Pomerium
Pomerium is an identity-aware access proxy and policy engine (identity and access management) that enforces Zero Trust access controls to internal web applications and services based on user identity and context.
- Reverse proxy for identity-aware access to internal web apps and APIs (access proxy)
- Policy-driven access control using context such as identity, group, device, and time (authorization / policy engine)
- Integration with external identity providers via OpenID Connect (OIDC) and related protocols (federated identity)
- Support for securing access across on-premises (on-prem), cloud, and hybrid environments without exposing applications directly to the internet (Zero Trust network access)
- Configuration-as-code and Policy-as-Code (PaC) workflows via declarative configuration files and infrastructure tooling (infrastructure as code)
More About Pomerium
Pomerium is an identity-aware access proxy (identity and access management) that applies Zero Trust principles to access internal web applications and services. It sits in front of HTTP-based resources and enforces authentication and authorization based on user identity, context, and centrally defined policies, instead of relying on network location or VPN-based perimeter controls.
The core capability of Pomerium is its reverse proxy layer (access proxy), which brokers requests between end users and upstream applications. When traffic flows through Pomerium, it authenticates users via external identity providers using protocols such as OIDC (federated identity), obtains identity and group information, and then evaluates that information against policy rules before forwarding or denying the request. This enables Single Sign-On (SSO) and consistent access policy enforcement across multiple internal services without modifying the applications themselves.
Pomerium includes a policy engine (authorization) that uses declarative rules to express who can access what under which conditions. Policies can reference user identity, group membership, request paths, Hypertext Transfer Protocol (HTTP) methods, and contextual attributes such as device or time where configured. This supports granular access control patterns such as Just-In-Time (JIT) access, least-privilege segmentation, and environment-specific authorization controls. Policies are typically managed as code and stored alongside infrastructure configuration.
From an architecture perspective, Pomerium is usually deployed as a set of services in Kubernetes, virtual machines, or other infrastructure platforms (cloud infrastructure). It terminates Transport Layer Security (TLS) connections (network security), interacts with identity providers, and forwards requests to upstream services using standard HTTP(S) and gRPC where applicable (application networking). Enterprises use it to front internal dashboards, admin panels, developer tools, and other web-based line-of-business systems that should not be exposed directly on the public internet.
Pomerium integrates with identity providers that support OIDC and related standards (federated authentication), which allows organizations to rely on existing user directories and multi-factor authentication flows. Its configuration model (configuration-as-code) makes it compatible with GitOps workflows, Continuous Integration and Continuous Deployment (CI/CD) pipelines, and Infrastructure-as-Code (IaC) tools where policies and routes are version-controlled and reviewed. In multi-environment or multi-tenant settings, teams can define separate routes and policies per environment while still using a shared control plane.
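The route, identity-provider, and policy model described above, as a single declarative configuration file. This is an added example written for this page, not configuration taken from the page or from the Pomerium project; the hostnames, the OIDC issuer URL, the group names, and the certificate paths are assumptions chosen for illustration, and the commented-out route shows the weak "any logged-in user" policy beside the group-scoped policy that replaces it.

```yaml
# Illustrative Pomerium config.yaml (added example; not the project's own sample).
# All hostnames, the IdP issuer, group names, and file paths are assumptions.

address: ":443"

# Public endpoint that drives the OIDC login flow for every route below.
authenticate_service_url: https://authenticate.corp.example.com   # assumed hostname

# Federated identity via a generic OIDC provider (assumed issuer URL).
idp_provider: oidc
idp_provider_url: https://idp.corp.example.com
idp_client_id: pomerium
idp_client_secret: ${IDP_CLIENT_SECRET}   # supply from a secret store, never commit

# Secrets shared between Pomerium services and used for session cookies
# (base64 of 32 random bytes each; generated out of band).
shared_secret: ${SHARED_SECRET}
cookie_secret: ${COOKIE_SECRET}

# TLS is terminated at the proxy.
certificate_file: /etc/pomerium/tls/fullchain.pem
certificate_key_file: /etc/pomerium/tls/privkey.pem

routes:
  # Weak form, kept only to show the pattern to avoid: any user who can
  # complete the IdP login reaches the admin panel.
  # - from: https://admin.corp.example.com
  #   to: http://admin-panel.internal:8080
  #   policy:
  #     allow:
  #       and:
  #         - authenticated_user: true

  # Corrected form: scope by domain and group, and give read-only access
  # to a wider group while reserving non-GET methods for administrators.
  - from: https://admin.corp.example.com
    to: http://admin-panel.internal:8080
    pass_identity_headers: true        # upstream receives the signed identity assertion
    policy:
      allow:
        or:
          - and:
              - domain:
                  is: corp.example.com
              - groups:
                  has: platform-admins
          - and:
              - domain:
                  is: corp.example.com
              - groups:
                  has: ops-readonly
              - http_method:
                  is: GET
      deny:
        or:
          # Debug endpoints are never reachable through the proxy, for anyone.
          - http_path:
              prefix: /debug

  # Second environment served from the same control plane: same shape,
  # different upstream and a narrower group.
  - from: https://admin.staging.corp.example.com
    to: http://admin-panel.staging.internal:8080
    policy:
      allow:
        and:
          - domain:
              is: corp.example.com
          - groups:
              has: platform-admins-staging
```

Started with `pomerium -config config.yaml`, the proxy answers for the `from` hostnames (which must resolve to it in DNS), sends unauthenticated users through the OIDC flow at the authenticate URL, and only forwards to the `to` upstream when a request matches an `allow` rule and no `deny` rule. Two points the file alone does not enforce: the upstream should be reachable only from the proxy (network policy, firewall, or service mesh rule), otherwise the policy can be bypassed by going around it; and with `pass_identity_headers` enabled the upstream can additionally verify the signed JWT Pomerium attaches in the `X-Pomerium-Jwt-Assertion` header against the authenticate service's published signing keys, so that a request claiming to come from the proxy cannot be forged from inside the network.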
For directory and taxonomy purposes, Pomerium fits into categories including Zero Trust network access, identity-aware proxy, reverse proxy, and policy-based access control for web applications. It interacts closely with identity and access management systems, TLS certificate management, and application networking stacks, providing a centralized enforcement point for enterprise web access policy.