NetDocuments provides a variety of advanced authentication options such as Digital Certificates and IP address to control and restrict access to the repository. This page is accessed from the Repository Administration menu.
Go to Add and Remove Users and Groups, then Configure advanced authentication options.
Clicking this link opens a page with two sections:
Authentication Requirements – requires users to log in via Automated Login, Digital Certificate-based login, or by IP address. Learn more about automated login options.
Federated Identity – allows users to log in to NetDocuments via an identity provider, such as WAAD or ADFS.
To set up your Advanced Authentication, click the link that says Add another requirement. It will then appear as shown below.
In the example above, we have clicked the link 3 times to show how you can add more than one requirement. Multiple requirements use OR logic. This means that when a user first attempts to access the repository, NetDocuments will use the first requirement that is displayed. If that requirement is not met, then NetDocuments will move on to the next one.
You will notice that you can define authentication based on IP Address(es), OR you can use Automated Login, OR you can use Digital Certificate. Access to your NetDocuments Repository is not allowed when methods other than these are used. You will also be able to restrict the Digital Certificate option to only allow usage of certificates from issuers that you specify.
NOTE: The advanced authentication requirements outlined above will apply to all users of the repository, both Internal and External Users. Requirements defined with federated identity will apply to all users of a single domain (e.g. @lawfirm.com), which must be registered with NetDocuments in order to use federated identity. There is NOT a way to require two-factor authentication for only External Users or only Internal Users.
NOTE: If you want to delete a requirement, click the link on the right side. Be careful not to set a criterion that will lock you and your users out. If you do this accidentally, submit a support ticket at https://support.netdocuments.com.
NOTE: Because the API authentication tokens are placed in the registry and are valid for 12 months, IP address restrictions may not apply after the tokens are created. If a user connects from outside the IP restrictions while the authentication tokens are still valid, they will be able to log in. This applies to ndOffice, ndSync, mobile apps, and any application that uses the API's OAuth authentication protocol.
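The token caveat in the note above can be checked for in sign-in records. The following is an added example, not NetDocuments code: it flags API-token access from outside the configured IP ranges while the token is still within its 12-month lifetime. The record field names, IP ranges and sample events are constructed assumptions, and 12 months is approximated as 365 days.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the ranges entered in the IP address requirement (documentation ranges).
ALLOWED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.16/28")]
TOKEN_LIFETIME = timedelta(days=365)  # "valid for 12 months", approximated as 365 days

# Constructed sample records; field names are hypothetical, not a NetDocuments export format.
SAMPLE_EVENTS = [
    {"user": "alice@lawfirm.com", "auth": "interactive", "ip": "203.0.113.40",
     "time": "2024-03-01T09:00:00", "token_issued": None},
    {"user": "bob@lawfirm.com", "auth": "api_token", "ip": "192.0.2.77",
     "time": "2024-03-02T22:15:00", "token_issued": "2023-11-20T08:30:00"},
    {"user": "carol@lawfirm.com", "auth": "api_token", "ip": "198.51.100.20",
     "time": "2024-03-03T10:05:00", "token_issued": "2024-01-10T14:00:00"},
    {"user": "dave@lawfirm.com", "auth": "api_token", "ip": "192.0.2.9",
     "time": "2024-03-04T07:45:00", "token_issued": "2023-01-15T12:00:00"},
]

def in_allowed_range(ip, ranges=ALLOWED_RANGES):
    """True when the address falls inside any configured range."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)

def token_access_outside_ranges(events, ranges=ALLOWED_RANGES):
    """Return API-token events from outside the ranges whose token is still valid."""
    findings = []
    for ev in events:
        # Interactive logins are subject to the IP requirement; in-range tokens are expected.
        if ev["auth"] != "api_token" or in_allowed_range(ev["ip"], ranges):
            continue
        seen = datetime.fromisoformat(ev["time"])
        expires = datetime.fromisoformat(ev["token_issued"]) + TOKEN_LIFETIME
        if seen < expires:  # records carrying an expired token are skipped
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "days_until_expiry": (expires - seen).days})
    return findings

if __name__ == "__main__":
    for f in token_access_outside_ranges(SAMPLE_EVENTS):
        print(f"{f['user']} used an API token from {f['ip']}; "
              f"token valid for {f['days_until_expiry']} more days")
```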
Restricting Password Reset Requests
When setting an IP address restriction, administrators also have the option to restrict password reset requests to an IP address range.
When outside the specified IP range, users will not be able to request a password reset link from the login page. This minimizes password reset requests from external sources.