Cosign has been the university's secure single sign-on web authentication system for more than 15 years. Originally designed at U-M, the open source software was once widely used across higher education.
Now, however, only a handful of universities still use cosign, and the open source community that once maintained and developed it has dwindled. As universities look to the cloud for software, hardware, and storage, they increasingly need to integrate across vendor, cloud, and on-premise systems and use authentication that relies on federated identity management.
Planning a Move Away from Cosign
The ITS Identity & Access Management team is exploring how the university could begin moving away from use of cosign authentication and toward more modern, flexible, supportable alternatives.
Some first steps might include:
U-M's Shibboleth Identity Provider (IdP) currently functions as a cosign service provider. We could switch that relationship and make our cosign installation function as a Shibboleth Service Provider (SP) using SAML.
- ITS could replace cosign authentication with Shibboleth authentication for an ITS service. This work would give us a sense of the effort involved in moving a production service from cosign to Shibboleth authentication and help us identify transition issues and solutions.
First, we will work to plan and implement service transitions from cosign to alternative services within ITS. There are more than 1,600 services associated with the university that use cosign authentication, so moving away from cosign will take time and a lot of collaboration.
- We will continue to explore and learn about the technical work that will be required to move away from use of cosign—and the potential impact of such a move on the U-M community.
- We will talk and work with U-M IT staff groups and leaders across the university.
- We will be guided by our responsibility to be good stewards of the university's resources, technology, and data and our commitment to support and serve the mission of the university.
If you'd like to work with us on this important effort, please contact firstname.lastname@example.org.