CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cosign Re-Authentication Specification

Hey Cosign List,

We've been kicking around the idea that a specific Cosign service would be able to force a re-authentication before allowing a user access to that service. This has been suggested as a requirement by people in both the financial and medical (HIPAA) arenas of the University of Michigan.

Based on the conversation we had with some people in Michigan's Administrative Information Services (MAIS) group on Friday, here's the preliminary spec for how Re-Auth should work. We welcome comments, suggestions, and questions from the entire Cosign community.

Setup ( to be done beforehand ):

A specific service name ( cosign-[servicename] ) registers with the central cgi/daemon to assert that Re-Auth is required to access said service. Other than that, there is no special configuration necessary for the filters ( java/apache/iis ).

How it works:

Upon hitting a page protected by a servicename that is registered with us as Re-Auth, the user will be redirected to the central cosign server, where 1 of 2 things will happen.

1) First Time (not logged in already):

If this is the first CosignProtected service they've visited during their session ( aka they ARE NOT logged in ), they will be presented with the normal login screen ( ), where they will have as many opportunities to type their correct username and password as they like. Upon correctly entering in a login/password pair, they will be redirected back to the page they were previously trying to access ( the one that required re-auth ) and the "time of re-authentication" will be when the local copy of the service cookie is created.

2) Already logged in somewhere:

If the user has already accessed another CosignProtected service ( aka they ARE logged in ), they will be redirected to the Re-Authentication Page ( see for a mock-up, but don't type your password as this is not a real page! :) where they will be prompted for the password of the user who is already authenticated ( ie the login name will be a static field, as shown ). They will then have N chances ( 3 is on the table, as may be other numbers ) to correctly enter the password for that particular username. If they fail after N attempts, they will be logged out of the central Cosign server and all their sessions will be terminated. They will then be brought to the N Strikes page ( see, again merely a suggestion, not the actual text ) where this will be explained and they will have the opportunity to try again. Should they choose to try again and are able to succeed, they will be redirected back to the original referrer ( the servuce that required re-auth ).

Please send all comments to the list.

Johanna and the Cosign Development Team

Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010