Common Problems in online application development

In this article

    A list of common problems in Online application development and their resolutions.

    Error: ID4037

    The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier


    Certificate is not found. Either the certificates are not installed on the local machine, or they are not configured to load the SuperOfficeFederatedLogin.crt certificate by using the CertificateFileCertificateStoreTokenResolver class.


    Make sure the online certificates are installed on the local machine, or use the CertificateFileCertificateStoreTokenResolver to point to the location of the SuperOfficeFederatedLogin.crt certificate. If the latter, make sure to set the CertificateValidator to X509.CertificateValidator.None.

    var tokenHandler = new SuperIdTokenHandler();
    tokenHandler.IssuerTokenResolver = 
        new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(
    tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
    return tokenHandler.ValidateToken(returnedToken, TokenType.Saml);


    Error: ID4175

    The issuer of the security token was not recognized by the IssuerNameRegistry.


    The SuperIdCertificate appSetting value does not correlate to an installed certificate.


    Install the correct certificates for the correct environment (SOD, Stage, Production) into the Local Machine certificate store.

    Make sure the thumbprint is correct, use arrow back to verify that there is no hidden character before the thumbprint value. 

    Alternatively, override the IssuerTokenRsolver and set the CertificateValidator to X509CertificateValidator.None as demonstrated in error ID4037.


    Error: ID4148

    The Saml2SecurityToken is rejected because the SAML2:Assertion's NotOnOrAfter condition is not satisfied.


    Too much time has elapsed since when the system user token was signed and sent to exchange for a system user ticket. The returned token containing the system user ticket has expired.


    Tokens must be validated immediately after they are returned by SuperID.

    Error: Data at the root level is invalid. Line 1, position 1.


    TokenHandler attempted to validate a JWT token with the SAML token enumeration.


    Change the enumeration from SAML to JWT.



    Error: IDX10708

    'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48QXNzZ



    TokenHandler attempted to validate a SAML token with the Jwt token enumeration.


    Do not set the tokenHandler.JwtIssuerSigningCertificate property, if using certificates installed on local machine, or set the tokenHandler.IssuerTokenResolver to a new CertificateFileCertificateStoreTokenResolver instance if using a relative certificate file, and in the Validate method, change the TokenType enumeration from Jwt to SAML.

    //Disable looking up the certificate PeerTrust when using CertificateFileCertificateStoreTokenResolver or JWT tokens.
    tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;

    //determine what class will lookup the certificates for validation
    tokenHandler.IssuerTokenResolver = new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(

    tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml)


    Error: Value cannot be null. Parameter name: certificate

    Possible Problem 1:

    TokenHandler attempted to validate a SAML token with the Jwt token enumeration.

    Resolution :

    Change the enumeration from Jwt to SAML.

    tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml)


    Possible Problem 2:

    Certificates have not been installed on the partners server.


    Install the public SuperOffice certificates according to the How to Configure Certificates for Online Apps


    Error: Cannot locate PartnerHttpContext

    This error appears when the web application web.config file declared a session mode equal to PartnerHttpContext, and the PartnerHttpContext class is not included in the project, or in an assembly located in the web site bin folder.

    As explained in this video series, when using our sample code there is a series of authentication dependencies that must be in place, these are:

    • Context Initializer: responsible for dynamically setting the NetServer URL based on the tenant context.
    • Context Resolver: responsible for getting the correct tenant context identifer.
    • PartnerHttpContext: storage provider for the current context container in IIS HttpContext

    These components work in tandem to establish a validate and resolve an authenticated context in a multi-tenant environment. 



    Ensure your project contains the ContextInitializer.cs, ContextResolver.cs and PartnerHttpContext.cs files in your web project. These are included in the online sample project SuperOffice.DevNet.Online.Login.