Storing sensitive data in workflows

narendra_kadali · March 25, 2024, 2:45pm

Hello All,

We are implementing workflows in SailPoint IdentityNow. One of the workflow action is to make an external API call, and as part of the authentication process, we need to pass two custom headers (API key and API token).

Due to this, we are using custom authentication and configured API key as header (as part of authentication) and configured API token as part of the request headers section. Anything mentioned under the request headers section is stored in plain text. Can we store it as secret or sensitive data?

I also explored defining it as a variable, but I don’t see any way to mark the data in the variable as sensitive data.

Have you faced a similar scenario before and found a solution to this problem? Please let me know your thoughts.

Thanks!

Sachin_Rajathadri · March 25, 2024, 8:03pm

Hi @narendra_kadali,

Welcome to the developer community.

I found this link online

Hope this helps!

mcorsillo_bose · March 26, 2024, 7:52pm

The preview for this link is misleading.

The credentials stored in the HTTP Request are not output in logs or the like. It’s unclear whether they’re encrypted, but per @colin_mckibben’s response in that thread, The HTTP Request action received a major update a few months back that introduced secrets management. Therefore, the issue referenced in that post is no longer valid. HTTP Request can now secure credentials from being output in scripts and logs.

colin_mckibben · March 26, 2024, 8:54pm

Welcome to the Developer Community Narendra!

The only way to encrypt data in workflows, at this time, is to use the authentication dropdown in the HTTP Request action. It looks like the custom authorization option only allows one encrypted header. You would put the most sensitive data in this header, and then put any other headers needed for authentication in the plain text headers section. In your example, I think you have this setup as best as you can given the current features of workflows. Your API token is probably more sensitive than the key, so you store it in the custom authorization header.

Then, you put your API key as a plain text header

I agree, however, that workflows needs to allow for encrypting more types of data. I have opened a ticket for this enhancement request. (PLTWRKFLW-4181)

Topic		Replies	Views
There currently is no mechanism to secure data in an HTTP request. If you put sensitive information in the headers, like secrets and tokens, it will be output to the logs ISC Discussion and Questions workflows , apis , identity-security-cloud	7	468	July 19, 2023
OAuth2 HTTP Request in Workflow ISC Discussion and Questions workflows	4	615	July 19, 2023
IdentityNow (IDN) Sensitive Source Headers - API ISC Discussion and Questions	7	1713	July 19, 2023
Workflows: Use HTTP Request to authenticate to OAuth endpoint ISC Discussion and Questions workflows , identity-security-cloud	11	903	July 19, 2023
IDN Workflow Http request Custom Authorization - Header Value as variable ISC Discussion and Questions apis , identity-security-cloud	3	167	March 18, 2024

Storing sensitive data in workflows

Related Topics