Guidance for the Internal Control Annual Information Assurance Certification Question

For details about the overall process and the annual certification question, see Internal Control Annual Certification Process.

Fiscal Year 2022 Question

FY22 Question

My unit has discontinued use of Cosign, an outdated single sign-on web authentication system, for unit-owned applications, or has defined plans to do so by June 2023.

Responses to FY22 Question

All units should be able to reply yes or partial to the FY22 question.

  • Yes. My unit has discontinued use of Cosign for all of our unit applications.
  • Partial. My unit has discontinued use of Cosign for some of our unit applications and has plans to discontinue use for the remaining applications by June 2023.
  • No. My unit has not discontinued use of Cosign for any unit applications and has no plans to do so by June 2023.

Guidance for Responding to the Question

Background

U-M’s Identity and Access Management modernization efforts call for discontinuing use of outdated protocols, such as Cosign, used to provide access to protected web resources at U-M.

Cosign has been the university’s secure single sign-on web authentication system for more than 20 years. Originally designed at U-M, the open source software was once widely used across higher education. Now, however, only a handful of universities still use Cosign, and the open source community that once maintained and developed it has dwindled.

How to Migrate from Cosign

Unit IT staff responsible for services currently using Cosign should:

  1. Review the information on the Shibboleth at U-M website.
  2. Use the Shibboleth Configuration Request Form to submit a request for each system that needs to be migrated from Cosign to one of the now-preferred protocol options: SAML or OIDC.

If you need help with your transition efforts, please contact the ITS Identity & Access Management (IAM) team at beyond.cosign@umich.edu.

Supporting Materials

Answers to Your Questions

Security Unit Liaisons (SULs) can send questions to info-assurance@umich.edu. Information Assurance will post answers here to any inquiries received about this year's certification question.