Cosign at U-M

Information and Technology Services continues to partner with units to discontinue use of the two-decade old Cosign Authentication service by the end of June 2023. The full retirement of the service will occur in October 2023 with the decommissioning of the Cosign servers.

Originally designed at U-M, the open source software was once widely used across higher education. Now only a handful of universities still use Cosign, and the open source community that once maintained and developed it has dwindled.

Exceptions to be removed monthly for inactive systems

In May 2022, all systems using the authentication service were required to have an exception to continue to run Cosign. To continue to limit Cosign use, exceptions will be removed monthly for applications with fewer than 20 logins during the prior 90 days.

Exceptions will be removed monthly on the following dates:

• February 27: Applications with fewer than 20 logins in the 90 days prior to January 31, 2023.
• April 3: Applications with fewer than 20 logins in the 90 days prior to February 28.
• April 24: Applications with fewer than 20 logins in the 90 days prior to March 31.
• May 31: Applications with fewer than 20 logins in the 90 days prior to April 30.
• June 26: Applications with fewer than 20 logins in the 90 days prior to May 31.

When an exception is removed, users will no longer be able to sign into the system. To continue to receive an exception for a limited time, be sure your application has recent log-on activity. If an exception is removed and later discovered to be needed, contact the ITS Service Center to submit a ticket to the IAM Single Sign On group.

A list of applications that have exceptions to use Cosign and that have fewer than 20 logins in the prior 90 days will be shared monthly with the Strategic Technology Advisory Committee (STAC) and the U-M Security Community groups.

Upcoming support labs

To assist with the transition, ITS has created the resource kit below that contains detailed instructions. Additionally, members of the project team will be available on Zoom to discuss unit transition at the following drop-in support labs:

• Tuesday, April 11, 11a.m. - 12 p.m. (Add to Google Calendar)
• Tuesday, May 9, 11a.m. - 12 p.m. (Add to Google Calendar)
• Tuesday, June 20, 11a.m. - 12 p.m. (Add to Google Calendar)

Toolkit - Resources to switch from Cosign to Shibboleth

If your service currently uses Cosign, plan to move to Shibboleth by June 2023. Shibboleth can be set up to use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), two industry standard protocols.

• If you host systems on your own servers, refer to the following resources:
  • Identify Cosign on a System
  • Shibboleth Protocol Options
  • Set Up a SAML Service Provider for use with Shibboleth at U-M
  • Set Up an OIDC Service Provider for use with Shibboleth at U-M
  • Shibboleth at U-M
• If your systems are hosted on servers provided by the ITS Web Hosting service, see the new OIDC Provisioning and Management tool to provision your systems to OIDC. Visit Migrate Your Website Off of Cosign for the detailed instructions, including steps for using OIDC on Drupal, WordPress, and PHP websites hosted and not hosted by ITS.

Although ITS can identify traffic from applications using Cosign, we are unable to identify the specific applications or departments that own them. Please help us in communicating the retirement details and support resources to others who may be using Cosign for authentication. To make this easier, please use and customize the resources available in the Cosign Retirement communications toolkit. 

Retirement milestones

Cosign will continue to function throughout the duration of the retirement timeline through the decommission date.

May 7, 2022 (Complete)	Self-service for installing Cosign with new applications ended.
End of September 2022	Units attest to discontinuing or creating plans to discontinue using Cosign by June 2023, per the FY22 Internal Controls certification process.
April 15, 2023	Technical change removes Shibboleth’s reliance on Cosign. Currently Shibboleth uses Cosign for authentication.
June 2023	Units discontinue using Cosign. If a unit has a plan but is unable to be off of Cosign by June 30, they need to contact the ITS Service Center to submit a ticket to the IAM Single Sign On group.
October 16, 2023	Decommission servers and fully retire service.

Subscribe to Retirement Project emails 

Don’t miss Cosign retirement news by joining Single Sign On Notify, a self-joinable MCommunity group. The retirement project will continue to communicate future drop-in sessions, project impacts, and reminders to broad groups within the Michigan IT community.

Questions?

Send email to the Cosign Retirement team at beyond.cosign@umich.edu.