Using Web-Authenticated Resources (Weblogin Using CoSign) at U-M

The U-M Weblogin page allows you to log in once per web session to gain access to many protected web resources. This document explains how the process protects your UMICH password and provides tips to help you keep your password and personal information private while using Weblogin. The most important thing you can do to protect your privacy is to remember to log out when you have finished using protected web resources.

What Is Weblogin?

Weblogin is a web page (and the software behind it) that allows you to log in once to gain access to a variety of protected U-M web resources, including Wolverine Access, AFS, the MCommunity Directory, CTools, and more.

After logging in with your uniqname and UMICH password, you can use most of the Weblogin-protected resources without having to log in again (except those that require re-authentication—see Re-Authentication below). Weblogin-protected resources are listed on the Authenticated Resources page.

Important! To protect your privacy and personal information, be sure to log out when you have finished using these resources.

Weblogin is U-M's implementation of Cosign software. Cosign was developed at U-M. For technical information about Cosign and how it works, see the Cosign web pages.

Logging In

There are two ways to log in using Weblogin:

• Log in to any Weblogin resource (such as the MCommunity Directory or Wolverine Access), and you will be directed to the Weblogin page, where you can log in with your uniqname and UMICH password.

• Use your web browser to connect directly to the Weblogin page, then log in with your uniqname and UMICH password.

You will then be automatically logged in to all Weblogin resources (except those for which the service provider requires re-authentication. For example, if you log in to use Wolverine Access and then go to AFS, you will not need to log in again.

Logging Out

Logging in with Weblogin gives you access to a large number of protected web services. To prevent unauthorized access (such as the ability to access and change your email student or staff record, MCommunity Directory profile and much more) remember to log out when you are finished.

Click the logout link in any U-M Weblogin-protected application to log out of all U-M Weblogin-protected applications. For added security, close, quit, or exit your web browser after logging out.

Re-Authentication

Required for Some Applications

Some university web applications and resources require re-authentication for access. This happens when the service provider requires an additional layer of security. If you use a U-M web application that requires re-authentication, you will need to authenticate with your uniqname and password immediately before using the application—even if you have already logged in using Weblogin.

If you use two-factor authentication (Duo), you will not need to repeat your two-factor authentication when you re-authenticate.

Required if You Change Your Location While Using Wireless

If you are using a wireless connection to the Internet and your IP address changes, you will be prompted to re-authenticate. This is likely to happen when you carry your laptop computer from one wireless location to another.

How to Re-Authenticate

You will see the Weblogin page. There will be text telling you to re-authenticate. Check that the URL/web address begins with https://weblogin.umich.edu/ to verify that you are on the real Weblogin page. Then enter your uniqname and password, then click the Re-Authenticate button.

How Secure Is Weblogin?

You password is secure when you use Weblogin—as long as you remember to log out when you are finished. Weblogin provides Kerberos credentials from a central server when appropriate. The only place your password is ever sent is to the central Weblogin service, and it is sent over SSL (Secure Socket Layer).

About SSL

SSL encryption ensures that your password cannot be stolen. Look for the "https" at the beginning of the URL and the lock icon in your address bar to let you know when SSL is being used. Some web browsers, such as Firefox, Chrome and Safari display a lock to the left of the URL. Others, such as Internet Explorer, display it in the far right side of the address bar. Other browsers may vary in where they display the lock.

About Cookies

You may notice that Weblogin requires your web browser to accept a cookie. This need not concern you because Weblogin uses only session cookies (cookies that expire when you quit your browser); Weblogin does not use domain cookies. To ensure that all cookies related to your Weblogin session expire, log out when you are finished and quit/exit your web browser.

Weblogin session cookies expire on their own after 12 hours or after 2 hours of no activity between your computer and any Cosign-protected site. Quitting your web browser causes the session cookies to expire. Logging out also makes the cookies expire, and, in addition, deletes credentials from the server. To protect the security of your online identity and data, log out when you are finished using Cosign-protected sites.

For a general definition of session cookies, see Webopedia.

For More Detail

For a technical overview of how Weblogin (using Cosign) works, see the Cosign Overview page.

Tips for Protecting Your Privacy

Using Weblogin on Your Own U-M Web Server

Cosign software for Weblogin is available on the Cosign website.

Contact the ITS Service Center for assistance or to have your Weblogin-protected resource added to the list of available resources.