Using CoSign on the Central Web Service

The instructions in this page will help you to use CoSign functionality on a server that already has CoSign installed and configured.

If you want to use CoSign from within a PHP webapp, you should read the instructions on using CoSign with PHP.

If you want to learn how to install and configure CoSign, you should read the instructions on installing CoSign.

What is CoSign

CoSign is the Web Single Sign-On operated by ISS for use on central and departmental web servers and applications. Where possible, CoSign authenticates users (i.e. proves their identity) based on their existing credentials, so that no additional password prompts are necessary. Where this is not possible, either because there are no existing credentials, or because the browser is unable to pass them securely, the user will be prompted for his or her password just once per browser session, and the password will always be sent over a secure connection.

CoSign Web applications do not need to handle users' passwords; they are simply notified of the user's identity.

CoSign has been tested with a wide variety of browsers and operating systems, and is believed to operate correctly and securely in all circumstances.

How to use CoSign on the Central Web Service

Enabling CoSign Access Control

At its simplest, you can protect a folder on the central web service by adding the following directive to a .htaccess file:

CosignProtected On

This tells CoSign to protect the content in the directory that contains the .htaccess file, and all its subdirectories.
All users will be required to authenticate (i.e. log in via CoSign), but any successful authentication will be sufficient to permit access to the content.
In most cases you will also want to restrict access to content to authorized users and groups.

Restricting access to Internal Users

If you wish to ensure that users have authenticated with a particular type of credential (like a University username, rather than a CoSign 'Friend' username. you can use the CosignRequireFactor directive.

CosignProtected On
CosignRequireFactor LANCS.LOCAL

Granting access by Username

The previous example doesn't do any checking of who is allowed to access the content.
To do that, you need to specify the users that are authorized.
The following example would authorize access for users 'bert', 'ernie' and 'kermit'.

CosignProtected On
AuthType CoSign
Require User bert ernie kermit

Granting access by Group

Alternatively, you can specify the groups of users that are authorized.
The following example would authorize access for all members of the group 'Sesame_Street:

CosignProtected On
AuthType CoSign
Require Group Sesame_Street

Granting access to External Users

If the users that you want to permit access to do not have Lancaster University usernames, you can give them access by email address by using the CoSign 'Friend' system. They'll need to register their email address and choose a password. Once registered, you can grant access in a similar way to local users:

CosignProtected On
AuthType CoSign
Require User

'Friend' users cannot be group members; you have to list them individually.

Limiting CoSign access control to specific files

Sometimes you want to use access controls on some files, and leave other files accessible to all users. One way of doing this is to put the access controlled files into a subdirectory, and configure CoSign just on that directory.

Another way is to use the Apache <files> directive to limit the scope of the Cosign protection. For example, the following only allows members of group 'A' to access the file "restricted.html"; other files are unaffected.

<Files "restricted.html">
CosignProtected On
AuthType CoSign
Require Group A

Steve Bennett
last updated: 12/11/2010