CoSign: Secure, Intra-Institutional Web Authentication
|Open Source Web Single Sign-On
An open source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system. cosign is part of the National Science Foundation Middleware Initiative (NMI) EDIT software release.
24 Feb 2012 - cosign 3.2.0 is now available for download.
This release adds build integrity testing, adds support for
cookies, makes public access an option in .htaccess files, and
includes a number of smaller features and fixes. Visit the
download page for a full list of changes.
A session fixation
simplifying phishing attacks was discovered in all releases
of cosign up to and including cosign 2.1.1.
Cosign-protected organizations should upgrade to the latest
release of cosign 3.x immediately, available on the
- Passwords, if used, are sent only to the central weblogin service over SSL.
- Users need only authenticate once per session to access any number of cosign-protected campus sites.
- Optional per-service re-authentication.
- A compromised service host does not represent a compromise of the cosign system as a whole.
- x509 users needn't enter a password to authenticate.
- SPNEGO logins supported.
- Multi-factor authentication.
- The cosign 'friend' system allows non umich users to authenticate using self-created, centrally-administered guest accounts.
- Trusted systems can request Kerberos credentials from central server for N-Tier authentication (e.g. IMAP, LDAP, Oracle, etc.).
- There are no domain cookies used in this system.
- Sessions have both idle and hard timeouts.
- Users can logout of all cosign-protected services by visiting a single URL.
The University of Edinburgh has provided an Evaluation of Web Single Sign-On Technologies to the United Kingdom's JISC.
The University of Auckland, New Zealand has provided us with their WebSSO Implementation Comparison from their review of available solutions.
The Pennsylvania State University also has a Web Single Sign On Evaluation Whitepaper available that includes cosign.
Contact: info at weblogin.org
cosign is freely available and distributed under an open source license.