RemoteAuth: Authentication Process & Customizing Settings

Print Friendly and PDF Follow

A bug introduced in Shibboleth v3.2.2.2 may cause variable values to be duplicated in User records created through RemoteAuth. To resolve this issue, please use the following setting in your Shibboleth RequestMapper configuration:

If you do not want your users to enter a username and/or password to use Aeon, but want to pass a known username to Aeon for registration and login, you can setup RemoteAuth authentication. While there are few Aeon customizations to enable this authentication, it does require technical knowledge of setting up your external authenticating system and having that server send information to the Aeon web server.

RemoteAuth authentication is slightly different than other authentication methods in that there is no logon page used for customers to enter a username and password. In most installations, sites add an isapi filter to the Aeon web server that intercepts the request for the Aeon.dll in the RemoteAuth folder. If the username value has not been set, it redirects the user to the authentication server. If the username has been set, it checks the authentication server to see if the session is still active. RemoteAuth authentication expects a server variable that is set to the authenticating system and passed to Aeon via the http header.

Aeon installations have successfully authenticated users via PubCookie, CoSign and Shibboleth using this type of authentication. Currently, Aeon only checks for the username and does not look for other customer information (i.e. name, status, contact information etc.).

Shibboleth attribute IDs must be written using all uppercase letters in attribute-map.xml for the associated variable to pass through to the Aeon DLL.

Secure Handling for Users of Different Authentication Types

As of Aeon v5.0, the DLL will check to ensure that the user entering the system through a remote authentication endpoint matches an existing Aeon user in both username and authentication type (AuthType). In the case where a new RemoteAuth user's username has already been taken by a user created with the basic Aeon authentication type (i.e., where the existing user's AuthType is 'AeonAuth,' or where the AuthType is 'Default' if the WebAuthType is set to 'AeonAuth'), the RemoteAuth user will be redirected to the Error.html page upon the initial login attempt and the SLSingleSignInUsernameInUse status line will appear. The text on the error page will direct the user to contact staff to resolve the issue.

Note that RemoteAuth authentication is dependent on your existing external authentication system.  In order to use RemoteAuth authentication with Aeon, you must create a means to protect the Aeon web folder and send an authenticated username, usually with an ISAPI filter. Because the development and support of those ISAPI filters or other configurations for authenticating systems are outside of Aeon, you will need to be familiar with how to create and support those yourself to use this type of authentication. While Atlas Systems can help you troubleshoot the Aeon portion of the authentication, we cannot diagnose issues related to the authenticating system.

The system is designed to use RemoteAuthentication based on the location of the actual web pages as specified by the RemoteAuthWebPath customization key. Therefore, you cannot use the testweb pages with RemoteAuth.

Customization Keys

For RemoteAuth authentication, the WebAuthType key is not used, so can either be set to RemoteAuth as a reminder or Aeon. Because only the username is sent to Aeon and users authenticate against the remote server each time, the password reset feature does not apply for RemoteAuth authentication.

Customizing your RemoteAuth Settings

These customization keys are located in the Customization Manager under Web Interface | Authentication.

RemoteAuthSupport Determines if RemoteAuth is being used by one of the web directories
RemoteAuthUserVariable The name of the server variable containing the Aeon username that is sent from the authenticating server.
RemoteAuthWebLogoutURL The URL or local file to send a user to after logging out of an Aeon web directory controlled by remote authentication.
RemoteAuthWebPath The web directory containing Aeon web files and the DLL that's controlled by remote authentication. Details on this are below.

You can enable RemoteAuth authentication for a particular web directory while still keeping a separate web directory for users to register themselves via Standard Aeon authentication. The RemoteAuthWebPath would be the directory controlled by remote authentication while the WebPath key (Web Interface | System | WebPath) would have the directory not controlled by remote authentication. RemoteAuthSupport being set to Yes would tell Aeon to check the directory and then know if the user should be authenticated remotely or by Aeon. The WebAuthType key is not used with RemoteAuth authentication.

WebDefault Customization Keys 

The Aeon Customization Manager contains several WebDefault customization keys (under Web Interface | Defaults) that can be used to set default values in certain fields on the user registration web form under normal Aeon authentication. The WebDefault keys are not supported for use with RemoteAuth authentication due to how the user record is created and initialized. The list of unsupported keys includes the following:

  • WebDefaultCity
  • WebDefaultCountry
  • WebDefaultDepartment
  • WebDefaultState
  • WebDefaultStatus
  • WebDefaultZip

Adding Default Values to the NewAuthRegistration Web Form

If you would like new RemoteAuth users to have specific values set for any of these fields when they are directed to the registration form, these default values must be hardcoded into the HTML on the NewAuthRegistration.html form according to the type of field and instructions below:

Dropdown Fields

Dropdown selection fields such as Country and State can have the default selected value adjusted by removing the defaultName attribute on the field's <#OPTION> tag and adding the desired default value to the defaultValue attribute. In this example, the default selected value for the Country field will be "United States":

<div class="form-group col-md-4">
<label for="Country">
<span class="<#ERROR name='ERRORCountry'>">
Primary Address Country
<span class="req">(required)</span>
<select class="custom-select mr-sm-2" name="Country" id="Country" required>
<#OPTION name="Countries" selectedValue="<#PARAM name=Country>"
defaultValue="United States" /> </select> </div>
Note: Please do not change the value of the selectedValue attribute.

Text Input Fields

Text input fields such as ZIP code can have a specified value populated in the field by changing the value attribute on the field's <input> element to the desired value. In this example, the default value for the ZIP code field will be "12345":

<div class="form-group col-md-4">
<label for="Zip">
<span class="<#ERROR name='ERRORZip'>">
Primary Address Zip
<span class="req">(required)</span>
<input type="text" class="form-control" name="Zip" id="Zip"
value="12345" required>


Remote Auth in the Database

When using RemoteAuth, the AuthType in the Users table of the Aeon database is set to RemoteAuth for statistical purposes.


If this article didn’t resolve your issue, please contact Atlas Support for assistance:

Contact Support