Pilot service for Yubikey two-factor authentication

November 10, 2015

Some background: what’s Cosign, and how does it work?

Filed under: Pilot service for Yubikey two-factor authentication — idurkacz @ 11:36 am

Cosign – see http://weblogin.org – is “an open source project originally designed to provide the University of Michigan with a secure single sign-on web authentication system.”

From the point of view of a user, a first visit to a Cosign-protected website results in redirection to an institutional authentication server which requests username and password via an HTTPS web form. Once authenticated, the user is then redirected back to the Cosign-protected website where – internal website authorization permitting – they can access content and resources, all mediated by the corresponding Cosign filter. Visits to further Cosign-protected websites then proceed transparently, using authentication cookies delivered via the initial visit to the institutional authentication server: that’s the ‘single sign-on’ in action.

In fact, the ‘single sign-on’ can work even better than that. Since the underlying authentication protocol is assumed to be Kerberos, a web browser which is capable of using SPNEGO (also known as ‘HTTP Negotiate Auth’ – see for example RFC 4559 and Microsoft’s HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol documentation) is able to use the user’s existing Kerberos tickets for the initial authentication sequence. The result in that case is that, provided the user has already authenticated via Kerberos, their subsequent access to institutional Cosign-protected websites is completely transparent.
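The two paragraphs above describe the flow in prose; the following is an added, simplified model of it (not Cosign’s own code) showing the filter’s redirect, the weblogin server trying an RFC 4559 Negotiate challenge before falling back to the username/password form, and the SSO cookie that makes later visits transparent. The weblogin URL, cookie name, credential store and the ‘KRB5:’ token payload are all constructed stand-ins; a real SPNEGO token is a GSSAPI blob that this model does not build or validate.

```python
import base64
import secrets

# Constructed stand-ins (assumptions, not real Cosign configuration or hosts).
WEBLOGIN = "https://weblogin.example.ac.uk/cosign-bin/cosign.cgi"
SSO_COOKIE = "cosign"                      # assumed cookie name for this model
PASSWORDS = {"alice": "correct horse"}    # constructed credential store (form login path)
_sessions = {}                             # token -> user, server-side state behind the cookie

def issue_cookie(user):
    """Mint an unguessable bearer token and bind it to the authenticated user."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = user
    return token

def negotiate_token(user):
    """Browser side: 'Negotiate <b64>' (RFC 4559); payload is a stand-in for a real GSSAPI blob."""
    return "Negotiate " + base64.b64encode(f"KRB5:{user}".encode()).decode()

def principal_from_negotiate(header):
    """Server side: decode the model token; return the Kerberos principal or None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Negotiate" or not blob:
        return None
    try:
        data = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return data[len("KRB5:"):] if data.startswith("KRB5:") else None

def weblogin(headers, service_url, form=None):
    """Institutional authentication server: SPNEGO first, HTTPS username/password form otherwise."""
    user = None
    if "Authorization" in headers:
        user = principal_from_negotiate(headers["Authorization"])
    elif form is not None:
        expected = PASSWORDS.get(form["username"], "").encode()
        if secrets.compare_digest(expected, form["password"].encode()):
            user = form["username"]
    if user is None:
        # Challenge per RFC 4559; a browser with no ticket ignores it and the user sees the form.
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}
    cookie = f"{SSO_COOKIE}={issue_cookie(user)}; Secure; HttpOnly"
    return {"status": 302, "headers": {"Location": service_url, "Set-Cookie": cookie}}

def cosign_filter(cookies, service_url):
    """Filter in front of a protected site: admit a valid SSO cookie, else send to weblogin."""
    user = _sessions.get(cookies.get(SSO_COOKIE, ""))
    if user is None:
        return {"status": 302, "headers": {"Location": f"{WEBLOGIN}?{service_url}"}}
    return {"status": 200, "user": user}
```

Note that the cookie is a pure bearer credential: whoever holds it is the user, which is why it is minted from `secrets` and marked `Secure` and `HttpOnly`.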

Official Cosign documentation is unfortunately rather scattered. For a pictorial view of the authentication process, see the overview diagram at Cosign’s home website.

I might also mention that documentation pertaining to Informatics-specific local Cosign modifications is also rather scattered … but more on that later!
