CyberSource Configuration

Print Friendly and PDF Follow

As of Aeon 4.1, Aeon may utilize CyberSource as a payment gateway through the use of Secure Acceptance profiles for user transactions. This requires some initial setup and testing from the server to properly enable. The set up can be broken down into two different categories:

  1. Setting up a Merchant Account.
  2. Customization Manager changes and set up.

Further documentation for CyberSource’s Payment gateway can be found here:

CyberSource Documentation

The instructions for configuring the Aeon URLs to CyberSource are were written for sites using the Aeon Authentication option. If you use a single sign-on such as CAS or Shibboleth, please see the Configuring Under Remote Authentication after setting up your Merchant Account Profile.

Merchant Account Configuration 

To set up CyberSource, you will need to set up and configure a merchant account through the CyberSource Business Center. The initial configuration and testing should be done through the Test Business Center. Once it's been confirmed that the service works as expected, you can go live following the same steps using the Live Business Center.

Before starting, retrieve from within the Customization Manager the current value for the Customization Key WebURL. This will be referenced later in the setup procedure.

Initial setup of secure acceptance profile

  1. On the left-hand menu click Payment Configuration (cogwheel), then select Secure Acceptance Settings.
  2. Under active profiles click New Profile.NewProfile.png
  3. Fill out the Create Profile menu:
    1. Select the Hosted Checkout option under Integration Methods.
    2. Note: The Added Value Services are not required. CreateProfile.png
  4. Click Submit. You will automatically be redirected to a new Edit Profile Form.
    1. Take note of the Profile ID for the new account. You will need this information for setting up the Payment Gateway in the Customization Manager for Aeon.

Customer Response

  1. Under the new Edit Profile form, Select the Customer Response tab.
  2. The following URLs will be adapted from Customization Key WebURL. Please enter the following values based on the response questions below:
    Response Question Value
    Transaction Response page Hosted By You
    <WebUrl> /aeon.dll?Action=30&Type=116
    Custom Cancel Response Page Hosted By You
    <WebUrl> /aeon.dll?Action=30&Type=116
  3. Under Payment Settings, choose at least one payment method.
See “Configuration Under Remote Authentication” at the end of this document for a more in-depth explanation of the values for the customer response questions.


  2. Select Visa.
  3. Click the cogwheel Icon to the left of the new Visa.
  4. Under the new Visa Settings panel:
    1. Activate any CVN security settings required by your institution.
    2. Select at least one currency from the Currencies.
    3. Click Submit to save the settings changes.



  1. Under the new Edit Profile form, Select the Notifications tab.
  2. The following URLs will be adapted from Customization Key WebURL. Please enter the following values based on the response questions below:
    Notification Type Value
    Merchant Post URL <WebUrl> /aeon.dll?Action=30&Type=115
    Merchant Post URL
    • Adding an email address in addition to the URL will ensure you receive POST receipts.
PayPal Express Checkout is not currently supported in Aeon through CyberSource at this time.
See “Configuration Under Remote Authentication” at the end of this document for a more in-depth explanation of the values for the customer response questions.

Payment Form

  1. Select the Payment Form tab. PaymentForm.png
  2. Fill out the required fields:
    1. It's highly recommended to Use a Single Page Form for checkout and to Mask Sensitive Fields.

Generating a New Key

  1. Select the Security tab.
  2. Under Active keys, click the create key (+) button. ActiveKeys.png
  3. Under the new Security Keys form, fill in the Key Creating information:
    1. Fill in the Key Name value.
    2. Set the Signature Version to Version 1.
    3. Set the Signature Method to HMAC-SHA256. SecurityKeys.png
  4. Click Create to add the new key.
  5. You will have a limited time to copy both your Access and Secret key from the form. Please copy and paste the information to a secure location. SecurityKeys2.png
    • Note: Be sure to safeguard the private key. It's recommended after storing it the access key and secret key on the server to delete or safely store any copies of it.
    • Any other customizations to the profile aside from the above mentioned are at the discretion of the user.
  6. Once finished, click Save.
  7. The profile must be promoted to Active after saving to use. To activate the profile, select the profile name by clicking on the menu (ThreeDots.png), and then select activate profile. ActiveProfile.png

Customization Manager Changes and Set Up

After setting up Merchant Account Configuration, you should have saved three pieces of information:

  • The Access Key
  • The Secret Key
  • The Profile ID

Follow the instructions below to add your Merchant Account profile information to the Aeon Customization Manager:

  1. Within the Aeon Customization Manager, change the PaymentProvider customization key to “CyberSource”.
  2. Change the PaymentProviderToken customization key to the previously copied Access Key.
  3. Change the PaymentProviderResponseToken customization key to the previously copied Secret Key.

Note: Be sure to safeguard the private key. It is recommended after storing it within the server to delete or safely store any copies of it.

  1. Change the PaymentProviderMerchantId customization key to the previously copied Profile ID.

Next, you will need to modify the CreditCardPayment.html web page. This file can be downloaded from the Aeon Downloads page as part of the Aeon 4.1 default web pages. See the instructions below for the required changes:

  1. Open the default directory in File Explorer where your CreditCardPayment.html page is located.
  2. Overwrite the CreditCardPayment.html web page with the feature specific one for CyberSource (within “Feature Specific Pages/CyberSource/”).

Configuration Under Remote Authentication

For sites that use a single sign-on system (SSO) such as CAS or Shibboleth, the URL from the WebURL customization key may not work as intended. To explain the conditions where differences apply, we’ll start with a typical setup for a site that uses SSO.


Unlike SSO sites, Aeon authentication sites typically only have two Aeon web directories: one protected used for SSO and one unprotected that uses Aeon authentication. They’re often named as such, with WebURL pointing to the first URL:

The default Aeon directory, protected by CAS.
< www.instituion.url/aeon/ > 
The open directory used for Aeon authentication.
< www.instituion.url/noncas/ >

When navigating to a resource under a protected directory (/aeon in this example), the web server checks to see if the user has an active session token and, if not, the user will be redirected to a login page that will only allow the user to continue after providing valid credentials. Once the active token is created, the protected nature of the directory is unnoticeable until the token expires.

The problem with this is that CyberSource will want to make a web request back to Aeon (in the background, server-to-server, without involving the user’s web browser) to report the result of a transaction. If it’s directed to a protected directory, it will always be intercepted before reaching the aeon.dll. In this case, it’s important to make sure we direct CyberSource to the unprotected Non-CAS directory to ensure Aeon receives the notification.

The problem only occurs for CyberSource when it makes the server-to-server request (to the URL configured in the Notifications section). The URLs configured in the Customer Response section don’t have this problem because CyberSource is redirecting the user’s browser to the provided URLs, and in that case, the user will have a valid SSO token or will be able to sign in again if needed.

Work Around

To work around this issue the CreditCardPayment.html pages will have to be edited differently in each directory, and you won’t always be able to use the WebURL customization key. The default web page has a disabled section with fields that can be used to override the URLs configured in the CyberSource Business Center. The fields are override_backoffice_post_url, override_custom_cancel_page, and override_custom_receipt_page.

Protected Directory

In the case of the protected directory (/aeon), the value of the override_backoffice_post_url input must point to the unprotected directory. To override the URL, please add the following value to the CreditCardPayment.html page:


Unprotected Directory

In the case of the unprotected directory, users won’t have credentials for the SSO system; therefore, they will need to be redirected to the unprotected directory. To override the URL, please fill out the following values in the CreditCardPayment.html page. These values will appear in within the comment section (default lines 81-87) of the file:


Back to the top


If this article didn’t resolve your issue, please take a moment and answer a few questions to help improve our documentation: