Cosign is the authentication mechanism that the University of Michigan uses to authenticate users to their web applications. It allows the user of a web application the ability to use their standard University of Michigan uniqname and password with that application safely. The password is always transmitted directly to a secure central server (https://weblogin.umich.edu/) and behind the scenes, that central server tells the web application what the uniqname of the user is via a server side variable. This means that the web application never actually puts its hands on a users password, and even if the service is hacked, it will only affect that one service and not entire users accounts.
For this article, I’m only going to describe the University of Michigan’s implementation of Cosign. It is possible for other institutions to download the entire source code for Cosign and host their own central server which handles all authentication, but I’m not going to cover that since I don’t know much about the Cosign authentication server, just the Cosign which runs on the web server serving the specific web application you want secured via Cosign.
In order to use Cosign, you have to have it installed on the server your web application is running on. Installing the Cosign client is no easy task. There are many things that make this challenging for someone who doesn’t really know what they are doing. Here’s some things you need to know in order to truly understand what’s going on here.
Cosign requires you have an SSL secured web page (HTTPS) for at least the authentication step of your web application. They reccommend you SSL secure anything that is not public that you have to be logged in to view otherwise user session to your web application could be hijacked.
In order for your web application to communicate with the central authentication server, the webmasters need to sign an SSL certificate for your server. This ensures that the communication between your web application and the central server is always secure.
Installing Cosign from source can always be an interesting challenge, especially if it doesn’t work the first time. I’ll try to go into this in more detail in another article. In the meantime, just check out these notes on my Cosign installation I wrote up a while ago, and the official Cosign web page.