Create User with Imported Hashed Password from Java StrongPasswordEncryptor


#1

I’m trying to use the “Create User with Imported Hashed Password” API.

It is creating the user, but the password is not working.

Our passwords are encrypted using Java org.jasypt.util.password.StrongPasswordEncryptor. This prefixes the password with a salt then applies the SHA-256 algorithm 100000 times then prefixes the salt again.
http://www.jasypt.org/api/jasypt/1.8/org/jasypt/util/password/StrongPasswordEncryptor.html

Here is what I’ve been trying.
I take our hash (bo4ditnmyAyz1E49eZ88pr5f7G6wgQNTzp/SVihRRvN3KwbqeNqwQZS8+R0UoLwd)
I decode it from base64 to a byte array
I split the first 16 bytes off the front and base64 encode them. I use this for the salt.
The remaining bytes I base64 encode and use as the value
Here is the body of the POST to {{url}}/api/v1/users?activate=false:

{
  "profile": {
    "firstName": "First",
    "lastName": "Last",
    "email": "email@gmail.com",
    "login": "email@gmail.com"
  },
  "credentials": {
    "password": {
      "hash": {
        "algorithm": "SHA-256",
        "salt": "bo4ditnmyAyz1E49eZ88pg==",
        "saltOrder": "PREFIX",
        "value": "vl/sbrCBA1POn9JWKFFG83crBup42rBBlLz5HRSgvB0="
      }
    }
  }
}

I tried a few other things too. I tried with the whole hash above as the value. I tried giving it a workFactor of 100000, though I suspect that does nothing for SHA-256. I tried logging in before and after activating the user through the Okta UI.

Am I correct that the 100000 iterations is causing us the problem? Is there some way I need to tell Okta about the 100000 iterations? Are the iterations supported?
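
The layout described in the post above, as an added Python example that is not part of the original post and is not Jasypt or Okta code. It splits base64(salt || digest) into the two fields used in the request body and recomputes the iterated digest; the NFC normalisation, UTF-8 encoding and re-hashing of the previous digest are assumptions about how StrongPasswordEncryptor behaves, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import unicodedata

SALT_LEN = 16         # salt bytes split off the front, as in the post
ITERATIONS = 100000   # iteration count stated in the post
DIGEST_LEN = hashlib.sha256().digest_size

# Stored hash quoted in the post above.
POSTED_HASH = "bo4ditnmyAyz1E49eZ88pr5f7G6wgQNTzp/SVihRRvN3KwbqeNqwQZS8+R0UoLwd"


def split_stored_hash(stored_b64):
    """Return (salt_b64, digest_b64) from base64(salt || digest)."""
    raw = base64.b64decode(stored_b64, validate=True)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("expected a 16-byte salt followed by a 32-byte digest")
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    return base64.b64encode(salt).decode(), base64.b64encode(digest).decode()


def iterated_digest(password, salt, iterations=ITERATIONS):
    """SHA-256(salt || password), then re-hash the result iterations-1 times.

    Assumption: password is NFC-normalised and UTF-8 encoded before hashing.
    """
    msg = unicodedata.normalize("NFC", password).encode("utf-8")
    digest = hashlib.sha256(salt + msg).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_stored(password, salt, iterations=ITERATIONS):
    """Build base64(salt || digest), the stored format described in the post."""
    return base64.b64encode(salt + iterated_digest(password, salt, iterations)).decode()


def verify(password, stored_b64, iterations=ITERATIONS):
    """Constant-time check of a password against a stored salt || digest value."""
    raw = base64.b64decode(stored_b64, validate=True)
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    return hmac.compare_digest(iterated_digest(password, salt, iterations), expected)


if __name__ == "__main__":
    print(split_stored_hash(POSTED_HASH))
    salt = bytes(range(SALT_LEN))              # constructed salt
    stored = make_stored("constructed-pw", salt)
    print(verify("constructed-pw", stored))    # 100000 rounds: matches
    print(verify("constructed-pw", stored, 1)) # single round: does not match
```

A verifier that hashes salt + password only once produces a different digest from the 100000-round value, so the stored digest can only be checked by code that repeats the same number of rounds.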


#2

I’m still having trouble importing our users. https://developer.okta.com/docs/api/resources/users#create-user-with-imported-hashed-password is the endpoint I’ve been trying to use.
Any help would be appreciated.
Thanks