Website Application-Based Authentication

ITS Information Assurance required that all university websites, including websites hosted through ITS Web Hosting, discontinue using Cosign by June 30, 2023. Some websites were moved to use web server-based authentication using mod_auth_openidc on a temporary basis because they could not meet the deadline. ITS Web Hosting strongly recommends that websites use Web Application-based authentication and not Web Server-based authentication. Using Web Application-based authentication gives the web application more control of the authentication process. This will also prepare your web application to move to one of the new ITS Wolverine Web Services external vendors that ITS is setting up to eventually replace AFS Web Hosting.

This webpage provides instructions for updating websites to use Web Application-based authentication. To determine if your website is using mod_auth_openidc, review the status of your website by going to the AFS Unit Websites Dashboard.

Note: While ITS maintains the infrastructure of websites, it is the responsibility of the website owner to make updates to their site.

Prerequisites to use OIDC for authentication:

  • Use either PHP 7.3 or PHP 8.1. If you are on a version of PHP that is earlier than 7.3, please refer to Upgrade PHP.
  • Be on the latest version of WordPress, Drupal 7, Drupal 9, Drupal 10, or another Content Management System. If your website is using an old version, please refer to Upgrade CMS.

How to migrate to use Web Application-based authentication:

Step 1: Get Started - Website Owner

  • Determine if you will need to test your changes before you apply them to your production site. To ensure a smooth transition of changes to your production environment with minimal downtime, it is recommended that you use a test environment.
  • If you need a test environment or you have a test environment that is not an up-to-date clone of your production environment and need help, fill out an ITS Web Hosting Upgrade Form to notify the ITS Web Hosting team that you will be migrating off of Cosign and to ask for a temporary test environment setup if needed.
  • If you already have a test environment that is a recent clone of your production website, skip to step 3.
  • If you will not be using a test environment and intend to make changes directly to the production website, skip to step 6.

Step 2: Set up new test environment - ITS

  • The ITS Web Hosting team will set up a test environment that will be a clone of your production website.
  • ITS will notify the website owner when the test environment is ready by updating the ticket.

Step 3: Upgrade in test environment - Website Owner

Step 4: Remove mod_auth_openidc support in the test environment - ITS

  • ITS will remove mod_auth_openidc support for the website from the Web Server Configuration in the test environment.
  • ITS will notify the website owner when the website can be tested using OIDC for web application-based authentication in the test environment.

Step 5: Test OIDC in test environment - Website Owner

  • Test OIDC web application-based authentication in the test environment.
  • Troubleshoot and fix if needed.
  • Update the ticket to say that you have finished testing in the test environment and will start configuring your production website for OIDC.

Step 6: Upgrade to OIDC Web Application-based authentication in production environment - Website Owner

Note: Changes in Steps 6, 7, and 8 will affect your production site; you may choose to schedule these changes together with ITS to minimize the impact to the users of your website.

  • Follow the notes you made in steps 3 and 5 to configure your web app for OIDC web application-based authentication in the production environment.
    • Note: you won’t be able to use the same OIDC credentials that you obtained for your test environment; you will need to obtain a different set of OIDC credentials for use with your production website.
  • Update the ticket to notify the ITS Web Hosting team to remove mod_auth_openidc support for your website from Web Server Configuration to test in the production environment.

Step 7: Remove mod_auth_openidc support in the production environment - ITS

  • ITS will remove mod_auth_openidc support for the website from the Web Server Configuration in the production environment.
  • ITS will notify the website owner when the website can be tested using OIDC for web application authentication in the production environment.

Step 8: Test OIDC Web Application authentication in production environment - Website Owner

  • Test OIDC web application authentication in the production environment.
  • Troubleshoot and fix if needed.
  • Update the ticket to notify the ITS Web Hosting team that the website has been migrated off of Cosign and the mod_auth_openidc environment can be removed.

Step 9: Remove the test environment - ITS

  • ITS removes the website test environment.
  • ITS closes the ticket.

OIDC support documentation

WordPress

Drupal 7

Drupal 9

Non-Drupal/WordPress PHP Applications

General