
SSO token validator extension point

Use the SSO token validator extension point to allow Configured Commerce to validate a token from an external identity provider. Configured Commerce will first try to validate the token with its built-in Identity Server, then fall back to the SSO token validator extension point if you have configured it.

For example, if you use both the CMS and Configured Commerce, you can configure SSO in the CMS to use an external identity provider. That identity provider issues a token; when you validate it against the same identity provider, the same token can be used to call Configured Commerce APIs.

Note

To leverage this functionality, users must already exist in Configured Commerce, because this extension point does not create users automatically. If you use the connector for Configured Commerce and the Content Cloud CMS, however, you can create a user in the CMS, which triggers Configured Commerce to add that user automatically.

To implement the SSO token validator extension point, implement the IInjectAuthenticationOptions interface and, in it, add an authentication middleware configured to validate the external token.

Note

The following code is commented out in the InjectAuthenticationOptions.cs file.

namespace Insite.IdentityServer.Startup
{
    using System.IdentityModel.Tokens;
    using System.Linq;
    using Insite.Core.Security;
    using Microsoft.IdentityModel.Protocols;
    using Microsoft.Owin.Security.Jwt;
    using Owin;

    public class InjectAuthenticationOptions : IInjectAuthenticationOptions
    {
        private const string CustomBearerAuthenticationType = "CustomBearer";

        // The authentication types registered here are the ones Configured Commerce falls back to
        // after its built-in Identity Server has failed to validate the token.
        public string[] AuthenticationTypes => new[] { CustomBearerAuthenticationType };

        public void InjectOption(IAppBuilder app)
        {
            // Fetch the identity provider's OpenID Connect metadata (issuer, JSON Web Key Set) once at startup.
            // Keys rotated by the provider are not seen until the next restart; to follow key rotation, keep the
            // ConfigurationManager and call GetConfigurationAsync() inside the resolver instead, since it caches
            // and refreshes the metadata on its own.
            var openIdConnectConfiguration = new ConfigurationManager<OpenIdConnectConfiguration>(
                "https://login.microsoftonline.com/7de63854-34d6-46bb-b98d-855dd67ef1c5/v2.0/.well-known/openid-configuration"
            )
                .GetConfigurationAsync()
                .GetAwaiter()
                .GetResult();

            app.UseJwtBearerAuthentication(
                new JwtBearerAuthenticationOptions
                {
                    AuthenticationType = CustomBearerAuthenticationType,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Both claims must match exactly: a token minted for another audience or by
                        // another issuer is rejected even when its signature is valid.
                        ValidAudience = "https://andrey.insitesoftqa.com/identity",
                        ValidIssuer = "https://sts.windows.net/7de63854-34d6-46bb-b98d-855dd67ef1c5/",
                        // Select the signing key by the token's key identifier (kid) from the provider's
                        // published JSON Web Key Set.
                        IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                        {
                            var namedKeyClause = kid.FirstOrDefault(
                                o => o.ClauseType == "NamedKeySecurityKeyIdentifierClause"
                            );
                            if (namedKeyClause == null)
                            {
                                // No kid in the token header: nothing to match, so validation fails.
                                return null;
                            }

                            // Returning null makes the middleware reject the token, so an unknown or
                            // retired kid never falls back to an arbitrary key.
                            return openIdConnectConfiguration.JsonWebKeySet
                                .GetSigningTokens()
                                .Where(o => o.Id == namedKeyClause.Id)
                                .SelectMany(o => o.SecurityKeys)
                                .FirstOrDefault();
                        }
                    }
                }
            );
        }
    }
}
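The checks the middleware above performs (key selected by kid from the JWKS, signature verified, issuer and audience matched, expiry enforced), modelled as an added example in Python so it runs offline; this is not Configured Commerce or Optimizely code. It assumes a constructed JWKS, issuer and audience, and uses symmetric HS256 keys in place of the RSA keys Azure AD publishes; the selection and claim checks are the same.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed JWKS standing in for the key set the OIDC metadata URL points at (symmetric keys so it runs offline).
JWKS = {"keys": [
    {"kty": "oct", "kid": "key-2024", "k": b64url_encode(b"constructed-secret-1")},
    {"kty": "oct", "kid": "key-2023", "k": b64url_encode(b"constructed-secret-0")},
]}
VALID_ISSUER = "https://issuer.example/"              # assumed value; plays the role of ValidIssuer
VALID_AUDIENCE = "https://commerce.example/identity"  # assumed value; plays the role of ValidAudience

def resolve_signing_key(kid):  # counterpart of IssuerSigningKeyResolver: key for kid, or None
    for jwk in JWKS["keys"]:
        if jwk["kid"] == kid and jwk["kty"] == "oct":
            return b64url_decode(jwk["k"])
    return None

def validate_token(token, now=None):  # returns the claims, or raises ValueError
    try:
        h, p, s = token.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # allow-list the algorithm; never honour 'none' or a token-chosen alg
        raise ValueError("unsupported alg")
    key = resolve_signing_key(header.get("kid", ""))
    if key is None:  # no key for this kid: reject instead of falling back to some other key
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if payload.get("iss") != VALID_ISSUER:
        raise ValueError("bad issuer")
    aud = payload.get("aud")
    if VALID_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return payload

def make_token(kid, claims):  # helper to mint a token signed with the JWKS key registered under kid
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(resolve_signing_key(kid), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```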