Cosign retirement success

Originally designed at U-M more than twenty years ago, Cosign was once widely used across higher education. The degree to which U-M had integrated Cosign into countless applications was a testament to its success. However, the user base dwindled at U-M and across higher ed as institutions transitioned to more modern authentication protocols (OIDC and SAML). At U-M we now use Shibboleth.

Over the past year, Identity and Access Management (IAM) has partnered with units across all U-M campuses and with colleagues in ITS to discontinue use of Cosign. “Cosign retirement is a significant milestone that improves the security posture of the university and paves the way for the implementation of advanced IAM functionality in the future,” said DePriest Dockins, director of Identity and Access Management. “I understand this change was not without its challenges, and I am grateful to our campus partners for their invaluable support in helping us achieve our goal.”

A key stepping stone was implemented in May, 2023, when the IAM team updated Shibboleth to perform both authentication and authorization without reliance on Cosign. This was a fundamental change that required significant planning and testing. Additionally, the U-M Weblogin logout screen was updated to reflect best practices when logging out of Shibboleth-protected services. 

Although thousands of sites had transitioned off Cosign gradually over the past several years, there were still 900 Cosign integrations at the start of 2022. Today there are fewer than ten that will soon be transitioned to new protocols. The retirement of Cosign involved many system changes by both ITS and units, which were accomplished without any unanticipated outages or disruptions to university business functions.For a summary of activities and resources that supported the Cosign Retirement, visit Cosign at U-M.

Cosign and Shibboleth icons