Umich Cosign… A Conversation

So, one of my classmates from a couple of semesters ago IMed me today, and we had the following conversation about the University of Michigan’s Cosign system (see previous post), and also about how to get user information from the umich directory. I thought other people at UofM looking to implement web applications using the uniqname login system might find this discussion useful.

1:29:54 PM Yaniv: i am hoping for some advice about setting up and using cosign
1:30:23 PM Kyle Mulka: for what purpose?
1:30:30 PM Yaniv: the idea is to have students log into a site with kerberos uniqnames, and be able to submit a vote
1:30:41 PM Kyle Mulka: I ask because if it’s for a University thing, then you should have the University set it up for you
1:30:53 PM Kyle Mulka: on their servers
1:31:13 PM Yaniv: yeah, i’ve been talking to the UM webmaster team also
1:31:17 PM Kyle Mulka: ITCS is good about setting cosign up on their web servers if you ask them
1:31:23 PM Kyle Mulka: and usually pay them
1:32:07 PM Yaniv: is it possible to set up on an independent server, and communicate with kerberos somehow?
1:32:15 PM Kyle Mulka: yes, it is… but it’s hard
1:32:21 PM Yaniv: liveugli, for example, is its own domain right?
1:32:42 PM Kyle Mulka: well… you’ll notice that you don’t actually log in to the liveugli domain
1:32:50 PM Kyle Mulka: just hosts the front page
1:33:03 PM Kyle Mulka: but… it is possible to use cosign on a non-umich domain
1:33:28 PM Yaniv: but you’d recommend to have itcs host it and they would set up cosign?
1:33:43 PM Kyle Mulka: yes
1:33:51 PM Kyle Mulka: I mean… is there a reason not to go that route?
1:34:07 PM Kyle Mulka: liveugli was able to get cosign set up through the GROCS program
1:34:19 PM Kyle Mulka:
1:34:30 PM Kyle Mulka: we’re considered a “project in residence”
1:34:33 PM Yaniv: the group this project is for already has a webhost from a third party
1:35:11 PM Yaniv: so let’s assume that ITCS would host it
1:35:42 PM Yaniv: then with some language, i could say something like:
1:35:58 PM Yaniv: authenticatedUser -> getGraduationYear()
1:36:06 PM Yaniv: and find some attributes about the person?
1:37:14 PM Kyle Mulka: you can query people’s year (Fresh, Soph., Junior, Senior) from the directory
1:37:28 PM Kyle Mulka: all cosign gives you is the uniqname
1:37:43 PM Yaniv: oh i see
1:37:49 PM Yaniv: and which directory are you talking about?
1:37:51 PM Kyle Mulka:
1:37:56 PM Yaniv:
1:38:11 PM Kyle Mulka: yes
1:38:19 PM Yaniv: oh very nice
1:38:24 PM Yaniv: is there an API for that?
1:38:31 PM Kyle Mulka: is just a front end for the LDAP directory
1:38:44 PM Kyle Mulka: LDAP is a standard directory protocol
1:39:03 PM Kyle Mulka: replace my uniqname in that URL with yours…
1:39:13 PM Kyle Mulka:
1:39:21 PM Kyle Mulka: that’s all the info you can pull from the directory…
1:39:34 PM Kyle Mulka: however, not all of it is public… some people have made theirs private
1:39:49 PM Yaniv: right
1:39:59 PM Kyle Mulka:
1:40:13 PM Yaniv: so the umich LDAP server is publicly available?
1:40:28 PM Kyle Mulka: yes
1:41:06 PM Kyle Mulka: here’s the source code for that script if you want to use it
1:41:06 PM Kyle Mulka:
1:41:39 PM Kyle Mulka: you’ll notice the host name for the ldap server:
1:41:40 PM Kyle Mulka:
1:42:40 PM Kyle Mulka: but… when it comes down to it, if you just want to run elections… I would recommend not writing your own program, and using the one MSA, LSA-SG, and UMEC use
1:42:49 PM Kyle Mulka:
1:43:44 PM Yaniv: right right, i’ve been in contact with their developer about that, we’re trying to arrange something
1:43:59 PM Yaniv: but I wanted to have a sense of what is involved in case that doesn’t work out
1:44:25 PM Kyle Mulka: you have a better chance with that than getting cosign running yourself
1:45:06 PM Kyle Mulka: but… if you want the adventure, feel free to give it a try
1:45:41 PM Kyle Mulka: here’s some of my notes from when I did it a couple years ago
1:45:41 PM Kyle Mulka:
1:45:58 PM Kyle Mulka: and… you’ve probably seen the cosign page
1:45:59 PM Kyle Mulka:
1:46:26 PM Yaniv: suppose i get cosign installed on an independent server, i still have to tell it to communicate with the UM credentials somehow, right?
1:46:37 PM Kyle Mulka: uh… yea…
1:47:00 PM Kyle Mulka: basically, you have to generate a certificate and get it signed by the UM webmasters
1:47:37 PM Kyle Mulka: digital certificate, digitally signed if that wasn’t already clear
1:47:58 PM Yaniv: ok, so in these 10 minutes, i concluded that it’s much better to have itcs host it
1:48:09 PM Yaniv: and even better to use the existing voting site
1:48:23 PM Kyle Mulka: and… if you do an independent thing, you’ll have to pay for a certificate if you don’t want that annoying box coming up
1:48:33 PM Kyle Mulka: which … costs about $100
1:48:46 PM Yaniv: right, that’s true, i forgot about that
1:48:50 PM Yaniv: needs the SSL
1:49:04 PM Kyle Mulka: ssl isn’t actually required though… just recommended
1:49:19 PM Kyle Mulka: liveugli doesn’t use ssl
1:49:31 PM Yaniv: oh.. i see..
1:49:52 PM Kyle Mulka: one reason we don’t use it is because IE would complain on every page load that there were “unsecure” things on the page
1:49:58 PM Kyle Mulka: like… the Google Maps API
1:50:27 PM Yaniv: yes, that would be annoying
1:50:53 PM Yaniv: ok, well that was very helpful, i do have a much better understanding of the big picture
1:50:58 PM Yaniv: thank you very much
1:51:03 PM Kyle Mulka: you’re welcome
1:51:56 PM Kyle Mulka: I probably should have pointed you to this too…
1:51:57 PM Kyle Mulka:
1:52:09 PM Yaniv: oh and thanks for that php code, i’ll look at it more closely, i’ll let you know if i use it and credit you if i do
1:52:34 PM Kyle Mulka: k, thanks
1:54:01 PM Yaniv: your articles are very good, i should have searched for them :)
1:55:59 PM Kyle Mulka: I appreciate the compliment, thanks
2:02:17 PM Kyle Mulka: Yaniv, do you mind if I post the transcript of this conversation?
2:11:53 PM Yaniv: no, not at all, please do