

What is Cosign?

Cosign is a single sign-on (SSO) web login technology developed at the University of Michigan. It uses a centralised sign-on mechanism to authenticate users: for Informatics users, this means authenticating to web sites using your Kerberos principal.

Cosign uses login and service cookies to manage the authorization for a Cosign-protected website. More detailed information about the design of Cosign can be found on the Cosign website.

Many websites in Informatics use Cosign authentication for protected or restricted-access pages.

How do I use Cosign?

When you visit an Informatics website that's Cosign protected, you'll be redirected to for authentication. If you're using Firefox on a DICE machine, authentication will happen automatically - using your existing Kerberos credentials - and you'll then be returned to the Cosign-protected site.

For other web browsers and operating systems, you'll be prompted for your Informatics username and password, and then returned to the originating Cosign-protected site on successful authentication.

Cosign should work from all web browsers, provided JavaScript is enabled. Please let us know if it doesn't work for you.

The Microsoft Edge browser will pop up a Windows Security box (pictured here). You should dismiss this box then type your DICE username and password directly in the weblogin web page.

To help us maintain the security of our systems you should regularly review the logs for your recent Cosign login activity.

Cosign and SPNEGO

Our Cosign service supports SPNEGO 'Integrated Authentication' on selected browsers. This allows Kerberos-capable machines to authenticate to Cosign without the user having to enter their credentials by hand. No configuration is required on the server side to take advantage of this, but see Cosign and SPNEGO for the browser configuration required.

Using Cosign to restrict access - example

The groups and homepages web servers are configured to use Cosign so, should you want to, you can use the facility to restrict access to your pages to particular DICE users (or groups of users).

Example: create an .htaccess file containing the following:

CosignProtected On
AuthType Cosign
CosignRequireFactor INF.ED.AC.UK
Require user alice bob

Now, only users 'alice' and 'bob' are authorised to see the contents of the https:// URL which references that .htaccess file. If you don't mind who it is, just as long as it is someone who can authenticate with Cosign, then use:

CosignProtected On
AuthType Cosign
CosignRequireFactor INF.ED.AC.UK
Require valid-user

The use of CosignRequireFactor INF.ED.AC.UK limits users to the INF.ED.AC.UK Kerberos domain (currently the only supported domain).

(Note that, if anyone visits the corresponding http:// URL, they will receive a "401-Authorization Required" message - or a similar message, depending on the exact configuration of the web server - in their browser.)
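
A small linter for the pattern shown above, as an added example that is not part of the original page or of the Cosign project: it checks that an .htaccess file carries the three Cosign lines with the values used here and reports who its Require lines name. The function names, the case-insensitive value comparison and the BROKEN sample are assumptions made for illustration.

```python
# Added example: lint .htaccess text against the four-directive pattern above.
# Assumption: directive names and values are compared case-insensitively.
REQUIRED = {  # directive (lower-cased) -> value the page's example uses
    "cosignprotected": "on",
    "authtype": "cosign",
    "cosignrequirefactor": "inf.ed.ac.uk",
}

def parse_htaccess(text):
    """Return [(directive_lowercased, [args])], skipping blanks and # comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            out.append((name.lower(), args))
    return out

def audit(text):
    """Return (problems, access); access lists who the Require lines name."""
    directives = parse_htaccess(text)
    problems, access = [], []
    for name, expected in REQUIRED.items():
        values = [" ".join(a).lower() for n, a in directives if n == name]
        if not values:
            problems.append(f"missing {name}")
        problems += [f"{name} is '{v}', expected '{expected}'"
                     for v in values if v != expected]
    requires = [a for n, a in directives if n == "require"]
    if not requires:
        problems.append("missing require")
    for args in requires:
        kind = args[0].lower() if args else ""
        if kind == "user" and len(args) > 1:
            access.append(("user", sorted(args[1:])))
        elif kind == "valid-user" and len(args) == 1:
            access.append(("valid-user", []))
        else:
            problems.append("unrecognised require: " + " ".join(args))
    return problems, access

# Constructed sample: factor line forgotten and 'Require user' left empty.
BROKEN = """CosignProtected On
AuthType Cosign
Require user
"""

if __name__ == "__main__":
    print(audit(BROKEN))
```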
