Special Announcement

July 23, 2009: A security vulnerability (COSIGN-VULN-2009-002) exists in all versions of Cosign prior to version 3.0.


Overview

Any questions or problems you may have with the filter can be sent to us via email.

About Penn State WebAccess
Penn State's Web Single Sign-On solution, Penn State WebAccess, is based on the CoSign project from the University of Michigan. The project's home page contains a good overview of the system, an FAQ, and download links. Visit the Penn State WebAccess help page for a higher-level description of the system.

The part of the system that runs on your Web site is the CoSign filter. This filter contacts the main CoSign servers to validate login sessions and restrict access to those parts of your site you wish to protect. It provides authentication only (it checks that someone trying to access your system has an active Access Account); it does not provide any authorization (who can do what). Authorization can be done by server-side programming (CGIs, ASP, etc.), or basic directives (for Apache, examples below). On Apache, the filter is an alternative to Basic Authentication with dbm or password files.

Filters are available for Apache (1 & 2), IIS (5/6, and 7), and Tomcat servers.

CoSign strongly recommends (enforces on IIS) use of a secure (SSL/TLS) Web server to prevent outside theft of your service's cookies. It also requires use of a certificate for communication between the filter and the CoSign servers; the one you have for secure browsing can usually be used for this back-end communication (more on that later).
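
The following example is added here and is not Penn State's or the CoSign project's code. It shows a server-side program making its own authorization decision on top of the filter's authentication, and refusing protected areas requested over plain HTTP. It assumes the filter passes the authenticated user ID in the CGI variable REMOTE_USER and that the Web server sets HTTPS=on for TLS requests; the decide function, the POLICY table, the paths and the user IDs are hypothetical.

```python
# Added example: authorization layered on the filter's authentication.
# Assumptions: the filter exposes the authenticated Access Account ID as the
# CGI variable REMOTE_USER, the Web server sets HTTPS=on for TLS requests
# (as Apache's mod_ssl does), and `path` is the server-normalized request path.

# Hypothetical policy: path prefix -> set of allowed user IDs.
# None means "any authenticated user". All IDs below are constructed samples.
POLICY = {
    "/grades/": {"abc123", "xyz987"},
    "/grades/admin/": {"abc123"},
    "/members/": None,
}


def decide(environ, path, policy=POLICY):
    """Return (http_status, reason) for a request to `path`."""
    # Longest-prefix match, so a stricter sub-area overrides its parent.
    prefixes = [p for p in policy if path.startswith(p)]
    if not prefixes:
        return 200, "public area"
    allowed = policy[max(prefixes, key=len)]

    # Service cookies should only travel over TLS; refuse plain HTTP.
    if environ.get("HTTPS", "").lower() != "on":
        return 403, "protected area requested without TLS"

    # Fail closed: no REMOTE_USER means the filter did not authenticate this
    # request (for example, it is not enabled for this location).
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        return 401, "no authenticated user from the filter"

    # Authentication succeeded; now apply the site's own authorization rule.
    if allowed is None or user in allowed:
        return 200, "allowed: " + user
    return 403, "authenticated but not authorized: " + user


if __name__ == "__main__":
    tls_user = {"HTTPS": "on", "REMOTE_USER": "xyz987"}  # constructed request
    for p in ("/index.html", "/members/", "/grades/x", "/grades/admin/x"):
        print(p, decide(tls_user, p))
```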


Basic Steps for Installing a Filter
  1. Download, build (if necessary), and install the filter into your system.
  2. Acquire a certificate and its key.
  3. Have your certificate registered with WebAccess support.
  4. Install the Certificate Authority (CA) for the CoSign server's certificate.
  5. Configure the filter for: Penn State's WebAccess service, your certificate and key, and designate which areas of your server need protection.
  6. Activate the filter.

If your Departmental Web site is hosted via the ASET group in ITS, contact root@aset.psu.edu about getting WebAccess enabled for your site.


Detailed Instructions for Installing Filters



The Pennsylvania State University ©2009. All rights reserved.
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.

For assistance please write to helpdesk@psu.edu or see our Help Sources.

Last revised: Thursday, July 23, 2009.