Transition from Cosign to Shibboleth Authentication

Cosign and Shibboleth logos

The ITS Identity & Access Management team (IAM) has finalized plans to reach key milestones that will remove dependencies on the Cosign authentication service by summer 2022.

Cosign has been the university’s secure, single sign-on, web authentication system for more than 20 years. Originally designed at U-M, the open source software was once widely used across higher education. Now only a handful of universities still use Cosign, and the open source community that once maintained and developed it has dwindled.

Shibboleth authentication, already in use across U-M, will replace Cosign and can be installed now. Shibboleth at U-M can be set up to use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), two industry standard protocols. IAM recommends OIDC for applications that do not allow federation-enabled logins by members of InCommon-member institutions. OIDC allows for simple installation via configurable extensions or plugins.

Since ITS began preparing for the retirement of Cosign three years ago, the number of U-M applications using Cosign has decreased from 1,600 to less than 600. Although ITS can identify traffic from applications using Cosign, it cannot identify the specific applications or departments that own them. To provide support to units that need to switch to Shibboleth, ITS will send broad email communications to applicable groups and offer drop-in support labs via Zoom.

Key milestones in this transition process are:

  • May 7, 2022: Units will no longer be able to use the self-service options for installing Cosign with new applications.
  • July 16-August 15, 2022: Currently, Shibboleth uses Cosign for the actual authentication prompt. This relationship will be reversed so that Cosign will use Shibboleth for the authentication prompt. Shibboleth will not rely on Cosign going forward.
  • August 15-TBD: Cosign will continue to work while the IAM team works with units to ensure a smooth transition away from Cosign.
  • June 2023: Units discontinue use of Cosign.

This effort directly supports the requirement for units to discontinue their use of Cosign, or have defined plans to do so by June 2023, as outlined in the FY22 Internal Controls certification process in the area of information assurance.

Questions? Send email to beyond.cosign@umich.edu.