CoSign: Secure, Intra-Institutional Web Authentication
	Open Source Web Single Sign-On

IMPORTANT: CoSign is no longer being maintained

CoSign users are encouraged to migrate to a modern authentication solution supporting OAuth/OIDC/SAML. The page remains here as a historical reference.

ORIGINAL PAGE:

An open source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. cosign is part of the National Science Foundation Middleware Initiative (NMI) EDIT software release.

News:

24 Feb 2012 - cosign 3.2.0 is now available for download. This release adds build integrity testing, adds support for httponly cookies, makes public access an option in .htaccess files, and includes a number of smaller features and fixes. Visit the download page for a full list of changes.

Important  - A session fixation vulnerability simplifying phishing attacks was discovered in all releases of cosign up to and including cosign 2.1.1. Cosign-protected organizations should upgrade to the latest release of cosign 3.x immediately, available on the download page.

Features:

• Passwords, if used, are sent only to the central weblogin service over SSL.
• Users need only authenticate once per session to access any number of cosign-protected campus sites.
• Optional per-service re-authentication.
• A compromised service host does not represent a compromise of the cosign system as a whole.
• x509 users needn't enter a password to authenticate.
• SPNEGO logins supported.
• Multi-factor authentication.
• The cosign 'friend' system allows non umich users to authenticate using self-created, centrally-administered guest accounts.
• Trusted systems can request Kerberos credentials from central server for N-Tier authentication (e.g. IMAP, LDAP, Oracle, etc.).
• There are no domain cookies used in this system.
• Sessions have both idle and hard timeouts.
• Users can logout of all cosign-protected services by visiting a single URL.

Resources:

• cosign authentication flow overview
• cosign wiki
• cosign discussion mailing list
• cosign announcements mailing list
• cosign scheme documentation
• cosign multi-factor authentication specification


• cosign filter implementation for PHP
• cosign plugin for WordPress
• cosign module for Drupal
• cosign Friend authentication

Contact: info at weblogin.org

cosign is freely available and distributed under an open source license.