- 10 Jul 2024
Integrate Credential Intelligence with Auth0 on the Fastly Enforcer
- Updated on 10 Jul 2024
If your organization uses HUMAN's Fastly Enforcer to dictate how traffic should be handled as well as Auth0 to authenticate users, then you can integrate Credential Intelligence with Auth0 on the Fastly Enforcer so HUMAN can continue to monitor authenticated activity. You can learn how to complete this setup in this article.
Prerequisites
- Your Auth0 API key.
- Your HUMAN Application ID. You can find this under Platform Settings > Applications > Overview in the HUMAN console.
Setup
To complete the integration, you must finish the following:
- Configure Fastly as a reverse proxy
- Install the Fastly Enforcer
- Add the Enforcer to Auth0's login page
Configure Fastly as a reverse proxy
To start, you must configure Fastly as a reverse proxy for your Auth0 tenant. This is achieved by using custom domains.
1. Follow Auth0's help article, Configure Custom Domains with Auth0-Managed Certificates, and save the following information for later in the process:
   - The Origin Domain Name
   - The cname-api-key value
2. Follow Fastly's instructions in the section Creating a new CDN Service in their help article. While completing these steps, update the following fields accordingly:
   - In the Host field, enter the Origin Domain Name from Step 1.
   - Enable the Override default host setting.
3. Activate your Fastly CDN service.
4. Select the service you just created.
5. Create two unique Fastly Snippets with the following configurations. You can learn how to create a Fastly Snippet in their help article.
   - Create the first Snippet to enable the true-client-ip header with the following fields:
     - Type: Select Within subroutines > recv (vcl_recv)
     - VCL: Enter
           set req.http.True-Client-IP = client.ip;
     - Advanced Option > Priority: 90
   - Create the second Snippet to set the cname-api-key HTTP header with the following fields (using the cname-api-key value from Step 1):
     - Type: Select Within subroutines > pass (vcl_pass)
     - VCL: Enter
           set bereq.http.cname-api-key = "<CNAME_API_KEY_VALUE>";
     - Advanced Option > Priority: 100
6. Save and activate the service.
7. Test that the service is working in your Auth0 account by navigating to Branding > Custom Domains and selecting Test.
It may take some time for the service to fully propagate across your network. If the test fails, then wait a few minutes and try again.
Install the Fastly Enforcer
Next, you need to install and set up the Fastly Enforcer.
If you have already installed the Fastly Enforcer, then you can edit the existing px_configs file with the listed configurations instead.
1. Complete the steps in our Fastly Enforcer installation article.
2. Before uploading your files to your Fastly account, add the following configurations and values to the px_configs file:
   - px_login_credentials_extraction_enabled: true
   - px_login_successful_reporting_method: status
   - px_login_successful_status: 302
3. Depending on whether your Auth0 login is single-step or multi-step, you need to include an additional set of configurations. If you're not sure which one your organization uses, or if your organization wants to change the number of steps in the future, you can include both sets of configurations.
   - If your login is single-step:
         method_0: post
         pass_field_0: password
         user_field_0: username
         path_0: /u/login
         sent_through_0: body
   - If your login is multi-step:
         method_1: post
         pass_field_1: password
         user_field_1: username
         path_1: /u/login/password
         sent_through_1: body
4. Save the file and continue on to upload all the necessary files to your Fastly account.
Your Enforcer has been installed with the necessary configuration to work with Auth0. You can validate the Enforcer was integrated correctly by following the steps in our help article.
Add the Enforcer to Auth0's login page
Now that your Enforcer is properly configured, you need to update your organization's Auth0 login page with the Enforcer. To do so, make the following API call to Auth0. Make sure you update <APP_ID> with your HUMAN Application ID.
    # update <APP_ID> with your Application ID
    curl --request PUT \
      --url 'https://<YOUR_DOMAIN>/api/v2/branding/templates/universal-login' \
      --header 'authorization: Bearer <YOUR_AUTH0_KEY>' \
      --header 'content-type: text/html' \
      --data '<!DOCTYPE html><html><script type="text/javascript">(function(){ var s = document.createElement("script"); var p = document.getElementsByTagName("script")[0]; s.src = "/<APP_ID>/init.js"; p.parentNode.insertBefore(s,p);}());</script><head>{%- auth0:head -%}</head><body>{%- auth0:widget -%}</body></html>'
After a successful response, navigate to your Auth0 login page. Depending on your customizations, you may need to update your CSS or other settings to maintain your organization's design.
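A pre-flight check for the API call above, as an added example that is not part of the original article or of HUMAN's or Auth0's tooling: it renders the template for one Application ID, confirms the init.js path and both Auth0 template tags are present, and sends the request with the bearer token passed to curl on stdin rather than as a command-line argument. The function names, the AUTH0_DOMAIN and AUTH0_TOKEN variables, the sample ID and the alphanumeric-only rule for the Application ID are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, env var names and the sample ID are assumptions.

# Render the article's template for one Application ID.
render_template() {
  app_id=$1
  # Assumption: the ID is alphanumeric. Anything else could break out of the
  # quoted s.src string in the inline script, so refuse it.
  case $app_id in
    ''|*[!A-Za-z0-9]*) echo "invalid application id" >&2; return 1 ;;
  esac
  printf '%s' '<!DOCTYPE html><html><script type="text/javascript">(function(){ var s = document.createElement("script"); var p = document.getElementsByTagName("script")[0]; s.src = "/'"$app_id"'/init.js"; p.parentNode.insertBefore(s,p);}());</script><head>{%- auth0:head -%}</head><body>{%- auth0:widget -%}</body></html>'
}

# Verify the template loads init.js from the right path and keeps both Auth0 tags.
check_template() {
  html=$1; want_id=$2; rc=0
  for needle in "s.src = \"/$want_id/init.js\"" '{%- auth0:head -%}' '{%- auth0:widget -%}'; do
    case $html in
      *"$needle"*) ;;
      *) echo "missing: $needle" >&2; rc=1 ;;
    esac
  done
  case $html in
    *'<APP_ID>'*) echo "placeholder <APP_ID> was not replaced" >&2; rc=1 ;;
  esac
  return $rc
}

# Send the template. The bearer token reaches curl through a config read from
# stdin, so it does not appear in curl's arguments in the process list.
push_template() {
  tpl=$(render_template "$1") && check_template "$tpl" "$1" || return 1
  tmp=$(mktemp) || return 1
  printf '%s' "$tpl" > "$tmp"
  printf 'header = "authorization: Bearer %s"\n' "$AUTH0_TOKEN" |
    curl --fail --silent --show-error --config - --request PUT \
      --url "https://$AUTH0_DOMAIN/api/v2/branding/templates/universal-login" \
      --header 'content-type: text/html' --data-binary "@$tmp"
  status=$?; rm -f "$tmp"; return $status
}

# Offline demonstration with a constructed ID (no request is sent).
tpl=$(render_template EXAMPLEAPPID1) && check_template "$tpl" EXAMPLEAPPID1 && echo "template ok"
```

To send the request, export AUTH0_DOMAIN and AUTH0_TOKEN and call push_template with your Application ID; nothing is sent if either check fails.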
You have successfully set up Credential Intelligence to monitor traffic on your Auth0-managed login page with the Fastly Enforcer.