Verifying an HMAC
  • 1 Minute to read
  • Dark
    Light

Verifying an HMAC

  • Dark
    Light

Article summary

SmarterU enables you to create custom menu items that open a new web page, or pass along user information. You have the option of passing along the current user's username. In order to provide the target web page a method for trusting the information that it's receiving, SmarterU creates an authentication string called an HMAC.

When HMAC is enabled, SmarterU generates a secret key that is unique to the custom menu item. The secret key is only known by SmarterU and the target environment. Each time a user clicks the link for a custom menu item, SmarterU applies the secret key to the URL. This generates an HMAC that is appended to the URL.

Be sure to keep store your secret key confidential. Otherwise your integration could be at risk.

Because the target environment knows the secret key, it can verify that the HMAC it receives matches the HMAC that it is expecting. If the two HMACs are identical, it indicates that the information was not tampered with on its way to the target environment.  

 Another layer of security that the target environment can implement is to expire requests to a page if the timestamp is older than a specified amount of time. For example, only accept requests if the timestamp is less than 10 minutes old. Should you choose to implement this, be sure to include the TIMESTAMP variable in your custom menu item's URL. 

Verifying the HMAC

SmarterU uses the SHA-256 algorithm to generate the HMAC. There are a number of utilities available to verify your HMAC using the input variables and your secret key.

To illustrate, suppose the URL for our custom menu item is:

https://myintranet.com/?aurid=[SU-AUR-ID]&empid=[SU-EMP-ID]&email=[SU-EMAIL]&ts=[TIMESTAMP]

With HMAC enabled for the custom menu item, a secret key is generated:

Interface gráfica do usuário, Texto, Aplicativo, Email  Descrição gerada automaticamente

Using a utility such as FreeFormatter, you can supply the input variables in alphabetical order and the secret key to determine the HMAC.

SmarterU will automatically order the variables in alphabetical order when it generates the HMAC. However, because browsers will sometimes re-order the variables, you will need to ensure the variables are listed alphabetically when validating the HMAC.

HMAC Generator 20220404



Was this article helpful?


What's Next