
SSO Token Validator Extension Point

Overview

Use the SSO token validator extension point to let B2B Commerce validate a token issued by an external identity provider. B2B Commerce first tries to validate the token with its built-in Identity Server; if that fails and the extension point is configured, it falls back to the extension point.

For example, if you run both the CMS and B2B Commerce, you can configure SSO in the CMS against an external identity provider. That provider issues a token, and if the extension point in B2B Commerce is pointed at the same identity provider, the same token can be validated there and used to call the B2B Commerce APIs.

Note

To use this functionality, users must already exist in B2B Commerce; the extension point validates tokens but does not create users. If you use the connector for B2B Commerce and the Content Cloud CMS, however, creating a user in the CMS triggers B2B Commerce to add that user automatically.

How to implement the SSO token validator extension point

Follow these steps:

  1. Implement the IInjectAuthenticationOptions interface
  2. Add an Authentication middleware configured to validate the external token

Example Implementation

Note

This code is commented out in the InjectAuthenticationOptions.cs file.

namespace Insite.IdentityServer.Startup
{
    using System.IdentityModel.Tokens;
    using System.Linq;
    using Insite.Core.Security;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.Owin.Security.Jwt;
    using Owin;

    public class InjectAuthenticationOptions : IInjectAuthenticationOptions
    {
        // Name under which externally issued tokens are authenticated. Keep it distinct from the
        // built-in Identity Server's bearer type so the two pipelines do not collide.
        private const string CustomBearerAuthenticationType = "CustomBearer";

        // Tenant-specific values from the sample; replace them with your identity provider's
        // metadata endpoint and with the issuer and audience it actually puts into its tokens.
        private const string MetadataAddress =
            "https://login.microsoftonline.com/7de63854-34d6-46bb-b98d-855dd67ef1c5/v2.0/.well-known/openid-configuration";
        private const string ValidIssuer = "https://sts.windows.net/7de63854-34d6-46bb-b98d-855dd67ef1c5/";
        private const string ValidAudience = "https://andrey.insitesoftqa.com/identity";

        public string[] AuthenticationTypes => new[] { CustomBearerAuthenticationType };

        public void InjectOption(IAppBuilder app)
        {
            // The discovery document (and the signing keys behind its jwks_uri) is fetched once,
            // at startup, and held for the life of the process. A signing-key rollover at the
            // identity provider therefore needs an application restart, or a refresh strategy of your own.
            var openIdConnectConfiguration = new ConfigurationManager<OpenIdConnectConfiguration>(MetadataAddress)
                .GetConfigurationAsync()
                .GetAwaiter()
                .GetResult();

            app.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions
                {
                    AuthenticationType = CustomBearerAuthenticationType,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Issuer, audience and lifetime validation are enabled by default; pin the exact
                        // values so a token minted for another tenant or another client is rejected.
                        // ValidIssuer must equal the token's "iss" claim: Azure AD v1.0 tokens carry the
                        // sts.windows.net form used here, v2.0 tokens carry login.microsoftonline.com/{tenant}/v2.0.
                        ValidAudience = ValidAudience,
                        ValidIssuer = ValidIssuer,

                        // Select the signing key by the token's "kid" header from the provider's
                        // published key set. Returning null when the kid is missing or unknown makes
                        // validation fail closed instead of throwing from inside the middleware.
                        IssuerSigningKeyResolver = (token, securityToken, keyIdentifier, parameters) =>
                        {
                            var kidClause = keyIdentifier.FirstOrDefault(
                                o => o.ClauseType == "NamedKeySecurityKeyIdentifierClause");
                            if (kidClause == null)
                            {
                                return null;
                            }

                            return openIdConnectConfiguration.JsonWebKeySet
                                .GetSigningTokens()
                                .Where(o => o.Id == kidClause.Id)
                                .SelectMany(o => o.SecurityKeys)
                                .FirstOrDefault();
                        }
                    }
                });
        }
    }
}
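The script below is an added, offline illustration and is not part of this page or of the B2B Commerce code base. It shows what the sample's IssuerSigningKeyResolver and the middleware's default checks accomplish together, and goes a step beyond the sample by exercising the rejected cases: it generates an RSA key pair, publishes the public half in the JWKS shape a provider serves at its jwks_uri, mints RS256 tokens, and validates them by kid lookup, signature check, then issuer, audience and lifetime. The issuer, audience, kids and claims are constructed values, and the stdlib-only RSA routines (demo-sized keys) stand in for the token handler's cryptography.

```python
"""Offline walk-through of external-token validation: kid -> published key -> RS256 signature
-> issuer / audience / lifetime. Hypothetical issuer, audience and kids; nothing is fetched."""
import base64
import hashlib
import json
import random
import time


# ---- minimal RSA, PKCS#1 v1.5 with SHA-256, stdlib only (demo sizes; real keys are 2048+ bits) ----
def _is_probable_prime(n, rounds=16):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                     # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa(bits=1024):
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(p):
                return p
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}  # modular inverse needs Python 3.8+


_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo || SHA-256(msg)."""
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")


def rsa_verify(pub, msg, sig):
    k = (pub["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    return em == _emsa(msg, k)


# ---- JWT / JWKS plumbing ----------------------------------------------------------------------
def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwks_from(published):
    """Public halves in the JWKS document shape a provider serves at its jwks_uri."""
    def enc(i):
        return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "n": enc(k["n"]), "e": enc(k["e"])}
                     for kid, k in published.items()]}


def issue_token(kid, key, claims, alg="RS256"):
    header = b64u(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    signing_input = header + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(rsa_sign(key, signing_input.encode()))


def resolve_signing_key(jwks, kid):
    """The resolver's job: the published key whose kid matches, or None (fail closed)."""
    for jwk in jwks["keys"]:
        if jwk.get("kty") == "RSA" and jwk.get("kid") == kid:
            return {"n": int.from_bytes(b64u_dec(jwk["n"]), "big"),
                    "e": int.from_bytes(b64u_dec(jwk["e"]), "big")}
    return None


def validate_token(token, jwks, valid_issuer, valid_audience, now=None):
    """Return the claims of an acceptable token; raise ValueError naming the failed check."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64u_dec(h)), json.loads(b64u_dec(p))
    except Exception:
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":            # reject alg=none and algorithm downgrades outright
        raise ValueError("unexpected alg")
    key = resolve_signing_key(jwks, header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if not rsa_verify(key, (h + "." + p).encode(), b64u_dec(s)):
        raise ValueError("bad signature")
    if claims.get("iss") != valid_issuer:       # ValidIssuer
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if valid_audience not in (aud if isinstance(aud, list) else [aud]):   # ValidAudience
        raise ValueError("wrong audience")
    now = time.time() if now is None else now   # lifetime: exp and nbf
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("outside token lifetime")
    return claims


ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"   # hypothetical tenant
AUDIENCE = "https://commerce.example.com/identity"                          # hypothetical audience


def demo(now=1_700_000_000):
    """One published key, one key the provider never published; accepted and rejected cases."""
    published = {"2024-key": generate_rsa()}
    rogue = generate_rsa()
    jwks = jwks_from(published)
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice@example.com", "nbf": now - 60, "exp": now + 3600}
    good_key = published["2024-key"]
    cases = {
        "good": issue_token("2024-key", good_key, claims),
        "forged": issue_token("2024-key", rogue, claims),            # right kid, attacker's key
        "unknown_kid": issue_token("rogue", rogue, claims),
        "wrong_aud": issue_token("2024-key", good_key, dict(claims, aud="https://other.example.com")),
        "expired": issue_token("2024-key", good_key, dict(claims, exp=now - 1)),
        "alg_none": issue_token("2024-key", rogue, claims, alg="none"),
    }
    results = {}
    for name, tok in cases.items():
        try:
            results[name] = "accepted:" + validate_token(tok, jwks, ISSUER, AUDIENCE, now)["sub"]
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} {outcome}")
```

The order of the checks is the point: the kid is used only to pick a key from the provider's published set, never to trust the token, and a signature that verifies is still rejected if the issuer, audience or lifetime is wrong. The same applies to the middleware sample above, where ValidIssuer and ValidAudience, together with the default lifetime validation, do the work of the last three checks.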
