The HUMAN Security Apigee Edge Enforcer installation process has three steps:
JS-ConfigureAndInitialize.xml file inside the preflow-enforce Shared Flow Bundle.

The HUMAN Enforcer must be configured with a minimum of an application ID, authentication token, and cookie secret. The configuration can be found in the preflow-enforce Shared Flow Bundle, inside the JS-ConfigureAndInitialize.xml policy.

All configurations (other than custom functions) should be added as properties to this policy.
The HUMAN Enforcer Shared Flow Bundles uploaded in the previous section can now be invoked via a FlowCallout policy in any API Proxy, or even in another Shared Flow. Follow the steps below to integrate the HUMAN Enforcer using FlowCallout policies.

FC-PreflowEnforce, select the preflow-enforce shared flow from the drop-down, and click Create.
postflow-enforce and postclientflow-enforce shared flows. The policies should be named FC-PostflowEnforce and FC-PostclientflowEnforce.
FC-PreflowEnforce.xml
FC-PostflowEnforce.xml
FC-PostclientflowEnforce.xml
FC-PreflowEnforce policy and click Add.
FC-PostflowEnforce and FC-PostclientflowEnforce policies. These should be added to the Response PostFlow and Response PostClientFlow sections, respectively.
These FlowCallout policies should be the very first step in each of their sections. All other policies should come as steps after these policies are invoked.
Example Proxy Endpoint XML File
If you are adding these FlowCallout steps to a custom Shared Flow rather than directly to an API Proxy, make sure that the Shared Flows are invoked in the proper sections as well (Request PreFlow, Response PostFlow, and Response PostClientFlow).
As with any Shared Flow Bundle, it is possible to trigger the preflow-enforce and postflow-enforce bundles as flow hooks in your desired environment. Rather than create and invoke the FC-PreflowEnforce and FC-PostflowEnforce policies as described above, you can simply select the two Shared Flow Bundles as Pre-proxy and Post-proxy hooks, respectively.
However, since there is no flow hook for the PostClientFlow, the postclientflow-enforce Shared Flow Bundle must still be triggered on all applicable API Proxies via a FlowCallout policy (FC-PostclientflowEnforce) as described above.

By default, 4xx and 5xx responses from the target endpoint trigger Fault Rules. It’s important to ensure that the PostflowEnforce Flow Callout policy is still invoked in these cases. Failing to do so may affect the detection effectiveness and Credential Intelligence capabilities.
If you have any Fault Rules in your flow, the HUMAN PostflowEnforce Flow Callout policy must be called in all relevant Fault Rules. After every FaultRules section in your flow, add the HUMAN PostflowEnforce Flow Callout policy as a DefaultFaultRule:
Alternatively, these 4xx and 5xx codes may be added as success codes to the TargetEndpoint configuration to avoid triggering the Fault Rules entirely.
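An added example, not part of HUMAN's documentation: a Python check that a ProxyEndpoint file places the three FlowCallout policies first in their sections and, when Fault Rules are present, also calls FC-PostflowEnforce from the DefaultFaultRule. The sample XML and the VA-VerifyKey policy name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed ProxyEndpoint; VA-VerifyKey is a hypothetical downstream policy.
SAMPLE_ENDPOINT = """<ProxyEndpoint name="default">
  <FaultRules><FaultRule name="target-error"/></FaultRules>
  <DefaultFaultRule name="human-postflow">
    <Step><Name>FC-PostflowEnforce</Name></Step>
  </DefaultFaultRule>
  <PreFlow><Request>
    <Step><Name>FC-PreflowEnforce</Name></Step>
    <Step><Name>VA-VerifyKey</Name></Step>
  </Request></PreFlow>
  <PostFlow><Response><Step><Name>FC-PostflowEnforce</Name></Step></Response></PostFlow>
  <PostClientFlow><Response><Step><Name>FC-PostclientflowEnforce</Name></Step></Response></PostClientFlow>
</ProxyEndpoint>"""

# (section path, policy that must be the first Step in that section)
REQUIRED_FIRST = [
    ("PreFlow/Request", "FC-PreflowEnforce"),
    ("PostFlow/Response", "FC-PostflowEnforce"),
    ("PostClientFlow/Response", "FC-PostclientflowEnforce"),
]

def steps(root, path):
    """Policy names attached to a section, in execution order."""
    return [n.text.strip() for n in root.findall(f"{path}/Step/Name") if n.text]

def audit_endpoint(xml_text):
    """Return a list of findings; an empty list means placement is correct."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, policy in REQUIRED_FIRST:
        found = steps(root, path)
        if policy not in found:
            findings.append(f"{path}: {policy} is missing")
        elif found[0] != policy:
            findings.append(f"{path}: {policy} is not the first step (first is {found[0]})")
    # 4xx/5xx target responses trigger Fault Rules, so the callout is needed there too.
    if root.find("FaultRules") is not None and \
            "FC-PostflowEnforce" not in steps(root, "DefaultFaultRule"):
        findings.append("DefaultFaultRule: FC-PostflowEnforce is missing")
    return findings

if __name__ == "__main__":
    for finding in audit_endpoint(SAMPLE_ENDPOINT) or ["OK: enforcer callouts are placed correctly"]:
        print(finding)
```

Running the same check against each exported ProxyEndpoint file before deployment catches a proxy where another policy was inserted ahead of the enforcer callout.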