How to override the certificate resolver

•

Environment: cloud

Some tooltip text!

• 3 minutes to read

 • 3 minutes to read

Note

This information applies only if validating the security token using the SuperOffice.Online.Core NuGet package. See the Validate security tokens page to see all options.

To override the default behavior of JWT security token validation is required when you deploy your application in a restricted environment where you have no access to the certificate store. This is the case when you deploy to a cloud application server.

When you override the security token validation routine, you need only 1 certificate, SuperOfficeFederatedLogin.crt. If you use the default PeerTrust validation, you need all 3 certificates.

This override short-circuits the PeerTrust validation, or certificate dependencies, by setting the CertificateValidator property to None.

tokenHandler.CertificateValidator = X509CertificateValidator.None;

This allows the certificate routines to bypass certificate validation, and directly validate the JWT security token with the provided certificate.

Pre-requisites:

• Your application has an App_Data folder containing the SuperOfficeFederatedLogin.crt certificate.
• CertificateValidator property is set to None.
• The certificate type must be X509Certificate2.

For JWT security tokens, the application must override the JwtIssuerSigningCertificate property.

The X509Certificate2 constructor accepts a file name argument and is the file name of the certificate that will be used to validate the security token.

The full path to the  App_Data folder containing SuperOfficeFederatedLogin.crt is passed to the constructor.

public SuperIdToken ValidateToken(string token)
{
  var tokenHandler = new SuperIdTokenHandler();
  tokenHandler.JwtIssuerSigningCertificate = new X509Certificate2(
    HttpContext.Current.Server.MapPath("~/App_Data/") + "SuperOfficeFederatedLogin.crt"
  );
  // Change subdomain for correct environment (sod, stage, online).
  tokenHandler.ValidIssuer = "https://sod.superoffice.com";
  tokenHandler.CertificateValidator = X509CertificateValidator.None;
  return tokenHandler.ValidateToken(token, TokenType.Jwt);
}

The ValidateToken method will return a SuperIdToken populated with all the claims returned by SuperOffice CRM Online.

This operation will fail if the token is not JWT or if the certificate is missing.

How to override the certificate resolver for legacy SAML tokens

This code allows the certificate routines to bypass certificate validation, and directly validate the SAML security token with the provided certificate. This is no longer the preferred method.

We recommend that you use JWT security tokens.

This override short-circuits the PeerTrust validation, or certificate dependencies, by setting the CertificateValidator property to None.

tokenHandler.CertificateValidator = X509CertificateValidator.None;

Pre-requisites:

• Your application has an App_Data folder containing the SuperOfficeFederatedLogin.crt certificate.
• CertificateValidator property is set to None.

For SAML tokens, the application must override the IssueTokenResolver property with a class that knows how to resolve certificates.

SuperOffice provides the CertificateFileCertificateStoreTokenResolver class. Its constructor accepts a path where it will search for certificates with a .crt, .cer, or .pfx file extension.

public SuperIdToken ValidateToken(string token)
{
  var tokenHandler = new SuperIdTokenHandler();

The ValidateToken method will return a SuperIdToken populated with all the claims returned by SuperOffice CRM Online.

This operation will fail if the token is not SAML or if the certificate is missing.