# Identity Provider Configuration

Pomerium provides single-sign-on authentication and user identity details by integrating with your downstream Identity Provider (IdP) of choice. That authentication integration is achieved using OAuth2, and OpenID Connect (opens new window) (OIDC). Where available, Pomerium also supports pulling additional data (like groups) using directory synchronization. An additional API token is required for directory sync.

The steps for integrating Pomerium with an IdP are specific to each provider, but they generally share the same base requirements:

  • A Redirect URL (opens new window) pointing back to Pomerium. For example, https://${authenticate_service_url}/oauth2/callback.
  • A Client ID and Client Secret.
  • An optional Service Account for additional IdP Data. This enables Pomerium administrators to write policies around groups.
    • Depending on the IdP, a service account may have its own client id and secret, or require an API token. Pomerium handles this by accepting values for idp_service_account as a base64-encoded json object with the correct key/value pairs for each IdP supported.

The subsequent pages in this section provide specific instructions for the IdPs Pomerium supports.

Last Updated: 8/20/2021, 4:20:29 PM

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. Pomerium is a registered trademark.