Using CoSign on the Central Web Service

The instructions in this page will help you to use CoSign functionality on a server that already has CoSign installed and configured.

If you want to use CoSign from within a PHP webapp, you should read the instructions on using CoSign with PHP.

If you want to learn how to install and configure CoSign, you should read the instructions on installing CoSign.

What is CoSign

CoSign is the Web Single Sign-On service operated by ISS for use on central and departmental web servers and applications. Where possible, CoSign authenticates users (i.e. proves their identity) based on their existing credentials, so that no additional password prompts are necessary. Where this is not possible, either because there are no existing credentials or because the browser is unable to pass them securely, the user is prompted for his or her password just once per browser session, and the password is always sent over a secure connection.

CoSign Web applications do not need to handle users' passwords; they are simply notified of the user's identity.

CoSign has been tested with a wide variety of browsers and operating systems, and is believed to operate correctly and securely in all circumstances.

How to use CoSign on the Central Web Service

Enabling CoSign Access Control

At its simplest, you can protect a folder on the central web service by adding the following directives to a .htaccess file:

AuthType Cosign
CosignProtected On
Require valid-user

The first line tells the web server to use CoSign, the second line enables CoSign protection, and the third line means that any valid username is sufficient.
The settings apply to the directory that contains the .htaccess file, and all its subdirectories.
All users will be required to authenticate (i.e. log in via CoSign), but any successful authentication will be sufficient to permit access to the content.
In most cases you will also want to restrict access to content to authorized users and groups.

Restricting access to Internal Users

If you wish to ensure that users have authenticated with a particular type of credential (such as a University username, rather than a CoSign 'Friend' username), you can use the CosignRequireFactor directive.

AuthType Cosign
CosignProtected On
CosignRequireFactor LANCS.LOCAL
Require valid-user

Granting access by Username

The previous example doesn't do any checking of who is allowed to access the content.
To do that, you need to specify the users that are authorized.
The following example would authorize access for users 'bert', 'ernie' and 'kermit'.

AuthType CoSign
CosignProtected On
Require user bert ernie kermit

Granting access by Group

Alternatively, you can specify the groups of users that are authorized.
The following example would authorize access for all members of the group 'Sesame_Street':

AuthType CoSign
CosignProtected On
Require group Sesame_Street

Granting access to External Users

If the users that you want to permit access to do not have Lancaster University usernames, you can give them access by email address by using the CoSign 'Friend' system. They'll need to register their email address and choose a password. Once registered, you can grant access in a similar way to local users:

AuthType CoSign
CosignProtected On
Require user gonzo@example.com miss_piggy@example.com

'Friend' users cannot be group members; you have to list them individually.

Limiting CoSign access control to specific files

Sometimes you want to use access controls on some files, and leave other files accessible to all users. One way of doing this is to put the access controlled files into a subdirectory, and configure CoSign just on that directory.

Another way is to use the Apache <Files> section to limit the scope of the CoSign protection. For example, the following only allows members of group 'A' to access the file "restricted.html"; other files are unaffected.

<Files "restricted.html">
AuthType CoSign
CosignProtected On
Require group A
</Files>
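As an added review aid that is not part of this page or of CoSign itself: a short Python script that reads a .htaccess file written with the directives above and reports, per directory and per <Files> section, where the effective policy is wider or narrower than probably intended. It assumes, following the sections above, that Require valid-user without CosignRequireFactor admits 'Friend' accounts and that 'Friend' accounts (identified here by an e-mail address) do not carry the LANCS.LOCAL factor; the sample .htaccess is constructed for illustration.

```python
import re

# Constructed sample .htaccess built from the directives shown on this page.
SAMPLE_HTACCESS = """AuthType Cosign
CosignProtected On
Require valid-user
<Files "restricted.html">
CosignRequireFactor LANCS.LOCAL
Require user gonzo@example.com ernie
</Files>
"""

def parse_scopes(text):
    """Group (directive, args) pairs by scope: '.' for the directory, else the <Files> name."""
    scopes, current = {".": []}, "."
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Files\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
            scopes.setdefault(current, [])
            continue
        if re.match(r"</Files\s*>", line, re.I):
            current = "."
            continue
        parts = line.split(None, 1)
        scopes[current].append((parts[0].lower(), parts[1].split() if len(parts) > 1 else []))
    return scopes

def review(text):
    """Map scope -> findings. Assumes a directory-level CosignRequireFactor also applies
    inside <Files> sections and that a Require inside <Files> replaces the outer Require."""
    scopes = parse_scopes(text)
    dir_factor = any(n == "cosignrequirefactor" for n, _ in scopes["."])
    findings = {}
    for scope, directives in scopes.items():
        factor = dir_factor or any(n == "cosignrequirefactor" for n, _ in directives)
        notes = []
        for name, args in directives:
            if name != "require" or not args:
                continue
            kind, names = args[0], args[1:]
            friend_listed = any("@" in n for n in names)  # Friend accounts are e-mail addresses
            if kind == "valid-user" and not factor:
                notes.append("Require valid-user without CosignRequireFactor: external Friend accounts are admitted")
            elif kind == "user" and friend_listed and factor:
                notes.append("Friend accounts listed but CosignRequireFactor blocks them (assumed: Friend has no LANCS.LOCAL factor)")
        findings[scope] = notes
    return findings
```

Run review() over each .htaccess you deploy; an empty list for a scope means none of the mismatches above was found.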

Steve Bennett
last updated: 19/12/2018