CoSign: Secure, Intra-Institutional Web Authentication
|Open Source Web Single Sign-On
An open source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. cosign is part of the National Science Foundation Middleware Initiative (NMI) EDIT software release.
24 Feb 2012 - cosign 3.2.0 is now available for download.
This release adds build integrity testing, adds support for
cookies, makes public access an option in .htaccess files, and
includes a number of smaller features and fixes. Visit the
download page for a full list of changes.
A session fixation
simplifying phishing attacks was discovered in all releases
of cosign up to and including cosign 2.1.1.
Cosign-protected organizations should upgrade to the latest
release of cosign 3.x immediately, available on the
- Passwords, if used, are sent only to the central weblogin service over SSL.
- Users need only authenticate once per session to access any number of cosign-protected campus sites.
- Optional per-service re-authentication.
- A compromised service host does not represent a compromise of the cosign system as a whole.
- x509 users needn't enter a password to authenticate.
- SPNEGO logins supported.
- Multi-factor authentication.
- The cosign 'friend' system allows non umich users to authenticate using self-created, centrally-administered guest accounts.
- Trusted systems can request Kerberos credentials from central server for N-Tier authentication (e.g. IMAP, LDAP, Oracle, etc.).
- There are no domain cookies used in this system.
- Sessions have both idle and hard timeouts.
- Users can logout of all cosign-protected services by visiting a single URL.
Contact: info at weblogin.org
cosign is freely available and distributed under an open source license.