How to authenticate an application user with SuperOffice legacy federated authentication

In this article

    Before introducing OAuth 2.0, our web services used SuperOffice legacy federated authentication. This is no longer the preferred method.

    We recommend that you use the standard OAuth 2.0 user authentication.


    • You have received a unique client ID and secret
    • You have whitelisted your redirect URL (GET or POST) with SuperOffice
    • You have set up a web page at your redirect URL
    • the application user has a valid username and password
    1. Forward users to the SuperOffice online sign-in page to authenticate.

    2. Receive the authentication token when the sign-in page redirects the user back to your application. The HTTP response contains a form in the body:

      <form action=”redirecturl” method=”post”>
         <input type=”hidden” name=”key” value=”<value>” />

      The hidden input type has name set to SAML or JWT. The value is set to the security token of the corresponding type.

    3. Validate the authentication token. This is required each time a token is received to ensure that no attacks happened between sending the authentication request and receiving the authentication response.