ITS Information Assurance required that all university websites, including websites hosted through ITS Web Hosting, discontinue using Cosign by June 30, 2023. Some websites were moved to use web server-based authentication using mod_auth_openidc on a temporary basis because they could not meet the deadline. ITS Web Hosting strongly recommends that websites use Web Application-based authentication and not Web Server-based authentication. Using Web Application-based authentication gives the web application more control of the authentication process. This will also prepare your web application to move to one of the new ITS Wolverine Web Services external vendors that ITS is setting up to eventually replace AFS Web Hosting.
This webpage provides instructions for updating websites to use Web Application-based authentication. To determine if your website is using mod_auth_openidc, review the status of your website by going to the AFS Unit Websites Dashboard.
Prerequisites to use OIDC for authentication:
- Use either PHP 7.3 or PHP 8.1. If you are on a version of PHP that is earlier than 7.3, please refer to Upgrade PHP.
- Be on the latest version of WordPress, Drupal 7, Drupal 9, Drupal 10, or other Content Management System. If your website is using an old version, please refer to Upgrade CMS.
How to migrate to use Web Application-based authentication:
Step 1: Get Started - Website Owner
- Determine if you will need to test your changes before you apply them to your production site. To ensure a smooth transition of changes to your production environment with minimal downtime, it is recommended that you use a test environment.
- If you need a test environment, or if your existing test environment is not an up-to-date clone of your production environment, fill out an ITS Web Hosting Upgrade Form to notify the ITS Web Hosting team that you will be migrating off of Cosign and, if needed, to request a temporary test environment.
- If you already have a test environment that is a recent clone of your production website, skip to step 3.
- If you will not be using a test environment and intend to make changes directly to the production website, skip to step 6.
Step 2: Set up new test environment - ITS
- The ITS Web Hosting team will set up a test environment that is a clone of your production website.
- ITS will notify the website owner when the test environment is ready by updating the ticket.
Step 3: Upgrade in test environment - Website Owner
- Make notes of all changes that you make, as you will need to repeat these same steps for your production environment in step 6.
- Configure your web app for OIDC in your test environment:
  - Migrating existing Drupal 7 website to use OIDC for Web Application-based Authentication
  - Migrating existing Drupal 9 website to use OIDC for Web Application-based Authentication
  - Migrating existing WordPress website to use OIDC for Web Application-based Authentication
  - Migrating existing PHP App to use OIDC for Web Application-based Authentication
- When you have completed your web application updates in the test environment, fill out a new ITS Web Hosting Upgrade Form to notify the ITS Web Hosting team to remove mod_auth_openidc support for your website from the Web Server Configuration in the test environment.
Step 4: Remove mod_auth_openidc support in the test environment - ITS
- ITS will remove mod_auth_openidc support for the website from the Web Server Configuration in the test environment.
- ITS will notify the website owner when the website can be tested using OIDC Web Application-based authentication in the test environment.
Step 5: Test OIDC in test environment - Website Owner
- Test OIDC Web Application-based authentication in the test environment.
- Troubleshoot and fix if needed.
- Update the ticket to say that you have finished testing in the test environment and will start configuring your production website for OIDC.
Step 6: Upgrade to OIDC Web Application-based authentication in production environment - Website Owner
Note: Changes in Steps 6, 7, and 8 will affect your production site; you may choose to schedule these changes together with ITS to minimize the impact to the users of your website.
- Follow the notes you made in steps 3 and 5 to configure your web app for OIDC Web Application-based authentication in the production environment.
- Note: you cannot reuse the OIDC credentials you obtained for your test environment; you will need to obtain a separate set of OIDC credentials for your production website.
- Update the ticket to notify the ITS Web Hosting team to remove mod_auth_openidc support for your website from the Web Server Configuration so that you can test in the production environment.
Step 7: Remove mod_auth_openidc support in the production environment - ITS
- ITS will remove mod_auth_openidc support for the website from the Web Server Configuration in the production environment.
- ITS will notify the website owner when the website can be tested using OIDC Web Application-based authentication in the production environment.
Step 8: Test OIDC Web Application-based authentication in the production environment - Website Owner
- Test OIDC Web Application-based authentication in the production environment.
- Troubleshoot and fix if needed.
- Update the ticket to notify the ITS Web Hosting team that the website has been migrated off of Cosign and the mod_auth_openidc environment can be removed.
Step 9: Remove the test environment - ITS
- ITS removes the website test environment.
- ITS closes the ticket.
OIDC support documentation
WordPress
- Migrating existing WordPress website to use OIDC for Web Application-based Authentication
- New WordPress websites
- UMich OIDC Login plugin: Configure WordPress Site to Restrict Access Using OIDC Logins and MCommunity Groups
- Alternative: OpenID Connect Generic Client plugin: Install and Configure OpenID Connect (OIDC) Client for WordPress
Drupal 7
- Migrating existing Drupal 7 website to use OIDC for Web Application-based Authentication
- New Drupal 7 website setup to authenticate using OIDC
- Configure Drupal 7 website to restrict access to pages using MCommunity groups
Drupal 9
- Migrating existing Drupal 9 website to use OIDC for Web Application-based Authentication
- New Drupal 9 website setup to authenticate using OIDC
- Configure Drupal 9 website to restrict access to pages using MCommunity groups
Non-Drupal/WordPress PHP Applications
- Migrating existing PHP App to use OIDC for Web Application-based Authentication
- New PHP App setup to authenticate using OIDC
- Web-server level authentication using mod_auth_openidc to set the REMOTE_USER environment variable is available for web applications in special situations. Contact [email protected] for details.