November 5, 2020 - Patrick Kerwood

Pomerium, Single Sign-on with OpenID Connect

This tutorial is a how-to on setting up a Single Sign-on/OpenID Connect proxy with Pomerium, in front of your application using Docker Compose and Traefik.

OpenID Connect is a great way of utilizing Single Sign-on to avoid managing local user accounts on your web application and/or enhancing security. I've used Keycloak Gatekeeper (opens new window) before to achieve the same goal, but have stumbled upon Pomerium which solves the same challange but without having to maintain a Keycloak instance. That's what makes Pomerium a bit simpler and easier to maintain.

Even though the use case here for Pomerium is really simple, you can actually split it up in different services for high availability. Or instead for proxying traffic through Pomerium you can have the authentication service split out, like in the example below.

The different service modes are.

  • All (The all-in-one mode which I am using in this tutorial)
  • Authenticate
  • Authorize
  • Cache
  • Proxy (opens new window)

# Docker Compose

As usual I have included the necessary Traefik configuration to set it up with my standard Traefik setup. (opens new window)

In this setup I use Traefik, as I always do, as "front" proxy taking care of certificates, routing, etc. The traffic to will be routed through Pomerium and on to the hello world application. If you are not authenticated, Pomerium will redirect you to the identity provider, which will redirect you back efter you have logged in.

You need to choose an identity provider. Pomerium has some great documentation on how to setup your provider, (opens new window). In this example I use Google.

In below Docker Compose file we need to change a couple of things.

  • Create a secret for the COOKIE_SECRET variable. Use head -c32 /dev/urandom | base64 to generate it.
  • Replace the IDP_* variables with the provider you chose.
  • Change the AUTHENTICATE_SERVICE_URL to your public application URL. (All-in-one mode)
  • Change the Traefik label ..Host('') to your public application URL.

The only thing left is to define the routes. There are two ways you can configure Pomerium, using a config file or using environment variables. Personally I like to keep my configuration in my compose file. That makes it much easier moving and re-use the same compose/configuration file.

The thing with the routes is that it's multiline, but luckily the developers has made it possible to base64 encode it and provide it in an environment variable, which is what we will do here.

Below is a simple example of a Pomerium Route. It forwards traffic from to the docker container hello-world on port 3000. You can find more route examples on their documentation site. (opens new window)

- from:
  to: http://hello-world:3000
    - allow:
          - email:
          - domain:

Save the route as routes.yml, base64 encode it and save the output to the ROUTES variable in the compose file.

base64 -w 0 routes.yml

Here's the example Docker Compose file.



version: "3.8"

    external: true

    image: pomerium/pomerium:latest
    container_name: pomerium
    restart: unless-stopped
      INSECURE_SERVER: "true"
      ADDRESS: :80
      COOKIE_SECRET: cookie-secret-here
      IDP_PROVIDER: google
      IDP_CLIENT_SECRET: xxxxxxxxxxxxxxxxxxx
      ROUTES: LSBmcm9tOiBodHRwczovL2hlbGxvLmV4YW1wbGUub3JnCiAgdG86IGh0dHA6Ly9oZWxsby13b3JsZDozMDAwCiAgYWxsb3dlZF91c2VyczoKICAgIC0gdXNlQGV4YW1wbGUub3JnCg==
      - traefik-proxy
      - pomerium
      - traefik.enable=true
      - traefik.http.routers.pomerium.rule=Host(``)
      - traefik.http.routers.pomerium.tls.certresolver=le
      - traefik.http.routers.pomerium.entrypoints=websecure

    image: kerwood/hello-world
    container_name: hello-world
    restart: unless-stopped
      - 3000
      - pomerium

# References (opens new window)

Found a bug? Help me improve this page!
Last Commit: