Protect sensitive data, such as social security numbers, through obfuscation

Sensitive identity data, such as social security numbers, must be managed with respect for personal integrity and in compliance with national regulations. Such data should never be stored in plain text.

This document outlines how to create, edit, and read obfuscated ("hashed") social security number values. The functionality is pipes-based and can be used across all Fortified ID products. The same approach may be applied to other types of sensitive identity data, excluding passwords.

Create

Add these valves to the pipe responsible for creating the identity object.

In the example below, Entra ID serves as the user store, with the scrambled value saved in the user attribute faxNumber. The user has authenticated via BankID, resulting in the export variable personalNumber containing the user’s social security number.

Adjust the final valve to match your user store, attribute name, or other specific properties as needed.

  {
        "name": "CreateItem",
        "config": {
            "id": "temp_for_pnr",
            "properties": {
                "personalNumber": "{{{exports.personalNumber}}}"
            }
        }
    },
    {
        "name": "ItemPropertyHash",
        "config": {
            "name": "hash_personalNumber",
            "value": "${item.personalNumber}",
            "algorithm": "sha-1"
        }
    },
    {
        "name": "EntraIDCreateUser",
        "config": {
            "namespace": "${globals.EntraID.tenant1.namespace}",
            "ignore_error": false,
            "id_property": "id",
            "create_request_template": {
              .

                "faxNumber": "{{{item.hash_personalNumber}}}",
              .

            }
        }
    }

Edit

Add these valves to the pipe responsible for editing the identity object.

Adjust the final valve to match your user store, attribute name, or other specific properties as needed.

  {
        "name": "CreateItem",
        "config": {
            "id": "temp_for_pnr",
            "properties": {
                "personalNumber": "{{{exports.personalNumber}}}"
            }
        }
    },
    {
        "name": "ItemPropertyHash",
        "config": {
            "name": "hash_personalNumber",
            "value": "${item.personalNumber}",
            "algorithm": "sha-1"
        }
    },
    {
        "name": "EntraIDUpdateUser",
        "config": {
            "namespace": "${globals.EntraID.tenant1.namespace}",
            "ignore_error": false,
            "user_id": "{{{session.entra_identifier}}}",
            "request_template": {
              .

                "faxNumber": "{{{item.hash_personalNumber}}}",
              .

            }
        }
    }

Read (lookup)

Add these valves to the pipe responsible for reading the identity object.

Adjust the final valve to match your user store, attribute name, or other specific properties as needed.

  {
        "name": "CreateItem",
        "config": {
            "id": "temp_for_pnr",
            "properties": {
                "personalNumber": "{{{exports.personalNumber}}}"
            }
        }
    },
    {
        "name": "ItemPropertyHash",
        "config": {
            "name": "hash_personalNumber",
            "value": "${item.personalNumber}",
            "algorithm": "sha-1"
        }
    },
   {
        "name": "ExportsPut",
        "enabled": true,
        "config": {
            "name": "hash_personalNumber",
            "value": "{{{item.hash_personalNumber}}}",
            "replace": true
        }
     },
     {
        "name": "RemoveItems",
        "config": {}
     },
     {
        "name": "EntraIDListUsers",
        "config": {
            "namespace": "${globals.EntraID.tenant1.namespace}",
            "filter": "startsWith(faxNumber,'{{{exports.hash_personalNumber}}}')",
            "select": "displayName,givenName,surname,mail,userPrincipalName",
            "id_property": "id"
        }
     }

PreviousHTTPS NextReverse proxy

Last updated 6 months ago