To configure a specialized authentication portal landing page that will allow your site to provide both RemoteAuth and non-RemoteAuth logon options from a single link within a catalog or finding aid.
The application files needed for this feature are available as a zip file on the Aeon Downloads page.
Authentication Portal Details
Sites wanting to provide users with one link to various different logon options can use the Atlas Authentication Portal feature. The Atlas Authentication Portal application allows sites to provide a single link from a catalog or finding aid system that will take users to a page where they can select whether they log in via RemoteAuth or other methods. In addition to providing logon links, this feature supports passing query string data through the portal to the selected destination.
The specialized authentication portal landing page, Index.cshtml, displays instructional text to help sites configure the portal to view and edit. Once configured, this page will provide users the options for logging into Aeon. When the user clicks the link and logs into Aeon, the item data embedded in the original link is carried through and applied to the request form. This page is located in the AtlasAuthPortal file under \AtlasAuthPortal\Views\Portal.
Two Types of Access
There are two options available for configuring the portal: form-based access and linked based access. The default authentication portal page explains in detail how each option works and how to configure either of these options for use by your site.
Automatic Redirect Feature
When the portal is invoked it supports cookie-based tracking of the options selected by the user. If the user is currently logged into the destination system and has previously gone through the portal, it will forward them to their destination rather than show them the selection screen again.
As of Atlas Auth Portal version 1.3, the redirectUrl parameter has been replaced with the authType parameter. The default pages accept the authType values of AtlasAuth and RemoteAuth. For instructions on configuring the authType parameter settings of AtlasAuth and RemoteAuth, see the index.cshtml page for examples. In the index.cshtml, the examples use the default AtlasAuth and RemoteAuth values as placeholder for demonstration purposes only. When configuring your site's redirect URL, take the redirect URL values from your index.cshtml page and put them in the web.config as a named setting, and then update the index.cshtml to pass the authType parameter with the respective names.
In version 1.3, the RedirectUrlCookieName setting has been removed and replaced with the AuthTypeCookieName which defaults to AtlasAuthType. This change prevents the redirect URL from storing the user's cookies. Instead we now store the name of the auth type to use instead. This change will also prevent upgrade issues with users that have redirect URL cookies in their browsers already.
Session Cookie and Login Persistence Features
As of Atlas Auth Portal version 1.3.2, the session cookie generated by the Atlas Auth Portal upon login will now include SameSite and Secure properties that will allow Aeon to persist the user's login when placing requests through the portal from an external website (i.e., from a website outside of the Aeon web pages, such as a library catalog or finding aid) in most instances. By default, the Atlas Auth Portal will set these properties for the session cookie as follows:
- When a user places a request from an external website using HTTPS:
- The SameSite property on the session cookie will be set to None and the Secure property set to True allowing currently logged-in Aeon users to skip the Atlas Auth Portal login page when placing the request
- When a user places a request from an external website using HTTP:
- The SameSite property on the session cookie will be set to Lax and the Secure property set to False allowing currently logged-in Aeon users to skip the Atlas Auth Portal login page when placing the request only if the external website is under the same domain as the Aeon web pages. If the external website is not under the same domain, then the user will need to log back into the Aeon system to place the request.
Installing the Atlas Authentication Portal Application
As of version 1.3.2, in order for the Atlas Authentication Portal to work properly, you must have Microsoft .NET 4.7.2 Framework (or higher) installed on your Aeon web server. You must be on Aeon v5.2 to use the new features included in Atlas Authentication Portal v1.3.2.
- Download the AtlasAuthPortal files and extract the folder to the web folder on the server (C:\Program Files (x86)\Aeon\Web is the default).
- Open the IIS Manager on your server.
- Navigate to AtlasAuthPortal by clicking Your Server Name | Sites | Default Web Site | Aeon | AtlasAuthPortal.
- Right click on the Atlas Auth Portal and select Convert to Application.
- Accept the application defaults or make changes and click OK. The AtlasAuthPortal icon will change from a folder to an application icon.
Configuring the Atlas Authentication Portal
Supporting POST Data | Overriding the Default Session Cookie SameSite Attributes
Once you have installed the Atlas Auth Portal application, there are two steps to setting up the authentication portal feature.
- Modify the default portal page (Index.cshtml) using the instructions provided on the page. This page is located in the AtlasAuthPortal file under \AtlasAuthPortal\Views\Portal.
- Edit the Web.config file for the authentication portal to include the correct <appSettings> values for the SessionCookieName and UsePersistentRedirectCookie settings. This file is located in the AtlasAuthPortal file under \AtlasAuthPortal\Views.
- SessionCookieName value: AeonSessionID
This controls the cookie that should be looked for to identify whether or not the user is logged in. By default Aeon stores the login as AeonSessionID. - UsePersistentRedirectCookie value: true
This determines whether or not the cookie used to store the redirectURL the user selected on their last visit should be persistent or not (whether the cookie should be available after the user has closed their browser and come back to the portal). - RedirectUrlCookieName: RedirectUrl
This specifies the name to use when storing the portal's redirect URL in a cookie. By default Aeon stores the name as RedirectUrl. This can be changed to avoid conflicts between multiple instances of the Atlas Auth Portal on the same domain. For example, if a second instance of the Atlas Auth Portal is set up to redirect to the open URL action, its RedirectUrlCookieName might be set to OpenUrlRedirectUrl.
