How to use Secret from IDN custom connector


I have been working with a custom connector in house for a little bit and one issue I’ve not been able to get past is using the client_secret when entered into the IDN source when the field type is password. When I go to use it within my code it comes out encrypted like below:

"clientSecret": "2_{\"KEY\":\"RandomString/RandomString/RandomString\",\"SECRET\":\"RandomStringOfCharaceters\"}",

Anyone know how to make it so I can use the secret within my API calls within my custom connector? I’m using Java with with OKHttp3 to make the request.


Sorry for the belated reply here. I can answer this for you.

When you make a custom connector, there are actually two parts to an encrypted field. One is doing exactly what you are doing, and making sure the form field sets encrypted values. This encrypts passwords when they are entered and the data gets stored as cipher-text.

You are seeing this cipher-text in the CCG file.

When these values go down to the Virtual Appliance, the CCG (what runs the connectors) needs to know what fields are encrypted (it doesn’t have access to the form), so it can decrypt the payload and send to the connector. All decryption happens in the VA. Since yours doesn’t have that configured, you just get a string with cipher-text.

In order to configure this, you just need to set an attribute in your connector’s attributes with a key called “encrypted” and then set the value to be a CSV list of all of the fields which are encrypted. The CCG will refer to this list and go an decrypt these encrypted fields.

Here are some examples if you were to look at this configured in a source via our v3 source APIs this looks something like this:

Workday Example:

        "id": "2c9180837568cea1017576896bf64cc2",
        "name": "Workday",
        "created": "2020-10-29T22:45:18.966Z",
        "modified": "2020-12-01T17:36:06.375Z",
        "description": "Workday",
        "type": "Workday",
        "connector": "workday",
        "connectorClass": "sailpoint.connector.OpenConnectorAdapter",
        "connectorAttributes": {
            "encrypted": "provisioningPassword,clientSecret,refreshToken",

Azure Active Directory Example:

        "id": "2c91808a7a5e9ce7017a5e9fe2e0002b",
        "name": "AAD",
        "created": "2021-06-30T20:32:54.496Z",
        "modified": "2021-06-30T20:32:58.752Z",
        "description": "AAD",
        "type": "Azure Active Directory",
        "connector": "azure-active-directory",
        "connectorClass": "sailpoint.connector.AzureADConnector",
        "connectorAttributes": {
            "encrypted": "clientSecret,IQServicePassword,clientCertificate,privateKeyPassword,private_key,refresh_token", 

That worked perfectly, and such a simple solution to the problem. It makes perfect sense, thank you Neil!