Maintenance on SuperOffice Core systems 6th to 9th of November Click to learn more

How to override the certificate resolver

In this article

    To override the default behavior of JWT security token validation is required when you deploy your application in a restricted environment where you have no access to the certificate store. This is the case when you deploy to a cloud application server.

    When you override the security token validation routine, you need only 1 certificate, SuperOfficeFederatedLogin.crt. If you use the default PeerTrust validation, you need all 3 certificates.

    This override short-circuits the PeerTrust validation, or certificate dependencies, by setting the CertificateValidator property to None.

    tokenHandler.CertificateValidator = X509CertificateValidator.None;

    This allows the certificate routines to bypass certificate validation, and directly validate the JWT security token with the provided certificate.


    • Your application has an App_Data folder containing the SuperOfficeFederatedLogin.crt certificate.
    • CertificateValidator property is set to None.
    • The certificate type must be X509Certificate2.

    For JWT security tokens, the application must override the JwtIssuerSigningCertificate property.

    The  X509Certificate2 constructor accepts a file name argument and is the file name of the certificate that will be used to validate the security token.

    The full path to the  App_Data folder containing SuperOfficeFederatedLogin.crt is passed to the constructor.

    public SuperIdToken ValidateToken(string token)
        var tokenHandler = new SuperIdTokenHandler();
        tokenHandler.JwtIssuerSigningCertificate = new X509Certificate2(
           HttpContext.Current.Server.MapPath("~/App_Data/") + "SuperOfficeFederatedLogin.crt"
        // Change subdomain for correct environment (sod, stage, online).
        tokenHandler.ValidIssuer = "";
        tokenHandler.CertificateValidator = X509CertificateValidator.None;
        return tokenHandler.ValidateToken(token, TokenType.Jwt);

    The ValidateToken method will return a SuperIdToken populated with all the claims returned by SuperOffice CRM Online.

    This operation will fail if the token is not JWT or if the certificate is missing.