Cosign at U-M

Information and Technology Services continues to partner with units to discontinue use of the two-decade old Cosign Authentication service by the end of June 2023. The full retirement of the service will occur in October 2023 with the decommissioning of the Cosign servers.

Originally designed at U-M, the open source software was once widely used across higher education. Now only a handful of universities still use Cosign, and the open source community that once maintained and developed it has dwindled.

Subscribe to Cosign and Shibboleth emails 

Don’t miss Cosign retirement news by joining Single Sign On Notify, a self-joinable MCommunity group. The retirement project will communicate future drop-in sessions, project impacts, and reminders to this group.

Retirement milestones

Cosign will continue to function throughout the duration of the retirement timeline through the decommission date. For more information about the retirement milestones and associated activities, see the Cosign Service Retirement - Transition Plan.

May 7, 2022 (Complete)	Self-service for installing Cosign with new applications ended.
End of September 2022	Units attest to discontinuing or creating plans to discontinue using Cosign by June 2023, per the FY22 Internal Controls certification process.
Spring, 2023	Technical change removes Shibboleth’s reliance on Cosign. Currently Shibboleth uses Cosign for authentication.
June 2023	Units discontinue using Cosign. If a unit has a plan but is unable to be off of Cosign by June 30, they need to contact the ITS Service Center to submit a ticket to the IAM Single Sign On group.
October 16, 2023	Decommission servers and fully retire service.

Terminating Cosign integrations

In May 2022, all systems using the authentication service were required to have an exception to continue to run Cosign. Each month going forward through September 2023, ITS will terminate Cosign integrations for applications with fewer than 20 logins during the prior 90 days.

Cosign integrations will be terminated monthly on the following dates:

• February 27: Applications with fewer than 20 logins in the 90 days prior to January 31, 2023.
• April 3: Applications with fewer than 20 logins in the 90 days prior to February 28.
• April 24: Applications with fewer than 20 logins in the 90 days prior to March 31.
• May 31: Applications with fewer than 20 logins in the 90 days prior to April 30.
• June 26: Applications with fewer than 20 logins in the 90 days prior to May 31.

When a Cosign integration is terminated, users will no longer be able to sign into the system. To continue to use a Cosign integration for a limited time, be sure your application has recent log-on activity. If a Cosign integration ends and is later discovered to be needed, contact the ITS Service Center to submit a ticket to the IAM Single Sign On group.

A list of applications with Cosign integrations that have fewer than 20 logins in the prior 90 days will be shared monthly with the Strategic Technology Advisory Committee (STAC) and the U-M Security Community groups.

Support labs

To assist with the transition, ITS has created the resource kit below that contains detailed instructions. Additionally, members of the project team were available on Zoom to discuss unit transition at monthly drop-in support labs leading up to the retirement of the Cosign service.

Toolkit - Resources to switch from Cosign to Shibboleth

If your service currently uses Cosign, plan to move to Shibboleth by June 2023. Shibboleth can be set up to use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), two industry standard protocols.

• If you host systems on your own servers, refer to the following resources:
  • Identify Cosign on a System
  • Shibboleth Protocol Options
  • Set Up a SAML Service Provider for use with Shibboleth at U-M
  • Set Up an OIDC Service Provider for use with Shibboleth at U-M
  • Shibboleth at U-M
• If your systems are hosted on servers provided by the ITS Web Hosting service, see the new OIDC Provisioning and Management tool to provision your systems to OIDC. Visit Migrate Your Website Off of Cosign for the detailed instructions, including steps for using OIDC on Drupal, WordPress, and PHP websites hosted and not hosted by ITS.

Although ITS can identify traffic from applications using Cosign, we are unable to identify the specific applications or departments that own them. Please help us in communicating the retirement details and support resources to others who may be using Cosign for authentication. To make this easier, please use and customize the resources available in the Cosign Retirement communications toolkit. 

Questions?

Send email to the Cosign Retirement team at [email protected].