July 23, 2009: A security vulnerability exists in all versions of Cosign prior to version 3.0. COSIGN-VULN-2009-002.
Any questions or problems you have with implementing the CoSign filter may be sent to us.
About Penn State WebAccess
Penn State's Web Single Sign-On solution, Penn State WebAccess, is based on the CoSign project from the University of Michigan. The project's home page contains a good overview of the system, an FAQ, and download links. Visit the Penn State WebAccess help page for a higher-level description of the system.
The part of the system which runs on your Web site is the CoSign filter. This filter contacts the central CoSign servers to validate login sessions and restricts access to those parts of your site you wish to protect. It does not provide any authorization (who can do what), only authentication (it checks that someone trying to reach your system holds an active Access Account). Authorization can be done by server-side programming (CGIs, ASP, etc.) or by basic directives (for Apache, examples below). On Apache, the filter is an alternative to Basic Authentication with dbm or password files.
Filters are available for Apache (1 & 2), IIS (5/6, and 7), and Tomcat servers.
CoSign strongly recommends (and on IIS enforces) running the filter on a secure (SSL/TLS) Web server, so that your service's cookies cannot be stolen in transit. It also requires a certificate for the communication between the filter and the CoSign servers; the one you already have for secure browsing can usually be reused for this back-end communication (more on that later).
Basic Steps for Installing a Filter
- Download, build (if necessary), and install the filter into your system.
- Acquire a certificate and its key.
- Have your certificate registered with WebAccess support.
- Install the Certificate Authority (CA) for the CoSign server's certificate.
- Configure the filter: point it at Penn State's WebAccess service, give it your certificate and key, and designate which areas of your server need protection.
- Activate the filter.
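As an added example (not text from this page and not the CoSign project's own documentation), the Apache 2 configuration below covers the configuration step of the procedure above and the authentication-versus-authorization point from the overview: the filter only establishes who the user is, and a separate `Require` directive decides what that user may reach. The directive names are mod_cosign's as published by the upstream project; the hostnames, file paths, service name and user IDs are placeholders to be replaced with the values WebAccess support gives you for your registered certificate.

```apache
# Added example (not from this page or the CoSign project); all hostnames,
# paths, the service name and the user IDs are placeholders.
# Load the Apache 2 filter module built and installed in the first step.
LoadModule cosign_module modules/mod_cosign.so

# Global filter settings: the WebAccess login server, the service name
# registered with WebAccess support, and the certificate, key and CA
# directory from the certificate steps.
CosignHostname          weblogin.example.edu
CosignRedirect          https://weblogin.example.edu/
CosignPostErrorRedirect https://weblogin.example.edu/post_error.html
CosignService           cosign-myservice
CosignCrypto            /etc/httpd/cosign/service.key /etc/httpd/cosign/service.crt /etc/httpd/cosign/CA
CosignFilterDB          /var/cosign/filter

# The validation handler must itself be unprotected: the login server
# sends the browser here after a successful login to set the service cookie.
<Location /cosign/valid>
    SetHandler cosign
    CosignProtected Off
    Allow from all
    Satisfy any
</Location>

# Authentication only: anyone with an active Access Account may enter.
<Location /private>
    CosignProtected On
    AuthType Cosign
    Require valid-user
</Location>

# Authentication plus authorization: the filter proves the identity, and
# the Require directive limits this area to the listed user IDs.
<Location /admin>
    CosignProtected On
    AuthType Cosign
    Require user abc123 xyz789
</Location>
```

Once the filter is active, the authenticated user ID is available to CGI and similar server-side code in the `REMOTE_USER` variable, which is where program-level authorization (the other option named in the overview) obtains the identity. The `Require` lines are the only authorization in this configuration; leaving an area at `Require valid-user` grants access to every Access Account holder, so treat that as the default to tighten rather than the finished policy.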
If your Departmental website is hosted via the AIT group in ITS, contact firstname.lastname@example.org about getting WebAccess enabled for your site.
Detailed Instructions for Installing Filters
- Upgrading to Cosign v3
- Apache Filter
- Content Management Systems and Apache httpd Rewrite rules
- IIS Filters
- Java Servlets Filter (tomcat, jetty, etc.)
Features and Notes
- Multi-Realm Support (Access and FPS accounts)
- Logout Processing
- Requiring Security Tokens
- Intermediate Certificate Authorities
- Filters (protected websites) behind a Firewall
- How to list a web site on the WebAccess Services Page
- QA Test Service
- Community-contributed Notes (on Penn State Wikispaces)
- March 31, 2009: A security vulnerability has been discovered and fixed in the Cosign login page handling. COSIGN-VULN-2009-001.
- November 9, 2007: A security vulnerability has been discovered and fixed in the IISCosign filter: COSIGN-VULN-2007-003. Sites running cosign-protected Microsoft IIS web servers should immediately upgrade to IISCosign 2.0.3. (text copied from the Cosign home, weblogin.org)
- A fourth WebAccess server was added on August 29, 2007.
- The WebAccess server software was updated on Wednesday, August 8, 2007.
- A third WebAccess server was added on April 11, 2006.
- A new certificate (with a new Certificate Authority) was installed on May 1, 2006. Please refer to the detailed information and instructions.