Authorization Policy Example : SHA256 hash from SSO session ID and user's email address

Hashing supports the security of data transmission and is used to verify the integrity of secure messages. If attributes are used in plain text in an authorization policy, there is a possibility of a data privacy violation. It is always a good idea to use a hash so that no identifiable data is revealed during transmission, via logs, or in any other way.

In this example we will calculate a SHA-256 hash from the SSO session ID and the user's email address to produce a verifiable correlating identifier with reasonable privacy properties, using the expression language API.

For more details about the expression language API, please refer to the documentation in our portal here : https://ubisecuredev.atlassian.net/l/c/yNGzPCg0

In this example, sso.id is the session ID and method.email is the user's email address.

  • Expressions to get session ID and email address :

    Session ID : ${attribute.name("sso.id").values(sso.id)}
    Result : _e1e08e0a0004c455f88531a9a2660830926effb7

    Email address : ${attribute.name("method.email").values(method.email)}
    Result : testuser@ubidemo.com

  • Expression to get sha256 with base64 formatting :

    ${attribute.name("sha256").values(sha256.text(sso.id).zero().text(method.email))}
    Result : Ityonry8LFdTE4hBMWv0OUTksynqvl/FUJZoL3vK3Wk=

  • Expression to get sha256 with guid formatting :

    ${attribute.name("guid").values(sha256.text(sso.id).zero().text(method.email).guid)}
    Result : 9ea8dc22-bcbc-572c-5313-8841316bf439
  • SSO Management Console :

  • Program to verify :
    You can use the PowerShell program provided below to verify the SHA-256 values with the different formattings.
    It can be helpful for backtracking log entries to their plain-text data when troubleshooting.

  • How to Run :
    1. Save the program as script.ps1 on your Windows machine.
    2. Open Windows PowerShell and run the program using command

  • Result of program :
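The following Python script is an added example and is not the PowerShell program referred to above, nor part of the Ubisecure product. It reproduces the two renderings from the worked example: the base64 form of the full digest and the guid form, which takes the first 16 digest bytes laid out the way .NET's Guid(byte[]) constructor does (first three fields little-endian). That layout is confirmed by converting the page's base64 result into the page's guid result. The hash input itself is an assumption: the script treats sha256.text(sso.id).zero().text(method.email) as SHA-256 over the UTF-8 bytes of the session ID, a single 0x00 separator byte, and the UTF-8 bytes of the email address. The backtrack helper shows the troubleshooting use case, matching a hash seen in a log against known (session ID, email) pairs.

```python
import base64
import hashlib
import uuid

# Constructed sample input: the session ID and email address from the worked example above.
SESSION_ID = "_e1e08e0a0004c455f88531a9a2660830926effb7"
EMAIL = "testuser@ubidemo.com"

# Reference outputs quoted on the page; the guid is a rendering of the same digest bytes.
PAGE_BASE64 = "Ityonry8LFdTE4hBMWv0OUTksynqvl/FUJZoL3vK3Wk="
PAGE_GUID = "9ea8dc22-bcbc-572c-5313-8841316bf439"


def correlation_digest(session_id: str, email: str) -> bytes:
    """SHA-256 over UTF-8(session_id) || 0x00 || UTF-8(email).

    ASSUMPTION: the policy expression sha256.text(a).zero().text(b) feeds the hash
    exactly these bytes. The 0x00 separator is what keeps the pair ("ab", "c") and
    the pair ("a", "bc") from producing the same identifier.
    """
    h = hashlib.sha256()
    h.update(session_id.encode("utf-8"))
    h.update(b"\x00")
    h.update(email.encode("utf-8"))
    return h.digest()


def to_base64(digest: bytes) -> str:
    """Base64 rendering of the full 32-byte digest (44 characters including padding)."""
    return base64.b64encode(digest).decode("ascii")


def to_guid(digest: bytes) -> str:
    """Guid rendering: the first 16 digest bytes in .NET Guid(byte[]) layout, i.e. the
    4-byte, 2-byte and 2-byte leading fields little-endian and the last 8 bytes in
    order. uuid.UUID's bytes_le keyword implements exactly that layout."""
    return str(uuid.UUID(bytes_le=digest[:16]))


def guid_from_base64(b64: str) -> str:
    """Convert a logged base64 hash into the guid form without knowing the plain text."""
    return to_guid(base64.b64decode(b64))


def backtrack(logged_value: str, candidates):
    """Troubleshooting helper: given a value seen in a log (base64 or guid form) and
    (session_id, email) pairs taken from the session store, return the pair that
    produced it, or None. The hash is one-way, so only known pairs can be matched."""
    logged = logged_value.strip()
    for session_id, email in candidates:
        digest = correlation_digest(session_id, email)
        if logged == to_base64(digest) or logged.lower() == to_guid(digest):
            return (session_id, email)
    return None


if __name__ == "__main__":
    digest = correlation_digest(SESSION_ID, EMAIL)
    print("base64 :", to_base64(digest))
    print("guid   :", to_guid(digest))
    print("matches page base64 result :", to_base64(digest) == PAGE_BASE64)
    print("guid derived from page base64 :", guid_from_base64(PAGE_BASE64))
```

Run it with python3 script.py. If the computed base64 value equals the page's result, the assumption about the hash input is confirmed; if not, the zero() separator or the text encoding differs from what the script assumes, and the guid_from_base64 line still shows that the guid form is simply the first half of the digest in .NET Guid byte order.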