
CoSign Troubleshooting

Apache Error messages

503 Service Temporarily Unavailable is universally displayed when CoSign fails. This can be for multiple reasons, including:

  • the wrong permissions on the filter directory
  • incorrect path
  • CoSign service is down/unreachable
  • misspelled/missing CoSign configuration options

To resolve the issue, check the Apache log files. If the problem persists, contact your LSP.

Certificate Expiration

Please be advised that when registering your application through the CSPA, the expiration of the certificate cannot be set later than October 20, 2018. This date is the expiration of the CA certificate.

CoSign supports Single Sign On (SSO) login

  • CoSign supports SSO for web applications requiring authentication with a user’s PennKey and password (passphrase)
  • Once authenticated, users can access resources for which they are authorized without being prompted to authenticate again
  • CoSign provides a better user experience and enhanced security by preventing compromise of the entire system if a single user session is compromised (the password is entered once per session, in one location)
  • Centrally managed credentials and sessions

CoSign SSO Impact on application system administrators

  • Applications can authenticate users application by application (unique CoSign instance for each application), or by “grouping” applications (for a single CoSign point of entry)
  • Applications can “opt out” of SSO by requiring re-authentication each time a user accesses the application. When registering the application through CSPA, make certain the option to require re-authentication is checked.

CoSign uses two types of cookies

  • CoSign sets a cookie for a user's central SSO session. This cookie does not belong to the web application; it belongs to the central weblogin.pennkey.upenn.edu servers. This is called the login cookie and it contains the login token.
  • CoSign also uses application-specific cookies for each web service. These cookies are called service cookies and they contain service tokens.

CoSign will set a cookie for each service

  • One login cookie (a single SSO session) may generate many session cookies
  • CoSign login cookies last 10 hours; CoSign session cookies last as long as the corresponding login cookie
  • If a login cookie expires (or is terminated by a user logging out of the central weblogin.pennkey.upenn.edu server), all session tokens issued against that login token are destroyed; this does not remove the cookies from a user's browser, but the underlying tokens have become invalid
  • CoSign login and session cookies are destroyed if the user closes the browser, but this does not affect the validity of the tokens themselves (i.e. users should use central logout to terminate their sessions)
  • Web applications validate the cookies' token values out-of-band (over SSL-protected connections for enhanced security)
  • When a web application has no session cookie, it redirects to weblogin.pennkey.upenn.edu, which issues a new session token and redirects back to the web application; the web application validates the token through the out-of-band channel and issues a new cookie containing that token
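
As an added illustration (not CoSign's code and not part of the original page), the following Python model mirrors the token lifecycle described above: closing the browser discards cookies but leaves tokens valid, while central logout or the 10-hour limit invalidates them. The class and method names, the token format and the per-service binding check are assumptions made for the model.

```python
import secrets

LOGIN_LIFETIME = 10 * 60 * 60  # seconds; the page states login cookies last 10 hours

class WebLogin:
    """Toy model of the central server's token table (all names are hypothetical)."""

    def __init__(self):
        self.logins = {}    # login token -> time issued
        self.services = {}  # service token -> (login token, service name)

    def _login_valid(self, login_token, now):
        issued = self.logins.get(login_token)
        return issued is not None and now - issued < LOGIN_LIFETIME

    def login(self, now):
        token = secrets.token_urlsafe(16)
        self.logins[token] = now
        return token

    def issue_service_token(self, login_token, service, now):
        if not self._login_valid(login_token, now):
            return None  # no valid SSO session: the user must authenticate again
        token = secrets.token_urlsafe(16)
        self.services[token] = (login_token, service)
        return token

    def validate(self, service_token, service, now):
        """The out-of-band check a web application makes for a cookie's token."""
        login_token, bound_to = self.services.get(service_token, (None, None))
        return bound_to == service and self._login_valid(login_token, now)

    def logout(self, login_token):
        """Central logout: drop the login token and every token issued against it."""
        self.logins.pop(login_token, None)
        self.services = {t: e for t, e in self.services.items() if e[0] != login_token}

def demo():
    server, out = WebLogin(), {}
    browser = {"login": server.login(now=0)}  # the browser's cookie jar
    browser["wiki"] = server.issue_service_token(browser["login"], "wiki", now=60)
    login_token, wiki_token = browser["login"], browser["wiki"]
    browser.clear()  # browser closed: cookies are gone, tokens are untouched
    out["after_browser_close"] = server.validate(wiki_token, "wiki", now=180)
    out["other_service"] = server.validate(wiki_token, "mail", now=180)
    server.logout(login_token)
    out["after_logout"] = server.validate(wiki_token, "wiki", now=240)
    stale = server.issue_service_token(server.login(now=0), "wiki", now=60)
    out["after_10_hours"] = server.validate(stale, "wiki", now=LOGIN_LIFETIME)
    return out
```

Calling `demo()` returns the validation result for each scenario; only the token checked after the browser was closed is still accepted.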

 

If local firewalls are deployed, you will need to allow CoSign to use port 6663.

Compiling CoSign on hosts with multiple/alternate Apache 2 prefixes

  • Prior to the configure/make of CoSign:
    • export CFLAGS="-I<full path to apache prefix include directory> `<full path to apache prefix apr-config binary> --cppflags --cflags`"
    • ./configure <configure options> --enable-apache2=<full path to apache prefix apxs binary>
    • make ...