CoSign and EZproxy

Our Library uses a lot of e-Journals, and wanted to start using EZproxy to authenticate access to them. Rather than create yet another authentication system, we persuaded them to use CoSign instead.

EZproxy doesn't have explicit support for CoSign, but it's flexible enough to be able to do the right thing anyway. When EZproxy receives a request from an unauthenticated user, it redirects to a 'helper' URL, which performs CoSign authentication, then redirects the user back with a signed ticket to prove that authentication happened successfully.

This scheme was devised by Nick Ragusa at Brandeis University. They implemented the solution using a Perl CGI script. We don't use CGI, so I translated it to PHP, and the script is here:

This needs to be in a CoSign-protected directory (i.e. 'CoSignProtected On' is in effect).

You will need to change two values in this script:

In the EZproxy configuration you need a small amount of configuration to tell the EZproxy service how to pass things off to the handler, and how to know that the returned request is valid:

     ::CGI=https://weblogin.example.org/ezproxy/?url=^R
     ::Ticket
     TimeValid 120
     MD5 SuperSecret
     Expired; Deny expiredticket.htm
     /Ticket
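
What a helper behind the `::CGI=` URL has to do to satisfy the `::Ticket` block above, as an added example (this is not the script referred to earlier, nor the Brandeis original). It assumes the standard EZproxy ticket format of `md5(secret . user . packet) . packet`; `https://ezproxy.example.org`, `ezproxy_ticket()` and `is_safe_return_url()` are hypothetical names chosen for illustration.

```php
<?php
// Added example: minimal CoSign-protected ticket helper for EZproxy.
// Assumed values: $ezproxyBase is a placeholder; $secret is the sample
// value from the "MD5" line of the ::Ticket block and must match it exactly.
$secret      = 'SuperSecret';
$ezproxyBase = 'https://ezproxy.example.org';

// Ticket = md5(secret . user . packet) . packet, with packet = '$u' . unix-time.
// EZproxy recomputes the hash with its own copy of the secret and applies
// TimeValid to the timestamp carried in the packet.
function ezproxy_ticket(string $secret, string $user, int $now): string
{
    $packet = '$u' . $now;
    return md5($secret . $user . $packet) . $packet;
}

// Accept only plain http(s) return URLs with no whitespace or control
// characters, so the helper cannot be steered to other schemes or used
// for header injection.
function is_safe_return_url(string $url): bool
{
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

// The CoSign filter sets REMOTE_USER once login has succeeded. The user
// name is never taken from the query string, which the client controls.
$user = $_SERVER['REMOTE_USER'] ?? '';
$url  = $_GET['url'] ?? '';   // original request, passed in by EZproxy as ^R

if ($user === '' || !is_safe_return_url($url)) {
    http_response_code(403);
    exit('Not authenticated, or bad return URL');
}

// Send the browser back to EZproxy with the signed ticket; url= goes last.
$ticket = ezproxy_ticket($secret, $user, time());
header('Location: ' . $ezproxyBase . '/login?user=' . urlencode($user)
    . '&ticket=' . urlencode($ticket) . '&url=' . $url);
```

Anyone who knows the shared secret can mint a ticket for any user name, so keep the script and the EZproxy user file readable only by the accounts that need them.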

You will need to change two values in this example config:


Steve Bennett
last updated: 22/09/2008