information technology central services at the university of michigan
Using Web-Authenticated Resources
(Weblogin Using CoSign) at U-M

S4307 • October 2006

The U-M weblogin page allows you to log in once per web session to gain access to many protected web resources. This document explains how the process protects your UMICH password and provides tips to help you keep your password and personal information private while using weblogin. The most important thing you can do to protect your privacy is to remember to logout when you have finished using protected web resources.

Table of Contents


What Is Weblogin?

Weblogin is a web page (and the software behind it) that allows you to log in once to gain access to a variety of protected U-M web resources, including Wolverine Access, mail.umich.edu, mFile, the U-M Online Directory, CTools, and more.

After logging in with your uniqname and UMICH password, you can use most of the weblogin-protected resources without having to log in again (except those that require re-authentication—see Re-Authentication below). Weblogin-protected resources are listed on the Authenticated Resources page.

IMPORTANT! To protect your privacy and personal information, be sure to logout when you have finished using these resources.

Weblogin is U-M's implementation of CoSign software. CoSign was developed at U-M. For technical information about CoSign and how it works, see the CoSign web pages.

^ Table of Contents

Logging In

There are two ways to log in using weblogin:

  • Log in to any weblogin resource (such as mail.umich.edu or Wolverine Access), and you will be directed to the weblogin page, where you can log in with your uniqname and UMICH Kerberos password.

  • Use your web browser to connect directly to the weblogin page (http://weblogin.umich.edu/), then log in with your uniqname and UMICH Kerberos password.

    Screen shot of weblogin page

You will then be automatically logged in to all weblogin resources (except those for which the service provider requires re-authentication. For example, if you log in to use mail.umich.edu and then go to mFile, you won't need to log in again.

^ Table of Contents

Logging Out

Logging in with weblogin gives you access to a large number of protected web services. To prevent unauthorized access (such as the ability to access and change your e-mail, student or staff record, directory entry, and much more) remember to log out when you are finished.
  1. Click the logout link in any U-M weblogin-protected application to log out of all U-M weblogin-protected applications.

    Screen shot of log out links in four different applications

  2. Confirm that you really do want to log out.

    Screen shot of log out confirmation

    TIP: In most web browsers, you can simply press the Return or Enter key to select the Logout option instead of clicking the button.

  3. For added security, quit your web browser after logging out.

^ Table of Contents

Re-Authentication

Required for Some Applications
Some U-M web applications and resources require re-authentication for access. This happens when the service provider requires an additional layer of security. If you use a U-M web application that requires re-authentication, you will need to authenticate with your uniqname and password immediately before using the application—even if you have already logged in using weblogin.
Required if You Change Your Location While Using Wireless
If you are using a wireless connection to the Internet and your IP address changes, you will be prompted to re-authenticate. This is likely to happen when you carry your laptop computer from one wireless location to another.
How to Re-Authenticate
You will see a web re-authentication page similar to the one shown below. (The message in red will vary depending on the reason you are being prompted to re-authenticate.) Enter your password, then click the Re-Authenticate button.

Screen shot of re-authentication page

^ Table of Contents

How Secure Is Weblogin?

You password is secure when you use weblogin -- as long as you remember to log out when you are finished. Weblogin provides Kerberos credentials from a central server when appropriate. The only place your password is ever sent is to the central weblogin service, and it is sent over SSL (Secure Socket Layer).
About SSL
SSL encryption ensures that your password cannot be stolen. Look for the "https" at the beginning of the URL and the lock icon in a corner of your browser window to let you know when SSL is being used. Some web browsers, such as Internet Explorer and Firefox, display a lock in the lower right corner. Others, such as Safari, display it in the upper right corner. Other browsers may vary in where they display the lock.

Screen shot of lock icon
About Cookies
You may notice that weblogin requires your web browser to accept a cookie. This need not concern you because weblogin uses only session cookies (cookies that expire when you quit your browser); weblogin does not use domain cookies. To ensure that all cookies related to your weblogin session expire, log out when you are finished and quit/exit your web browser.

Weblogin session cookies expire on their own after 12 hours or after 2 hours of no activity between your computer and any CoSign-protected site. Quitting your web browser causes the session cookies to expire. Logging out also makes the cookies expire, and, in addition, deletes credentials from the server. To protect the security of your online identity and data, log out when you are finished using CoSign-protected sites.

For a general definition of session cookies, see Webopedia.

For More Detail
For a technical overview of how weblogin (using CoSign) works, see the CoSign Overview page.

^ Table of Contents

Tips for Protecting Your Privacy

  • Log out. Whenever you log into something, make sure you log out when you are finished so that others cannot gain unauthorized access to your records by using your machine.

  • Check for SSL. Look for the "https" at the beginning of the web address and a lock icon in a corner of your browser window to let you know when SSL (Secure Socket Layer) is being used. You should never give your password to any site that is not using SSL encryption.

  • Use U-M passwords only with U-M services. You should never give your UMICH Kerberos password to any web server that is not at umich.edu.

  • Choose a secure password. Choose a password that is difficult to guess. See Choosing and Changing a Safe and Secure UMICH Password (R1162) for details.

  • Keep your password secret. Never tell anyone your password, not even the people who help you with computing. No reputable computer support person will ever ask you for your password. Do not write down your password and leave it where others can see it.

^ Table of Contents

Using Weblogin on Your Own U-M Web Server

CoSign software for weblogin is available on the CoSign web site.

Contact the U-M Webmaster Team for assistance or to have your weblogin-protected resource added to the list of available resources.

^ Table of Contents

Additional Resources

Visit ITCS's Information System to obtain ITCS computer documentation and other resources. A list of relevant documents follows:

We welcome your comments; please send e-mail.

ITCS's Online Help Desk provides a variety of computing help resources.

For further help using weblogin, send e-mail or phone (734) 764-HELP.

^ Table of Contents

ITCS
Information Technology Central Services at the University of Michigan

ITCS Home  |  University of Michigan