Cosign Authentication Retirement: Next steps to discontinue use by June 30, 2023

Cosign and Shibboleth logos

Information and Technology Services continues to partner with units to discontinue all use of the two-decade old Cosign Authentication service by the end of June 2023.

Cosign has been the secure, single sign-on, web authentication system in thousands of university applications and websites over the years. Proudly designed at U-M, the open source software was once widely used across higher education around the world. Now only a handful of universities still use Cosign, and it is not a suitable option for modern, cloud-based technologies.

As part of the discontinuation efforts, units attested to discontinuing or planning to discontinue use of Cosign in unit-owned applications by June 2023 as part of the U-M Annual Internal Control Certification process. The full retirement of the service will occur in October 2023 with the decommissioning of the Cosign service.

In many situations, website and application owners may choose to remove authentication altogether or replace Cosign with Shibboleth. Shibboleth is a more modern, flexible, and supportable alternative. Learn more about Shibboleth.

Exceptions to be removed monthly for inactive applications

In May 2022, all applications using the authentication service were required to have an exception to continue to run Cosign. To continue to limit Cosign use, exceptions will be removed monthly for applications with fewer than 20 logins during the prior 90 days.

Exceptions will be removed monthly on the following dates: February 27, March 27, April 24, May 29, and June 26.

When an exception is removed, users will no longer be able to sign into your application. To continue to receive your exception for a limited time, please be sure your application has recent log-on activity. If the exception is removed, you may request it to be temporarily reinstated by submitting a ticket to the ITS Service Center.

A list of all applications using Cosign is shared with the Strategic Technology Advisory Committee (STAC) and the U-M Security Community. Please work with your unit’s contact on these groups to learn more.

Upcoming maintenance for Shibboleth

Additionally, ITS continues to reduce its own reliance on Cosign. To accomplish this, ITS will be performing some behind-the-scenes maintenance on Shibboleth on March 18. More information and testing opportunities will be provided on the Cosign Retirement page.

Ready-to-use resources & support labs

Visit the Cosign at U-M webpage to view a retirement resource kit that contains sample codes, drop-in support lab schedule, and more. Additionally, members of the project team can be invited to meet with you and others to discuss the transition for your unit specifically.