
CoSign: Secure, Intra-Institutional Web Authentication
Open Source Web Single Sign-On
 

An open source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. cosign is part of the National Science Foundation Middleware Initiative (NMI) EDIT software release.

News:

Important!  A security vulnerability has been discovered and fixed in the IISCosign filter: COSIGN-VULN-2007-003. Sites running cosign-protected Microsoft IIS web servers should immediately upgrade to IISCosign 2.0.3.

Urgent!  Two remotely exploitable vulnerabilities have been discovered and fixed in the cosign weblogin server code: COSIGN-VULN-2007-001, COSIGN-VULN-2007-002. Sites running their own weblogin servers should immediately upgrade to cosign-2.0.2a, cosign-1.9.4b, or apply the patch that is available on the download page.

New!  A cosign module for Drupal is now available.

New!  The cosign Wiki is up and running.

New!  The comprehensive cosign scheme document is now available.

JavaCosign 2.0 is now available for download.

The cosign Friend system is now available separately from CoSign, to facilitate its integration with other web single sign-on systems.

The updated specification for Multiple Factor Authentication is now available.

See the download page for download links, revision history, and MD5 checksums.

Features:

  • Passwords, if used, are sent only to the central weblogin service over SSL.
  • Users need only authenticate once per session to access any number of cosign-protected campus sites.
  • Optional per-service re-authentication.
  • A compromised service host (see the overview) does not represent a compromise of the cosign system as a whole.
  • X.509 users needn't enter a password to authenticate.
  • The cosign 'friend' system allows non-umich users to authenticate using self-created, centrally-administered guest accounts.
  • Trusted systems can request Kerberos credentials from the central server for N-Tier authentication (e.g. IMAP, LDAP, Oracle, etc.).
  • There are no domain cookies used in this system.
  • Sessions have both idle and hard timeouts.
  • Users can log out of all cosign-protected services by visiting a single URL.

The University of Edinburgh has provided an Evaluation of Web Single Sign-On Technologies to the United Kingdom's JISC.

The University of Auckland, New Zealand has provided us with their WebSSO Implementation Comparison from their review of available solutions.

The Pennsylvania State University also has a Web Single Sign On Evaluation Whitepaper available that includes cosign.

Announcements: Join cosign-announce

Discussion: Join cosign-discuss

Contact: cosign at umich.edu

cosign is freely available and distributed under an open source license.

 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 29-January-2008