Event-driven architecture (or Web Hooks) of Aprimo DAM.

christopher.fredrickson 2 months ago in Integrations / Connectors updated by Tarun Chawla 1 day ago 9

This request is being entered at the direction of Joris Wynendaele and Andrew Conforti

Aprimo Marketing Ops platform provides the ability to include an HMAC header when configuring WebHooks (events from Aprimo to SE). Refer to the HMAC section on this page: https://developers.aprimo.com/marketing-operations/webhooks/

However, this feature is not available in Aprimo “DAM” module. For integrations in SE, Aprimo DAM will have to implement WebHooks/Callouts upon status changes to Digital Assets and since SE’s Events API does not allow usage of Basic Auth or static/non-expiring tokens, having this HMAC will enable SE to validate the authenticity of the event from Aprimo DAM.

SE therefore needs Aprimo to provide this HMAC feature in DAM module as well. Additionally, SE also needs Aprimo to provide customization of the “header-name”. (SE uses Sign-Data as the header-name to receive HMAC data, while Aprimo uses X-SH1).

Any update on this one?  Is this possible or is there another option we need to discuss?


Hey Chris, we are committing to delivering in Q1 2021, likely in the March timeframe.


Updating to qualified, specifically for the HMAC using SHA256 with configurable header name. In this case, we would compute a hash of the post body content using a shared string key, and include that hash in a header on an outbound call. We will not pursue supporting OAuth 2.0 flows, as those tend to have small implementation differences that may make supporting that difficult and challenging to troubleshoot.

Thanks Tarun - let me pass this along

Sure. We will nail down any further details if we commit this and pursue development, but getting an initial response as to whether this high level description would work would be great. Thanks Chris.

Hi Tarun, 

The Sign Data header of SE-Events API requires the message body (only) signed with the shared secret (provided by SE) using the HMACSHA256 algorithm (supported by default in the API). The resultant signature needs to be converted to a base64-encoded UTF-8 string and the resultant value needs to be passed in that header.

Note that in terms of technical process, this is no different from what’s provided under HMAC section of https://developers.aprimo.com/marketing-operations/webhooks/

Also, note that the commonly used HMACSHA256 is supported in the API by default but in case consumers want/have to use a different algorithm, the corresponding algorithm name can be mentioned in the Sign-Type header of the SE-Events API.

Business Justification:  

Aprimo DAM which acts as Enterprise DAM in SE needs to integrate with other platforms managing Product data such as PIM, BSL, etc. These integrations are required to notify the downstream SE applications upon changes to specific attributes (such as AssetStatus) of a Digital Asset using DAM’s Rule Callouts/WebHooks. SE provides a REST API/Endpoint (called SE-Events) to accept these events from Aprimo DAM and based on SE API Security Guidelines, this SE-Events API allows only two authentication modes - a signed HMAC header or an OAuth2 client-credentials.
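The signing scheme described in the comment above (HMAC-SHA256 over the message body only, base64-encoded, carried in a configurable header), sketched for both the sender and the receiver. This is an added example, not code from Aprimo or SE; the function names, the sample event, the secret and the literal `Sign-Type` value `HMACSHA256` are assumptions.

```python
import base64
import hashlib
import hmac

# Header names are the ones mentioned in the thread; the name is a parameter
# to mirror the "configurable header name" request.
DEFAULT_HEADER = "Sign-Data"
# Assumption: the Sign-Type value is the algorithm name as written in the thread.
ALLOWED_ALGORITHMS = {"HMACSHA256": hashlib.sha256}


def sign_body(body: bytes, secret: bytes, algorithm: str = "HMACSHA256") -> str:
    """Sender side: HMAC over the raw body only, base64-encoded for the header."""
    digest = hmac.new(secret, body, ALLOWED_ALGORITHMS[algorithm]).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_event(headers: dict, body: bytes, secret: bytes,
                 header_name: str = DEFAULT_HEADER) -> bool:
    """Receiver side: recompute over the bytes exactly as received, then compare."""
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(header_name.lower())
    if not received:
        return False  # an unsigned event is rejected, never accepted by default
    algorithm = lowered.get("sign-type", "HMACSHA256")
    if algorithm not in ALLOWED_ALGORITHMS:
        return False  # the sender cannot select an unlisted algorithm
    expected = sign_body(body, secret, algorithm)
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.strip().encode("utf-8"))


# Constructed sample event and secret (not real values).
SECRET = b"constructed-shared-secret"
BODY = b'{"assetId":"constructed-123","AssetStatus":"Approved"}'
GOOD = {"Content-Type": "application/json", "sign-data": sign_body(BODY, SECRET)}

if __name__ == "__main__":
    print(verify_event(GOOD, BODY, SECRET))
    print(verify_event(GOOD, BODY.replace(b"Approved", b"Draft"), SECRET))
```

The receiver has to verify the raw request bytes before any JSON parsing or re-serialization, since a re-encoded body will generally not reproduce the signed bytes.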

Hi Chris, thanks for the extra detail here! I'm validating what our options are today. Chances are if we do enhance something, it'd likely be the addition of an HMAC vs an OAuth 2.0 flow, as it's possible external systems have subtle differences in OAuth endpoint formats that would make things tricky. If we were to go an HMAC route, I'd expect we'd have to hash some combination of the url, query string values, and body and use a shared secret to calculate it, and use a HMACSHA256 approach. 

Are there specific requirements on how the HMAC would need to be formed (using what data) and the algorithm used to produce it, noting that you need a configurable header name it would appear in?