Identify and Remove Cosign Configurations from an AFS-based Virtual Host

Environment

Cosign, AFS

Issue

The Cosign single sign-on service will be retired soon, so if your site is currently configured to use cosign for authentication, you will need to update your site configuration to use OpenID Connect (OIDC) instead. 

Resolution

There are a number of things to look for in your site code/configuration which you will need to review and remove prior to updating to use OIDC if they are related to cosign.

Look for these things, remove them if you find them:

  1. .htaccess file: cosign, mod_authnz_ldap directives

Locate all .htaccess files in your application directories.  Look for all "cosign" directives and "mod_authnz_ldap" directives and remove those configurations.  For example:

cd {{doc_root}}
find . -name ".htaccess" -exec /usr/bin/egrep -il "cosign|authldap" {} \;

The relevant directives for each of these modules can be found here:

  1. WordPress:  CMS HTTP auth plugins

If your site is a WordPress site, you may have installed the http-authentication plugin to use with Cosign, as described in KB article #3841, "Install WordPress CMS in an AFS-Based Virtual Host".  You will need to disable and remove this plugin from your site.

  1. Drupal:  CMS cosign module

If your site is a Drupal 7 site, you may have installed the cosign Drupal 7 module to use with Cosign.  You will need to disable and remove this module from your site.

There may be other Cosign-related Drupal modules that have been made available in the past (possibly developed internal or external to U-M) as well.  If you are using another module, you will likely want to remove it from your site.  For example, this cosign-drupal8 module was found in a recent Internet search.  There does appear to have been an alpha release of the cosign module for Drupal 8+ as well, so you may look for that if applicable to your site also.  Any cosign-related module in your Drupal instance should be disabled and removed.

When you are done, contact webmaster@umich.edu and ask us to remove cosign from your websites’ Apache configuration.

Additional Information

Need additional information or assistance? Contact the ITS Service Center.