To sign in to Adobe mobile apps on iOS, your SSO server or IdP must be compliant with Apple's App Transport Security (ATS) requirements.

If you are using Federated IDs and are using Adobe iOS mobile apps, check to see if your Single Sign On (SSO) server supports Apple’s App Transport Security (ATS) requirements. Update your servers to support ATS requirements before January 1, 2017 to sign in to Adobe iOS applications.

Background

In iOS 9, Apple introduced a new security feature called App Transport Security (ATS). To be ATS compliant:

  • Server must support at least Transport Layer Security (TLS) 1.2
  • Connection ciphers must provide forward secrecy
  • Certificates must be signed with either an RSA key with a length of at least 2048 bits or an ECC key with a size of at least 256 bits  

This feature is described in the iOS 9 release notes in the section titled “App Transport Security”. At WWDC 2016 in June, Apple announced the enforcement of App Transport Security (ATS) for all mobile applications submitted to the App Store by the end of 2016. When an Adobe iOS app attempts to communicate with servers that do not meet the security requirements for login via Single Sign On (SSO), an error will be returned and communication will fail.

Action Required

Verify that your Single Sign-On setup for Federated IDs is compliant with the requirements for ATS.

If your server is not compliant, update your servers to support the App Transport Security requirements before January 1, 2017 in order to continue your access to Adobe iOS applications using Federated IDs. If you're using a third-party Identity Provider service, contact your service provider with this information.

Testing ATS Connection Capability

Here are two ways to check if the server is compliant with ATS:

Method 1: Use SSL Labs' online utility

SSL Labs (which has become the industry standard for measuring the security of TLS configurations) has a check for ATS compliance. To verify compliance, do the following:

  1. Enter the IdP Login URL used to configure Single Sign On. For more information, see Configure Single Sign-On.

  2. Click Submit. 

  3. Once the results are ready, check the Apple ATS 9 / iOS 9 entry in the Handshake Simulation section. If it is green, your server supports ATS requirements.

    If your server does not support ATS requirements, then you will see a red error message similar to the error below:

Method 2: Use nscurl command from a Mac computer

If you are using Mac OS X 10.11 "El Capitan" or later, you can also use the nscurl command. 

In the Mac Terminal, type:

nscurl --ats-diagnostics <url>  

If the URL is ATS compatible, you will see:

Updating your server

Please contact your Identity Provider (IdP) to update security settings on your SSO server to support TLS v1.2 and Forward Secrecy for continued use of Adobe iOS apps.
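After a server update, the three requirements listed under Background can also be checked in a script. The following is an added example, not Adobe's or Apple's code: the function names and the sample values are assumptions, forward secrecy is judged from the cipher name only, and the certificate key type and size must be supplied separately because the Python standard library does not expose them.

```python
import re
import socket
import ssl

# Protocol names as reported by ssl.SSLSocket.version(); TLS 1.2 is the ATS minimum.
ATS_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Minimum certificate key sizes from the requirements list on this page.
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


def has_forward_secrecy(protocol, cipher):
    """Name-based approximation: every TLS 1.3 suite uses ephemeral key
    exchange; for older versions look for (EC)DHE in the cipher name."""
    if protocol == "TLSv1.3":
        return True
    return re.search(r"(^|[-_])(ECDHE|DHE)[-_]", cipher) is not None


def ats_findings(protocol, cipher, key_type, key_bits):
    """Return the list of ATS requirements a negotiated connection fails."""
    findings = []
    if protocol not in ATS_PROTOCOLS:
        findings.append(f"protocol {protocol} is below TLS 1.2")
    if not has_forward_secrecy(protocol, cipher):
        findings.append(f"cipher {cipher} has no forward secrecy")
    minimum = MIN_KEY_BITS.get(key_type)
    if minimum is None:
        findings.append(f"certificate key type {key_type} is not RSA or ECC")
    elif key_bits < minimum:
        findings.append(f"{key_type} key of {key_bits} bits is under {minimum}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with the best settings this client and the server share and
    return (protocol, cipher) for use with ats_findings()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample handshake results (not taken from a real server).
SAMPLES = {
    "compliant": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 2048),
    "legacy": ("TLSv1", "AES128-SHA", "RSA", 1024),
}
```

An empty list from ats_findings() means the connection meets all three listed requirements; treat it as a pre-check and confirm with SSL Labs or nscurl as described above.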

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
