ITS Information Assurance is requiring that all university websites, including websites hosted through ITS Web Hosting, discontinue using Cosign by June 30, 2023.
ITS Web Hosting strongly recommends that websites using Cosign switch to using OpenID Connect (OIDC) for website authentication and use it at the web application (or website) level and not at the web server level. Performing authentication in the web application rather than the web server gives the web app more control of the authentication process. This webpage provides instructions for updating websites to use OIDC at the web application level. Web server level authentication using mod_auth_openidc to set the REMOTE_USER environment variable is available for web applications in special situations. If you need to set up your authentication at the web server level, please contact the ITS Web Hosting team by filling out the ITS Web Hosting Upgrade Form.
To determine if your website is using Cosign, review the status of your website by going to AFS Unit Websites Dashboard.
Prerequisites to migrate your website from Cosign to OIDC for authentication:
- Use either PHP 7.3 or PHP 8.1. If you are on a version of PHP that is earlier than 7.3, please see Upgrade PHP.
- If your website uses any HTTP, please see Migrate to HTTPS.
- Be on the latest version of WordPress, Drupal 9, Drupal 7, or other Content Management System. If your website is using an old version, please see Upgrade CMS.
What you need to do if you are migrating to OIDC
Step 1: Get Started - Website Owner
- Determine if you will need to test your changes before you apply them to your production site. To ensure a smooth transition of changes to your production environment with minimal downtime, it is recommended that you use a test environment.
- If you need a test environment, or you have a test environment that is not an up-to-date clone of your production environment and need help, fill out an ITS Web Hosting Upgrade Form to notify the ITS Web Hosting team that you will be migrating off of Cosign and to ask for a temporary test environment setup if needed.
- If you already have a test environment that is a recent clone of your production website, skip to step 3.
- If you will not be using a test environment and intend to make changes directly to the production website, skip to step 6.
Step 2: Set up New Test Environment - ITS
- The ITS Web Hosting team will set up a test environment that will be a clone of your production website.
- ITS will notify the website owner when the test environment is ready by updating the ticket.
Step 3: Upgrade to OIDC in Test Environment - Website Owner
- Make notes of all changes that you make, as you will need to repeat these same steps for your production environment in step 6.
- Configure your web app for OIDC in your test environment:
- Update the original ticket or fill out a new ITS Web Hosting Upgrade Form to notify the ITS Web Hosting team to remove Cosign support for your website from the Web Server Configuration in the Test Environment.
Step 4: Remove Cosign Support in the Test Environment - ITS
- ITS will remove Cosign support for the website from the Web Server Configuration in the test environment.
- ITS will notify the website owner when the website can be tested using OIDC for Authentication in the test environment.
Step 5: Test OIDC in Test Environment - Website Owner
- Test OIDC authentication in the Test environment.
- Troubleshoot and fix if needed.
- Update the ticket to say that you have finished testing in the Test environment and will start configuring your Production Website for OIDC.
Step 6: Upgrade to OIDC in Production Environment - Website Owner
- Follow the notes you made in steps 3 and 5 to configure your web app for OIDC in the production environment.
- Note: you won’t be able to use the same OIDC credentials that you obtained for your test environment. You will need to obtain a second set of OIDC credentials for use with your production website.
- Update the ticket to notify the ITS Web Hosting team to remove Cosign support for your website from the Web Server Configuration in the production environment so that OIDC can be tested there.
Step 7: Remove Cosign Support in the Production Environment - ITS
- ITS will remove Cosign Support for the website from the Web Server Configuration in the production environment.
- ITS will notify the website owner when the website can be tested using OIDC for Authentication in the production environment.
Step 8: Test OIDC in Production Environment - Website Owner
- Test OIDC authentication in the production environment.
- Troubleshoot and fix if needed.
- Update the ticket to notify the ITS Web Hosting team that the website has been migrated off of Cosign and the test environment can be removed.
Step 9: Remove the Test environment - ITS
- ITS removes the website test environment.
- ITS closes the ticket.
Cosign Support Documentation
WordPress
- New WordPress websites
- UMich OIDC Login plugin: Configure WordPress Site to Restrict Access Using OIDC Logins and MCommunity Groups
- Alternative: OpenID Connect Generic Client plugin: Install and Configure OpenID Connect (OIDC) Client for WordPress
- Migrating existing WordPress website to use OIDC
Drupal 7
- New Drupal 7 website setup to authenticate using OIDC
- Migrating existing Drupal 7 website to use OIDC
- Configure Drupal 7 website to restrict access to pages using MCommunity groups
Drupal 9
- New Drupal 9 website setup to authenticate using OIDC
- Migrating existing Drupal 9 website to use OIDC
- Configure Drupal 9 website to restrict access to pages using MCommunity groups