We are implementing workflows in SailPoint IdentityNow. One of the workflow actions is to make an external API call, and as part of the authentication process, we need to pass two custom headers (API key and API token).
Due to this, we are using custom authentication and configured the API key as a header (as part of authentication) and configured the API token as part of the request headers section. Anything mentioned under the request headers section is stored in plain text. Can we store it as secret or sensitive data?
I also explored defining it as a variable, but I don’t see any way to mark the data in the variable as sensitive data.
Have you faced a similar scenario before and found a solution to this problem? Please let me know your thoughts.
The credentials stored in the HTTP Request are not output in logs or the like. It’s unclear whether they’re encrypted, but per @colin_mckibben’s response in that thread, the HTTP Request action received a major update a few months back that introduced secrets management. Therefore, the issue referenced in that post is no longer valid. HTTP Request can now secure credentials from being output in scripts and logs.
The only way to encrypt data in workflows, at this time, is to use the authentication dropdown in the HTTP Request action. It looks like the custom authorization option only allows one encrypted header. You would put the most sensitive data in this header, and then put any other headers needed for authentication in the plain text headers section. In your example, I think you have this setup as best as you can given the current features of workflows. Your API token is probably more sensitive than the key, so you store it in the custom authorization header.
Then, you put your API key as a plain text header.
I agree, however, that workflows needs to allow for encrypting more types of data. I have opened a ticket for this enhancement request. (PLTWRKFLW-4181)