timchengappa
Saviynt Employee

Use Case

Provisioning AD user mailboxes in Microsoft Exchange Server using an OOTB REST connector, and securely storing the password used in the PowerShell script in a custom attribute.

If the system integrators (SI) choose to go with the OOTB WinConnector, that connector has an attribute called 'PSSCRIPT_PASSWORD' which securely encrypts the password required by the PowerShell script. The value can then be referenced within the PowerShell script as '${PSSCRIPT_PASSWORD}' in the createAccountJSON, the updateAccountJSON, or wherever else you pass the PowerShell script in the JSON.

This article explains how to achieve the same with the REST connector, instead of passing the password required by the PowerShell script in plaintext.


Pre-requisites

For this specific use case, a Windows Server must be configured and the PowerShell script must be tested successfully directly from the Windows Server itself. Please see Understanding the Integration between EIC and Windows Server for more details.
 
Custom attributes can also be defined in the REST connector outside of this use case, where a Windows Server is not required.



Applicable Version(s)

All

Solution

The REST connector does not have an attribute called 'PSSCRIPT_PASSWORD' as the WinConnector does. Instead, the REST connector lets you define a custom attribute in the connection params section and assign the password to it. That variable can then be referenced from the PowerShell script in the createAccountJSON, UpdateAccountJSON, etc., instead of providing the password in plaintext. Because every value in the ConnectionParams is always masked, the password used by the PowerShell script is masked as well. Sample below...

Defining a custom attribute (PS_Password) in the Connection JSON.

{
  "authentications": {
    "acctAuth": {
      "authType": "Basic",
      "url": "<URL>",
      "httpMethod": "POST",
      "httpParams": {},
      "httpHeaders": {},
      "httpContentType": "text/html",
      "properties": {
        "userName": "<<USERNAME>>/token",
        "password": "<<PASSWORD>>"
      },
      "expiryError": "ExpiredAuthenticationToken",
      "authError": [
        "InvalidAuthenticationToken",
        "AuthenticationFailed"
      ],
      "timeOutError": "Read timed out",
      "PS_Password": "<password>",
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "tokenType": "Basic",
      "accessToken": "Basic <<TOKEN>>",
      "apiRateLimitConfig": {
        "retryAfterCalls": 100,
        "retryWaitSeconds": 60
      }
    }
  }
}

In the above JSON, a custom attribute named 'PS_Password' has been defined to hold the credential. This custom attribute from the connection JSON can now be referenced in any of the provisioning JSONs through the connection object, as ${connection.PS_Password}.

Example:
{
  "accountIdPath": "accountName",
  "responseColsToPropsMap": {},
  "call": [{
    "name": "call1",
    "connection": "userAuth",
    "url": "https://hostname.com/SaviyntApp/PS/ExecutePSScript",
    "httpMethod": "POST",
    "httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String '${connection.PS_Password}';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'dev\\\\\\\\svc_sampletext_dev',\\$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.xxxxx.xxxx.xx/powershell' -Credential \\$mycred -Authentication Basic -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'testDB'}\"}",
    "httpHeaders": {
      "Authorization": "${access_token}"
    },
    "httpContentType": "application/json",
    "SuccessResponses": {
      "": [
        "Success"
      ]
    },
    "unsuccessResponses": {
      "responseMessage": [
        "\"Failed\"",
        "\"Powershell script taking too long Sample input: Invoke-Command -ComputerName \\\"COMPNAME\\\" -ScriptBlock {command to execute} -Credential $Cred\""
      ]
    }
  }]
}
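As an added check (my own example, not Saviynt code), the Python below parses a provisioning JSON like the one above and reports, for each REST call, whether the password handed to convertto-securestring comes from a ${connection.<attribute>} binding or from a literal, which ${...} bindings the script depends on (so the matching custom attribute is known to exist in the connection JSON), and whether the session options switch off certificate validation. The sample input is the article's createAccountJSON with an opening brace added; the plaintext variant is constructed with a made-up placeholder. It assumes the single-quoted -String '...' form shown in the article and does not resolve the escaped `$` characters or the bindings, which the connector substitutes at runtime.

```python
import json
import re

# Constructed sample input: the createAccountJSON fragment from this article,
# copied verbatim with the opening brace added so it parses as one document.
SAMPLE_PROVISIONING_JSON = r'''{
  "accountIdPath": "accountName",
  "responseColsToPropsMap": {},
  "call": [{
    "name": "call1",
    "connection": "userAuth",
    "url": "https://hostname.com/SaviyntApp/PS/ExecutePSScript",
    "httpMethod": "POST",
    "httpParams": "{\"Script\":\"\\$sAMAccName = '${user.username}';\\$pass = convertto-securestring -AsPlainText -Force -String '${connection.PS_Password}';\\$mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist 'dev\\\\\\\\svc_sampletext_dev',\\$pass;invoke-command -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.xxxxx.xxxx.xx/powershell' -Credential \\$mycred -Authentication Basic -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck) -scriptblock {Enable-Mailbox -Identity \\$Using:sAMAccName -Database 'testDB'}\"}",
    "httpHeaders": {
      "Authorization": "${access_token}"
    },
    "httpContentType": "application/json",
    "SuccessResponses": {
      "": [
        "Success"
      ]
    },
    "unsuccessResponses": {
      "responseMessage": [
        "\"Failed\"",
        "\"Powershell script taking too long Sample input: Invoke-Command -ComputerName \\\"COMPNAME\\\" -ScriptBlock {command to execute} -Credential $Cred\""
      ]
    }
  }]
}'''

# Constructed "before" variant: the same JSON with a literal in place of the
# connection binding. The value is a made-up placeholder, not a real secret.
PLAINTEXT_VARIANT = SAMPLE_PROVISIONING_JSON.replace(
    "${connection.PS_Password}", "Hardcoded-Example-Only")

# A reference to a custom connection attribute, e.g. ${connection.PS_Password}.
CONNECTION_BINDING_RE = re.compile(r"^\$\{connection\.[A-Za-z0-9_]+\}$")
# The -String argument of convertto-securestring in the single-quoted form the
# article uses (assumption: other quoting styles are not recognised).
SECURESTRING_RE = re.compile(
    r"convertto-securestring[^;]*?-String\s+'([^']*)'", re.IGNORECASE)
# Any ${...} binding the connector substitutes before the body is sent.
ANY_BINDING_RE = re.compile(r"\$\{[^}]+\}")
# New-PSSessionOption switches that disable certificate validation.
TLS_SKIP_RE = re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.IGNORECASE)


def audit_provisioning_json(text: str) -> list[dict]:
    """Report, per REST call, where the PowerShell credential comes from.

    Only the outer provisioning JSON is parsed. httpParams is kept as the raw
    template string, because its escaped '$' characters and ${...} bindings
    are resolved by the connector at runtime, not by this audit.
    """
    doc = json.loads(text)
    findings = []
    for call in doc.get("call", []):
        params = call.get("httpParams", "")
        if isinstance(params, dict):   # httpParams may also be a JSON object
            params = json.dumps(params)
        for match in SECURESTRING_RE.finditer(params):
            value = match.group(1)
            findings.append({
                "call": call.get("name"),
                "password_arg": value,
                "uses_connection_binding": bool(CONNECTION_BINDING_RE.match(value)),
                "bindings": sorted(set(ANY_BINDING_RE.findall(params))),
                "skips_tls_checks": bool(TLS_SKIP_RE.search(params)),
            })
    return findings


if __name__ == "__main__":
    for label, sample in (("article sample", SAMPLE_PROVISIONING_JSON),
                          ("plaintext variant", PLAINTEXT_VARIANT)):
        for finding in audit_provisioning_json(sample):
            print(label, json.dumps(finding, indent=2))
```

Run against the article's sample, the audit reports the password argument as the ${connection.PS_Password} binding and the plaintext variant as a literal. It also flags that the sample's New-PSSessionOption disables CA, CN and revocation checks for the Exchange remoting session; in an environment with a trusted certificate on the Exchange endpoint those switches can be dropped, which the same audit will confirm.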

References

https://docs.saviyntcloud.com/bundle/MSExchange-v2020x/page/Content/Understanding-the-Integration-to...

https://docs.saviyntcloud.com/bundle/WinPS-v2020x/page/Content/Understanding_the_Integration-between...

Comments
naveenss
All-Star

Hi @timchengappa, does this also work for REST Import JSONs? We are currently on v24.3 and I have an application for which I must store the sensitive information in the connection JSON and reference it in the ImportAccount JSON. However, it's not working.

If I hardcode the value, the import is working fine. 


Dhruv_S
Saviynt Employee

Hi @naveenss 

Could you please share the importaccountJSON, and also check whether it is giving any error in the logs? If yes, please share the error message.

Regards,

Dhruv Sharma

naveenss
All-Star

Hi @Dhruv_S, thanks for checking. I opened another forum post for this. The connection binding variable wasn't working inside the "ssl" parameter in the ImportAcctEntJSON. Hence, I took a different route. The complete solution is added below.

https://forums.saviynt.com/t5/identity-governance/rest-connector-unable-to-use-connection-binding-ob...


Version history
Last update: 04/02/2024 01:58 AM