
CoSign: Secure, Intra-Institutional Web Authentication
Open Source Web Single Sign-On

cosign is an open source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. It is part of the National Science Foundation Middleware Initiative (NMI) EDIT software release.


24 Feb 2012 - cosign 3.2.0 is now available for download. This release adds build integrity testing, adds support for httponly cookies, makes public access an option in .htaccess files, and includes a number of smaller features and fixes. Visit the download page for a full list of changes.

Important - A session fixation vulnerability that simplifies phishing attacks was discovered in all releases of cosign up to and including cosign 2.1.1. Cosign-protected organizations should upgrade to the latest release of cosign 3.x immediately, available on the download page.


  • Passwords, if used, are sent only to the central weblogin service over SSL.
  • Users need only authenticate once per session to access any number of cosign-protected campus sites.
  • Optional per-service re-authentication.
  • A compromised service host does not represent a compromise of the cosign system as a whole.
  • X.509 users needn't enter a password to authenticate.
  • SPNEGO logins supported.
  • Multi-factor authentication.
  • The cosign 'friend' system allows non-umich users to authenticate using self-created, centrally-administered guest accounts.
  • Trusted systems can request Kerberos credentials from the central server for N-Tier authentication (e.g. IMAP, LDAP, Oracle, etc.).
  • There are no domain cookies used in this system.
  • Sessions have both idle and hard timeouts.
  • Users can log out of all cosign-protected services by visiting a single URL.


Contact: info at

cosign is freely available and distributed under an open source license.

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 06-August-2012