End of Life Information - SSL3 and TLS 1.0 using Federated Identity as of 17.1 Update


We are re-posting this announcement due to its urgent status related to the 17.1 Update on Thursday, January 19th.

It is very important that you test the 17.1 Beta in your environment prior to the release to ensure your users can log into NetDocuments. If you can successfully log in using the beta, then your users will be fine.

If you are using ADFS as your identity provider, then you have to use the 3.b option described below to ensure you do not have any issues logging in with 17.1. Here's how to access the 17.1 Beta.

Also, please make sure the certificate on your ADFS server and related network devices is not expired. If it is, you will need to update it prior to the release of the 17.1 Update.

When NetDocuments is configured to use Federated Identity and a federation metadata document URL has been entered on the Advanced Authentication Configuration page, the NetDocuments servers regularly make web service calls to retrieve the identity provider’s metadata document. These calls and their responses are encrypted using a security protocol negotiated between the NetDocuments servers and the identity provider servers.

NetDocuments currently supports the following protocols for these connections:

  • SSL 3
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

In order to improve security, NetDocuments is going to drop support for the two oldest protocols (SSL 3 and TLS 1.0) in the 17.1 Update, which is scheduled for early 2017. This means that NetDocuments will be unable to retrieve the metadata document from your identity provider if it doesn't support either TLS 1.1 or TLS 1.2. So, if you use federated identity, it is important to confirm that your identity provider supports one of these protocols by the end of the year. The cloud-based identity providers (Okta, OneLogin, Azure Active Directory) already support TLS 1.1 and TLS 1.2. So, this is only a potential issue if you are hosting your own identity provider like ADFS.

https://www.ssllabs.com/ssltest/index.html offers a free test where you can check the protocols supported by your servers. Test the host named in your federation metadata document URL, since that is the server NetDocuments connects to.
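The SSL Labs test only reaches servers that are exposed to the Internet. The following script is an added example (it is not NetDocuments' code and not part of this announcement) that performs the same kind of check from any machine that can reach the identity provider: it attempts one handshake per protocol version using Python's standard `ssl` module and then applies the rule stated above, that the identity provider must speak TLS 1.1 or TLS 1.2 to remain reachable after the 17.1 Update. It goes slightly beyond the text by also probing TLS 1.3 and by flagging the legacy protocols that are still enabled. The host name `adfs.example.com` is a placeholder; certificate validation is disabled only because the purpose is to learn which protocol versions the server offers, not to trust it.

```python
import socket
import ssl

# Protocol versions this probe can offer, mapped to the ssl module's constants.
# SSL 3 is listed for completeness; most current OpenSSL builds refuse to offer
# it, and the probe then reports None ("not testable locally") for it.
PROTOCOLS = {
    "SSL 3": ssl.TLSVersion.SSLv3,
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def make_context(version):
    """Build a client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic only: we are asking "which versions does the server offer?",
    # not establishing a trusted session, so identity checks are switched off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Pin the handshake to a single version so success is unambiguous.
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Old versions come with old cipher suites; relax OpenSSL's security level
    # so they can actually be offered. Some TLS libraries reject this string.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_host(host, port=443, timeout=5.0):
    """Return {protocol name: True (offered) / False (refused) / None (untestable)}."""
    results = {}
    for name, version in PROTOCOLS.items():
        try:
            ctx = make_context(version)
        except (ValueError, ssl.SSLError):
            results[name] = None  # local TLS library cannot offer this version at all
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    # min == max, so a completed handshake means this exact version.
                    results[name] = tls.version() is not None
        except OSError:
            # ssl.SSLError, timeouts and connection resets are all OSError subclasses;
            # a refused handshake is the normal way a server says "not supported".
            results[name] = False
    return results


def assess(results):
    """Apply the 17.1 rule: the identity provider must offer TLS 1.1 or TLS 1.2."""
    modern = [p for p in ("TLS 1.1", "TLS 1.2") if results.get(p)]
    legacy = [p for p in ("SSL 3", "TLS 1.0") if results.get(p)]
    return {
        "compatible_with_17_1": bool(modern),
        "modern_protocols": modern,
        "legacy_protocols_enabled": legacy,
    }


if __name__ == "__main__":
    import sys

    # Placeholder host; pass your federation metadata host as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "adfs.example.com"
    results = probe_host(host)
    for name, state in results.items():
        label = {True: "offered", False: "refused", None: "not testable locally"}[state]
        print(f"{name:8} {label}")
    print(assess(results))
```

Run it from a machine on the same network as the ADFS server (for example `python probe.py adfs.yourdomain.com`). A result of `compatible_with_17_1: False` means the metadata fetch will fail after the update unless you enable TLS 1.1 or 1.2 on the server or use the manual upload in Step 3.b. If you take the manual route, remember that the upload is a snapshot: because NetDocuments no longer contacts the identity provider, later changes to the metadata, such as a new token-signing certificate, are not seen until you upload the document again.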

This change affects only outbound web service calls from NetDocuments to identity providers. It does not affect incoming connections to NetDocuments from browsers, API clients, etc. 

Note that if you do not want to modify your identity provider servers to support the newer protocols, one option is to download the metadata document from your identity provider servers and manually upload the document to NetDocuments on the Advanced Authentication Configuration page in the Step 3.b section. If this is done, then NetDocuments servers will never directly connect to your identity provider servers, so the change in the 17.1 Update that drops support for the older protocols will not affect you. But for best security we encourage you to update your identity provider servers even if you use this option. You do not need to wait for the NetDocuments 17.1 Update to make these changes. You can make these changes at any time between now and the 17.1 Update, and you will immediately benefit from better security as the servers negotiate to use one of the more secure protocols.