Hashing supports secure data transmission and is used to verify the integrity of messages. If attributes are used in plain text in an authorization policy, there is a possibility of a data privacy violation. It is always a good idea to use a hash so that no identifiable data is revealed during transmission, via logs or in any other way.

In this example we will calculate a SHA256 hash from the SSO session ID and the user's email address to produce a verifiable correlating identifier with reasonable privacy properties, using the expression language API.

...

  • Program to verify:
    You can use the PowerShell program provided below to verify the SHA values in their different formattings.
    It can be helpful to backtrack entries from logs to plain text data in case of troubleshooting.

```powershell
# Sample inputs: the SSO session ID and the user's email address
$id = "_e1e08e0a0004c455f88531a9a2660830926effb7"
$email = "testuser@ubidemo.com"

# Build the hash input as UTF-8(id) || 0x00 || UTF-8(email);
# the single zero byte separates the two fields unambiguously
$buf = [System.IO.MemoryStream]::new()
$w = [System.IO.BinaryWriter]::new($buf)
$w.Write([System.Text.Encoding]::UTF8.GetBytes($id))
$w.Write([byte]0)
$w.Write([System.Text.Encoding]::UTF8.GetBytes($email))
$w.Flush()

# SHA256 digest (32 bytes) of the buffer
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$digest = $sha256.ComputeHash($buf.ToArray())

# Formatting 1: the full digest as Base64
Write-Output ([System.Convert]::ToBase64String($digest))

# Formatting 2: the first 16 bytes of the digest rendered as a GUID
$t = $digest
[array]::Resize([ref]$t, 16)
Write-Output ([guid]::new($t).ToString())
```
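For troubleshooting on a machine without PowerShell, the same computation can be reproduced in Python. The block below is an added example, not part of the original page or of the expression language API; it assumes the byte layout of the PowerShell program above (UTF-8 session ID, one zero byte, UTF-8 email) and reproduces the .NET GUID formatting, which reads the first three groups of the 16 bytes as little-endian integers rather than as plain hex. The sample values and the helper names (`correlation_digest`, `formatted_values`, `matches_logged_value`) are constructed for this example.

```python
import base64
import hashlib
import uuid

# Constructed sample inputs, the same values as the PowerShell program above
SAMPLE_SESSION_ID = "_e1e08e0a0004c455f88531a9a2660830926effb7"
SAMPLE_EMAIL = "testuser@ubidemo.com"


def correlation_digest(session_id: str, email: str) -> bytes:
    """SHA256 over UTF-8(session_id) || 0x00 || UTF-8(email).

    The single zero byte separates the two fields, so shifting characters
    across the boundary ("ab"+"c" versus "a"+"bc") yields different input.
    """
    h = hashlib.sha256()
    h.update(session_id.encode("utf-8"))
    h.update(b"\x00")
    h.update(email.encode("utf-8"))
    return h.digest()


def dotnet_guid_string(first16: bytes) -> str:
    """Render 16 bytes the way .NET's Guid(byte[]) constructor does.

    .NET interprets the first 4+2+2 bytes as little-endian integers, so the
    textual GUID is not the plain hex of the bytes. Python's
    uuid.UUID(bytes_le=...) uses exactly that layout.
    """
    if len(first16) != 16:
        raise ValueError("GUID form needs exactly 16 bytes")
    return str(uuid.UUID(bytes_le=first16))


def formatted_values(session_id: str, email: str) -> dict:
    """All log-friendly encodings of one correlation identifier."""
    digest = correlation_digest(session_id, email)
    return {
        "base64": base64.b64encode(digest).decode("ascii"),  # full 32 bytes
        "hex": digest.hex(),                                  # full 32 bytes
        "guid": dotnet_guid_string(digest[:16]),              # first 16 bytes
    }


def matches_logged_value(logged: str, session_id: str, email: str) -> bool:
    """Troubleshooting check: does a value copied from a log line belong to
    this (session_id, email) pair, whichever of the encodings was logged?"""
    candidates = formatted_values(session_id, email)
    logged = logged.strip()
    return (
        logged == candidates["base64"]
        or logged.lower() == candidates["hex"]
        or logged.lower().strip("{}") == candidates["guid"]
    )


if __name__ == "__main__":
    for name, value in formatted_values(SAMPLE_SESSION_ID, SAMPLE_EMAIL).items():
        print(f"{name}: {value}")
```

Running the script prints the Base64 and GUID forms, which should be identical to the two lines the PowerShell program writes for the same inputs; `matches_logged_value` lets you confirm a suspected session/email pair against a value taken from a log without having to know which formatting was used.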

...