Penn Computing

mod_cosign Directives

The following Apache configuration directives are recognized by mod_cosign. Each is listed with its default value and the contexts within the Apache configuration structure where it can be used.

| Directive and Syntax | Description | Default Value | Server config context |
|---|---|---|---|
| CosignHostname fully-qualified-domain-name | The name of the host running cosignd. | Default: cosign.example.edu. Use: weblogin.pennkey.upenn.edu | VirtualHost, Location, Directory |
| CosignPort integer | The port on which Cosign listens for authentication requests. | Default: 6663 | VirtualHost, Location, Directory |
| CosignService service name | The name of the Cosign service cookie. | Default: None | VirtualHost, Location, Directory |
| CosignRedirect URL | The URL of the Cosign login CGI. | Default: None. Use: https://weblogin.pennkey.upenn.edu/login | VirtualHost, Location, Directory |
| CosignPostErrorRedirect URL | The URL to which a user is redirected if an error is encountered during a POST to the login CGI. This screen informs the user that their data has been dropped. | Default: None. Use: https://weblogin.pennkey.upenn.edu/post_error.html | VirtualHost, Location, Directory |
| CosignValidReference regex | A regular expression matching valid service URLs. The administrator uses this directive to ensure users will be redirected to a safe URL following cookie validation. | Default: None | VirtualHost, Location |
| CosignValidationErrorRedirect URL | The URL to which a user is redirected if the service URL does not match the regular expression from CosignValidReference, or if mod_cosign cannot validate the service cookie passed from the CGI. | Default: None. Use: https://weblogin.pennkey.upenn.edu/validation_error.html | VirtualHost, Location |
| CosignRequireFactor Factor1 [Factor2...FactorN] | A list of the factors that must be satisfied by the user. | Default: None. Use: UPENN.EDU | VirtualHost, Location, Directory, .htaccess |
| CosignFactorSuffix FactorsSuffix | An optional factor suffix to be used when testing for compliance. | Default: None | VirtualHost, Location, Directory |
| CosignFactorSuffixIgnore On\|Off | Toggles whether the value of CosignFactorSuffix is ignored. | Default: Off | VirtualHost, Location, Directory |
| CosignFilterDB Path | The path to the Cosign filter database. | Default: /var/cosign/filter | VirtualHost |
| CosignProxyDB Path | The path to the Cosign proxy database. | Default: /var/cosign/proxy | VirtualHost |
| CosignFilterHashLength 0\|1\|2 | The subdirectory hash length for the Cosign filter database. | Default: 0 | VirtualHost |
| CosignTicketPrefix Path | The path to the Kerberos ticket store. | Default: /ticket | VirtualHost |
| CosignProtected On\|Off | Toggles whether Cosign will protect the directory or location. | Default: On | VirtualHost, Location, Directory, .htaccess |
| CosignSiteEntry URL | The URL to which the user is redirected after login. | Default: None | VirtualHost, Location, Directory |
| CosignAllowPublicAccess On\|Off | Toggles whether authentication is optional for protected sites. | Default: Off | VirtualHost, Location, Directory |
| CosignHttpOnly On\|Off | Toggles whether the module can be used without SSL. Enabling this directive is not recommended. | Default: Off | VirtualHost, Location, Directory |
| CosignCrypto key-file cert-file ca-directory | Paths to the SSL key file, certificate file, and CA directory. | Default: /var/cosign/certs/key.pem /var/cosign/certs/cert.pem /var/cosign/certs/CA | VirtualHost, Location, Directory |
| CosignCookieExpireTime time-in-seconds | Assigns the expiration time, in seconds, for authentication cookies. | Default: 86400 (24 hours) | VirtualHost |
| CosignGetProxyCookies On\|Off | Toggles whether module proxy cookies will be requested from cosignd. | Default: Off | VirtualHost, Location, Directory |
| CosignGetProxyKerberosTickets On\|Off | Toggles whether the value of "tgt" will be requested from cosignd. | Default: Off | VirtualHost, Location, Directory |
| CosignGetProxyKerberosSetupGSS On\|Off | Toggles whether the environment will be set up such that other Apache modules that require GSSAPI or Kerberos will work, such as IMP running under mod_php. | Default: Off | VirtualHost, Location, Directory |
| CosignCheckIP never\|initial\|always | Toggles whether the browser's IP is verified against cosignd's IP information. | Default: initial | VirtualHost |
| CosignAllowValidationRedirect On\|Off | Catches mismatches of current hostname and destination URL hostname. If CosignAllowValidationRedirect is On, and the destination URL matches CosignValidReference, mod_cosign will construct a new validation URL and forward the request to the destination URL's hostname. | Default: Off | VirtualHost, Location |
| CosignAuthenticationLifetime integer | This feature allows a service to demand re-authentication when the time of last authentication on weblogin.pennkey.upenn.edu has become too old. | Default: None | VirtualHost, Location, Directory, .htaccess |
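
An added example (not part of the Penn documentation or the Cosign project): a small Python check that reads a vhost fragment and tests the two settings the table ties to redirect safety and transport, CosignValidReference and CosignHttpOnly. The host app.example.edu, the service name and the probe URLs are constructed placeholders, and the regex is assumed to be applied as an unanchored search over the service URL.

```python
import re

# Constructed vhost fragment. app.example.edu and example-service are placeholders;
# the weblogin.pennkey.upenn.edu values are the "Use:" values from the table.
WEAK_CONF = r"""
<VirtualHost *:443>
    CosignProtected On
    CosignHostname weblogin.pennkey.upenn.edu
    CosignRedirect https://weblogin.pennkey.upenn.edu/login
    CosignService example-service
    CosignValidReference https://app\.example\.edu
    CosignValidationErrorRedirect https://weblogin.pennkey.upenn.edu/validation_error.html
    CosignHttpOnly On
</VirtualHost>
"""
# Same fragment with the reference regex anchored and SSL required again.
HARDENED_CONF = (WEAK_CONF
    .replace(r"https://app\.example\.edu", r"^https://app\.example\.edu(/.*)?$")
    .replace("CosignHttpOnly On", "CosignHttpOnly Off"))

# Constructed probe URLs: what the service serves vs. where it must never redirect.
MUST_ACCEPT = ["https://app.example.edu/", "https://app.example.edu/reports?id=1"]
MUST_REJECT = ["https://app.example.edu.other.example/",
               "https://app.example.education/",
               "http://other.example/?next=https://app.example.edu/"]

def cosign_directives(conf):
    """Map each Cosign* directive in the config text to its argument string."""
    pairs = (re.match(r"\s*(Cosign\w+)\s+(.*\S)", line) for line in conf.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def audit(conf):
    """Return a list of findings for the redirect and transport settings."""
    d, findings = cosign_directives(conf), []
    if d.get("CosignHttpOnly", "Off").lower() == "on":
        findings.append("CosignHttpOnly On: module runs without SSL")
    ref = d.get("CosignValidReference")
    if ref is None:
        return findings + ["CosignValidReference not set"]
    # Assumption: the regex is applied as an unanchored search over the service URL.
    for url in MUST_ACCEPT:
        if not re.search(ref, url):
            findings.append(f"CosignValidReference rejects legitimate URL {url}")
    for url in MUST_REJECT:
        if re.search(ref, url):
            findings.append(f"CosignValidReference accepts unintended URL {url}")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```
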

Information Systems and Computing
University of Pennsylvania