
How to override the certificate resolver for legacy SAML tokens


    This code lets the certificate routines bypass certificate validation and validate the SAML security token directly against the provided certificate. This is no longer the preferred method.

    We recommend that you use JWT security tokens.

    This override short-circuits PeerTrust validation (and any other certificate-chain dependencies) by setting the CertificateValidator property to None.

    tokenHandler.CertificateValidator = X509CertificateValidator.None;
    

    Prerequisites:

    • Your application has an App_Data folder containing the SuperOfficeFederatedLogin.crt certificate.
    • The CertificateValidator property is set to None.

    For SAML tokens, the application must override the IssuerTokenResolver property with a class that knows how to resolve certificates.

    SuperOffice provides the CertificateFileCertificateStoreTokenResolver class. Its constructor accepts a path where it will search for certificates with a .crt, .cer, or .pfx file extension.

    public SuperIdToken ValidateToken(string token)
    {
        var tokenHandler = new SuperIdTokenHandler();

        // Resolve the issuer certificate from the .crt/.cer/.pfx files found in App_Data
        tokenHandler.IssuerTokenResolver = new CertificateFileCertificateStoreTokenResolver(
            HttpContext.Current.Server.MapPath("~/App_Data"));

        // Skip PeerTrust/chain validation; the resolved certificate is trusted as-is
        tokenHandler.CertificateValidator = X509CertificateValidator.None;

        return tokenHandler.ValidateToken(token, TokenType.Saml);
    }

    The ValidateToken method will return a SuperIdToken populated with all the claims returned by SuperOffice CRM Online.

    This operation will fail if the token is not SAML or if the certificate is missing.
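    Because CertificateValidator.None disables chain and PeerTrust checks, the SuperOfficeFederatedLogin.crt file in App_Data is the only trust anchor, so it is worth confirming before validation that the file is present and is the certificate you expect. The following is an added example, not code from the SuperOffice documentation: the thumbprint constant is a placeholder for your own certificate's value, the SuperOffice types are the ones named above (their using directive is omitted), and it assumes ValidateToken throws when the token is not SAML or the certificate cannot be resolved.

```csharp
using System;
using System.IO;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.Web;
// SuperIdTokenHandler, SuperIdToken, TokenType and CertificateFileCertificateStoreTokenResolver
// come from the SuperOffice client assembly; add its using directive for your project.

public class PinnedSamlValidator
{
    // Placeholder: replace with the SHA-1 thumbprint of the SuperOfficeFederatedLogin.crt you deployed.
    private const string ExpectedThumbprint = "REPLACE-WITH-YOUR-CERT-THUMBPRINT";

    // Confirms that the issuer certificate exists in App_Data, matches the pinned thumbprint
    // and has not expired. Returns the certificate so callers can log its subject and expiry.
    public static X509Certificate2 CheckTrustAnchor(string appDataPath)
    {
        var certPath = Path.Combine(appDataPath, "SuperOfficeFederatedLogin.crt");
        if (!File.Exists(certPath))
            throw new FileNotFoundException("Issuer certificate missing from App_Data", certPath);

        var cert = new X509Certificate2(certPath);
        if (!string.Equals(cert.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Issuer certificate in App_Data does not match the pinned thumbprint");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("Issuer certificate in App_Data has expired");
        return cert;
    }

    public static SuperIdToken ValidateToken(string token)
    {
        var appData = HttpContext.Current.Server.MapPath("~/App_Data");
        CheckTrustAnchor(appData); // fail closed before any token is parsed

        var tokenHandler = new SuperIdTokenHandler();
        tokenHandler.IssuerTokenResolver = new CertificateFileCertificateStoreTokenResolver(appData);
        tokenHandler.CertificateValidator = X509CertificateValidator.None; // chain checks are skipped, hence the pin above
        try
        {
            return tokenHandler.ValidateToken(token, TokenType.Saml);
        }
        catch (Exception ex) // assumption: the handler throws for non-SAML tokens or an unresolved certificate
        {
            throw new InvalidOperationException("SAML token validation failed; see inner exception", ex);
        }
    }
}
```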