For details about the overall process and the annual certification question, see Internal Control Annual Certification Process.
Fiscal Year 2022 Question
My unit has discontinued use of Cosign, an outdated single sign-on web authentication system, for unit-owned applications, or has defined plans to do so by June 2023.
Responses to FY22 Question
All units should be able to reply yes or partial to the FY22 question.
- Yes. My unit has discontinued use of Cosign for all of our unit applications.
- Partial. My unit has discontinued use of Cosign for some of our unit applications and has plans to discontinue use for the remaining applications by June 2023.
- No. My unit has not discontinued use of Cosign for any unit applications and has no plans to do so by June 2023.
Guidance for Responding to the Question
U-M’s Identity and Access Management modernization efforts call for discontinuing use of outdated protocols, such as Cosign, used to provide access to protected web resources at U-M.
Cosign has been the university’s secure single sign-on web authentication system for more than 20 years. Originally designed at U-M, the open source software was once widely used across higher education. Now, however, only a handful of universities still use Cosign, and the open source community that once maintained and developed it has dwindled.
How to Migrate from Cosign
Unit IT staff responsible for services currently using Cosign should:
- Review the information on the Shibboleth at U-M website.
- Use the Shibboleth Configuration Request Form to submit a request for each system that needs to be migrated from Cosign to one of the now preferred protocol options - SAML or OIDC.
If you need help with your transition efforts, please contact the ITS Identity & Access Management team (IAM) team at firstname.lastname@example.org.
- Planning a move away from Cosign
- Getting started with Shibboleth
- Shibboleth protocol options
- Access, Authorization, and Authentication Management (DS-22).