Hash Claims Transformation

The Hash claims transformation creates an output claim that is a hash of an input claim. A salt can be supplied through a second input claim, and a secret key belonging to the tenant must be named through an input parameter. The parameter carries only the name of the tenant key, never its value, so publishing the policy does not let an attacker who knows the input claims predict the hash.

Input claims:

  TransformationClaimType   DataType   Notes
  plaintext                 string     The string to hash
  salt                      string     The optional salt for the hash

Input parameters:

  Id                        DataType   Value
  randomizerSecret          string     The name of a tenant key

Output claims:

  TransformationClaimType   DataType   Notes
  hash                      string     The hash computed by the transformation

This example defines a ClaimsTransformation of the ‘Hash’ type with the Id ‘HashPasswordWithUserId’. The claim ‘password’ from the policy schema is hashed using the claim ‘userId’ as the salt. Because the salt is per user, two users with different userIds and the same password end up with different hashes. A malicious insider therefore cannot copy the hash of a password he knows into another user’s record and log in as that user: the copied hash was computed with the wrong salt and will not match.

In addition, the InputParameter element keys the hash with a secret created by the tenant, in this case named ‘AccountTransformSecret’. The policy references the key by name only, so its value never appears in the policy XML. As a result, even two tenants whose users share the same userId and password produce different hashes, and an attacker who obtains a hash together with the published policy cannot test candidate passwords for a given userId against it, because the hash cannot be recomputed without the secret. Both guarantees hold only for as long as the tenant key stays confidential.

The output of the transformation is written to the claim ‘hashedPassword’ in the policy schema.

<ClaimsTransformation Id="HashPasswordWithUserId" TransformationMethod="Hash">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="password" TransformationClaimType="plaintext" />
    <InputClaim ClaimTypeReferenceId="userId" TransformationClaimType="salt" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="randomizerSecret" DataType="string" Value="AccountTransformSecret" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="hashedPassword" TransformationClaimType="hash" />
  </OutputClaims>
</ClaimsTransformation>
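To make the properties described above concrete, here is an added example in Python that is not part of this page and not Azure AD B2C’s own code. B2C does not document the algorithm behind TransformationMethod="Hash", so this models the contract the policy describes rather than the real implementation: it assumes HMAC-SHA256 keyed with the tenant secret over a length-prefixed (salt, plaintext) pair, and uses a constructed in-memory dictionary as a stand-in for the tenant’s policy keys. All function names, the key value and the sample users are chosen for the example.

```python
"""Model of a salted, tenant-key-hardened hash claims transformation.

Added example, not Azure AD B2C's implementation. It reproduces the contract
of the 'HashPasswordWithUserId' transformation: the output depends on the
plaintext claim, the salt claim, and a tenant-held secret that the policy
names (randomizerSecret) but never contains.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-in for the tenant's policy key store. In B2C the value
# lives in the tenant, so publishing the policy XML does not reveal it.
TENANT_KEYS: Dict[str, bytes] = {
    "AccountTransformSecret": b"example-tenant-secret-do-not-use",
}


def hash_claim(plaintext: str, salt: Optional[str], randomizer_secret: str,
               tenant_keys: Dict[str, bytes] = TENANT_KEYS) -> str:
    """HMAC-SHA256 (an assumption for this example) over (salt, plaintext),
    keyed by the tenant secret that randomizer_secret names.

    Salt and plaintext are length-prefixed so ("ab", "c") and ("a", "bc")
    cannot produce the same message. A missing salt is treated as empty.
    """
    key = tenant_keys[randomizer_secret]  # KeyError if the policy names an unknown key
    salt_bytes = (salt or "").encode("utf-8")
    pt_bytes = plaintext.encode("utf-8")
    msg = (len(salt_bytes).to_bytes(4, "big") + salt_bytes
           + len(pt_bytes).to_bytes(4, "big") + pt_bytes)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_password(candidate: str, user_id: str, stored_hash: str,
                    randomizer_secret: str = "AccountTransformSecret") -> bool:
    """Login-time check: re-run the transformation with the user's own userId
    as salt and compare in constant time."""
    recomputed = hash_claim(candidate, user_id, randomizer_secret)
    return hmac.compare_digest(recomputed, stored_hash)


def offline_guess_without_secret(candidate: str, user_id: str, stored_hash: str) -> bool:
    """What an attacker holding the published policy and a stored hash, but
    not the tenant key, can do: run the construction with a guessed key.
    Without the real key the recomputation never matches."""
    guessed_keys = {"AccountTransformSecret": b"attacker-guess"}
    return hash_claim(candidate, user_id, "AccountTransformSecret", guessed_keys) == stored_hash


if __name__ == "__main__":
    h_alice = hash_claim("Passw0rd!", "alice", "AccountTransformSecret")
    h_bob = hash_claim("Passw0rd!", "bob", "AccountTransformSecret")
    print("same password, different userId ->", h_alice != h_bob)
    # Insider copies alice's hash into bob's record: salt mismatch, login fails.
    print("copied hash verifies for bob   ->", verify_password("Passw0rd!", "bob", h_alice))
    print("guess without tenant key       ->",
          offline_guess_without_secret("Passw0rd!", "alice", h_alice))
```

Running the script prints True, False, False: the per-user salt separates identical passwords, the copied hash does not verify under the other user’s salt, and a candidate password cannot be checked against a hash without the tenant key. The same code with a second key store shows the per-tenant separation described above.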
