server, it will pass the Cf-Access-Jwt-Assertion header, which is a JWT containing the email of the authenticated user.
It would be ideal if Pomerium could handle this header, validate that the JWT is authentic, and consider that the user has already authenticated with the IdP, rather than requiring the user to log in to the IdP twice. If the header is not present, then the traffic is likely local (not through the cf tunnel) and Pomerium should still force users to log in to the IdP.
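The check the request above asks for, written out as an added example in Go (Pomerium's own language). It is not Pomerium's or Cloudflare's code: it verifies a Cf-Access-Jwt-Assertion against a caller-supplied RS256 public key, checks issuer, audience and expiry, and falls through to the normal IdP login only when the header is absent. The issuer, AUD tag, key id, the sample request and the MintRS256 helper that stands in for Cloudflare's edge are assumptions made so the demo runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// AccessVerifier holds what Pomerium would need before trusting a Cf-Access-Jwt-Assertion:
// Cloudflare's RS256 public keys (published at the team's /cdn-cgi/access/certs endpoint;
// the caller loads them here), the expected issuer, and the AUD tag of the Access
// application that fronts Pomerium.
type AccessVerifier struct {
	Keys   map[string]*rsa.PublicKey // public keys by JWT "kid"
	Issuer string                    // e.g. https://<team>.cloudflareaccess.com
	Aud    string
}

type accessClaims struct {
	Email string   `json:"email"`
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"` // Cloudflare emits aud as an array of AUD tags
	Exp   int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Verify returns the authenticated email or an error. The algorithm is pinned (so
// "alg":"none" and HMAC key-confusion tokens fail) and the signature is checked before
// any claim is trusted.
func (v *AccessVerifier) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	plRaw, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return "", errors.New("malformed JWT")
	}
	pub, ok := v.Keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return "", fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c accessClaims
	if err := json.Unmarshal(plRaw, &c); err != nil {
		return "", err
	}
	if c.Iss != v.Issuer || !contains(c.Aud, v.Aud) {
		return "", errors.New("issuer or audience mismatch")
	}
	if c.Email == "" || c.Exp == 0 || time.Now().Unix() >= c.Exp {
		return "", errors.New("missing email claim or expired token")
	}
	return c.Email, nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// IdentityFromRequest is the fall-through the issue describes: no header means the request
// did not arrive through the tunnel, so the caller starts the normal IdP login; a header
// that is present but fails validation is rejected rather than silently downgraded.
func (v *AccessVerifier) IdentityFromRequest(r *http.Request) (email string, viaCloudflare bool, err error) {
	tok := r.Header.Get("Cf-Access-Jwt-Assertion")
	if tok == "" {
		return "", false, nil
	}
	if email, err = v.Verify(tok); err != nil {
		return "", false, err
	}
	return email, true, nil
}

// MintRS256 stands in for Cloudflare's edge so the demo runs offline (not Cloudflare code).
func MintRS256(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key; production uses Cloudflare's certs
	v := &AccessVerifier{Keys: map[string]*rsa.PublicKey{"demo-kid": &key.PublicKey},
		Issuer: "https://example.cloudflareaccess.com", Aud: "demo-aud-tag"}
	req, _ := http.NewRequest("GET", "https://app.internal/", nil) // constructed sample request
	req.Header.Set("Cf-Access-Jwt-Assertion", MintRS256(key, "demo-kid", map[string]any{
		"email": "alice@example.com", "iss": v.Issuer, "aud": []string{v.Aud},
		"exp": time.Now().Add(5 * time.Minute).Unix()}))
	fmt.Println(v.IdentityFromRequest(req)) // alice@example.com true <nil>
}
```

Two points a practitioner would want beyond the request itself. First, the absence of the header is not what protects local traffic: anyone who can reach Pomerium directly can set Cf-Access-Jwt-Assertion themselves, so the signature, issuer and audience checks are the whole security boundary, and a token that is present but invalid should be rejected rather than treated as "no header". Second, Cloudflare rotates its signing keys, so the Keys map has to be refreshed from the certs endpoint rather than loaded once.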