- SessionCookieName value: AeonSessionID
Because cookies are generally specific to the domain that they are created under, the Automatic Redirect Feature cannot be used unless both the Portal landing page and the Aeon.dll (which generates the session cookie that the Portal is looking for) are both under the same domain. Therefore, the Portal landing page URL needs to have the same domain name as the resulting Aeon DLL pages. Generally all of these web pages are on the same server, but take care to use a consistent DNS name. Otherwise, the portal page will be set up correctly, but users will still have to pass through that page after having authenticated.
Supporting POST Data
The Atlas Authentication Portal redirects web requests to a number of possible end points, but the nature of HTTP redirects causes form data to be lost when a form submission (an HTTP POST) is redirected. The Portal has a feature that enables it to persist this POST data to the file system in a location that can later be read by the Aeon web application. This feature is only available when the Portal and Aeon are hosted on the same web server and requires manual configuration using the following steps.
Create Folders for POST DataStart by creating the folders that will hold the POST data during the redirection from the Portal to the appropriate Aeon endpoint. Create a folder named 'posts' under the web directory for each Aeon endpoint the Portal may redirect to. For example, under a default installation the location would be
C:\Program Files (x86)\Aeon\Web\posts
Next, change the permissions on the posts folder to ensure the Atlas Authentication Portal can create files there. Start by determining the name of the IIS application pool the Portal is running under by opening IIS Manager, selecting the Atlas Authentication Portal site, and clicking on Advanced Settings. Note the name of the application pool; in this example it's DefaultAppPool but that may be different on your system.
Then, open the Aeon web directory in Explorer and right-click the posts folder, select Properties, then select the Security tab. Click the Add button, and enter the text 'IIS AppPool\{name of app pool}'. Note the space between IIS and AppPool. In this example, the value would be 'IIS AppPool\DefaultAppPool'. Click the Check Names button to ensure it can find this user (it will change the text to just the name of the app pool) and click OK. Lastly, allow the Modify permission for the app pool user and click OK.
Configure Atlas Authentication Portal to Use Posts Directories
The Portal needs to be configured to use these posts folders. Open the web.config in the Portal's root folder and the index.cshtml file in the Portal's Views\Portal folder. Locate the configuration/appSettings section in the web.config file. Add a key for each posts directory the Portal needs to be aware of. The format for the key name is the prefix "PostsDirectoryFor:" followed by the redirection URL for that endpoint. The key's value will be the location of the posts folder on the file system. Note that the redirection URL must match exactly (with case sensitivity) with the redirection URL used in the Portal's index.cshtml file. It's best to open that file and copy/paste the URLs. In our example, the key we'd add would look like this:
<add key="PostsDirectoryFor:http://localhost/aeon/aeon.dll" value="C:\Program Files (x86)\Aeon\Web\posts" />
Lastly, modify the index.cshtml file to include a parameter that will hold the POST data. For each form element that redirects to an Aeon endpoint, add an input for the postData parameter as seen in the following example:
<form method="post" action='@Url.Action("Enter")'>
<input type="hidden" name="redirectUrl" value="http://localhost/aeon/aeon.dll" />
<input type="hidden" name="originalQuery" value="@ViewBag.QueryString" />
<input type="hidden" name="postData" value="@ViewBag.PostData" /> <!-- Add this line to support POST data -->
<input type="submit" value="Log In - Main Site" />
</form>
Overriding the Default Session Cookie SameSite Attributes (Not Recommended)
The default SameSite property values that are set on the Atlas Auth Portal session cookie as of v1.3.2 can be altered if necessary by manually setting an override value for CookieSameSiteMode in the portal's web.config file. When an override value is configured, the SameSite property on the session cookie will be set to that value for both HTTPS and HTTP requests, rather than having it set to None by default for HTTPS requests and Lax by default for HTTP requests. Valid override values are Strict, Lax, or None:
- Strict: The SameSite property on the cookie will always be set to Strict, meaning that all currently logged-in Aeon users will need to log back into the Aeon web pages when placing requests from any external website
- Lax: The SameSite property on the cookie will always be set to Lax, meaning that currently logged-in Aeon users will skip the Atlas Auth Portal login page only if the request is placed from an external website under the same domain as the Aeon web pages.
- If the request is placed from an external website under a different domain, then the user will need to log back into the Aeon web pages to place the request. This applies to external websites using both HTTPS and HTTP connections.
- None: The SameSite property on the cookie will always be set to None, meaning that currently logged-in Aeon users will skip the Atlas Auth Portal login page only if the request is placed from an external website using HTTPS
- If the request is placed from an external website using HTTP, then the user will need to log back into the Aeon web pages to place the request, even if the external website is under the same domain as the Aeon web pages.
Setting the Override Value
To override the default SameSite attributes on the session cookie with one of these three options:
- Open file explorer and navigate to C:\inetpub\wwwroot\aeon\AtlasAuthPortal.
- Right-click and open the web.config file in your preferred code editor (e.g., Notepad ++, Visual Studio Code)
-
Add the following key just below the "AuthTypeCookieName" line, replacing [InsertOverrideValueHere] with one of the options above:
<add key="CookieSameSiteMode" value="[InsertOverrideValueHere]"/>
- Save your changes