Updating Your Firm’s Federation Services Settings

If you edit your firm’s Federation Services settings, the default administrator must pilot test the settings prior to enabling the changes for all Federation Services users.

Important: If you are switching from the Active to the Passive type of Federation Services, Wolters Kluwer may need to make changes to your account to ensure continued access to CCH Axcess. Before changing the type, we recommend reviewing the knowledge base article Planning for Changes to CCH Axcess Login Mode, and then contacting Wolters Kluwer so we can make the necessary changes.

Note: If you only need to replace or edit the secondary certificate, you can make this change without a repilot. Instead of the instructions below, follow the procedure Replace or Edit the Secondary Certificate Only.

Any change to your firm’s Federation Services login settings requires you to re-establish trust with CCH Axcess. If the settings do not match, your staff may not be able to log in to CCH Axcess.

To edit Federation Services settings, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
  2. Click Login Setup on the navigation panel.
  3. Select Enable Pilot mode to test your changes to your firm’s Federation login settings.
  4. Update your firm’s Federation Services settings.
    Component: Description

    Identity Provider certificate: Enter the path or browse to locate the Federation Services token signing certificate. This must be an X.509 public key certificate with a .cer file extension in DER Encoded Binary format.

    Secondary certificate: Enter the path or browse to locate the secondary token signing certificate. If the primary certificate expires, the secondary certificate is used automatically.

    View Certificate details: Select to view details of the primary or secondary certificate, including validity dates.

    Issuer: Enter the issuer of the authentication token that is sent from the Federation Server. The issuer is used to authenticate users during the login process. Retrieve this value from the AD FS Management > Federation Service Properties > Federation Service identifier field.

    Identity Provider service URL: If your firm has previously set up the Active federation type, the IdP service URL displays here. The Active type is only available to firms who have previously implemented that type.

    Entity ID: Enter the unique ID that Federation Services will use to identify that the caller is CCH Axcess. The entity ID is unique in your firm’s Federation Services server. If you edit the Federation Services settings, you must enter a new unique entity ID.

    Claim type: Select from User ID, staff system email address, or, if your firm uses AD to manage staff, AD User SID.

    If you select AD User SID and your firm is not currently configured for AD, the AD wizard opens, allowing you to configure the AD integration in addition to the AD FS settings.

    Note: If a staff member must update the information that is being used for the claim type, it can be edited only by a CCH Axcess user with functional rights to edit security groups for all organizational units of the firm.

    Federation Type: All new implementations of Federation Services should use the Passive type. The Active type is only available for firms who have previously set up Federation Services.

    • Passive federation uses SAML 2.0 WebSSO protocols for claim-based authentication.
    • Active federation supports WS-Federation protocols (SAML 1.0 and 1.1) for claim-based authentication. Select this option only if you need to change something while remaining on Active Federation.

    Identity Provider service URL: If your firm previously set up Active federation, the Identity Provider service URL displays here. The Active type is only available to firms who have previously implemented that mode.

    SAML Single Sign On service URL and SAML version: For Passive federation, enter the SAML SSO service URL and select the SAML version.
  5. Click Next.
  6. Click Generate Metadata to generate metadata based on the Federation login settings. The metadata will be used to establish a trust between CCH Axcess and your firm’s server.
  7. Select a location to save the metadata file, and click Save.
  8. Click Finish to save the Federation Services login settings.
  9. Re-establish trust with CCH Axcess. See Establishing Trust with CCH Axcess for more information.
  10. Log in to CCH Axcess in pilot test mode. See Pilot Testing Federation Services for more information.

    Tip: We recommend deleting the previous trust with CCH Axcess after ensuring that the default administrator is able to successfully log in with the new Federation Services settings.

  11. Click Apply Updates and Finish on the Federation Services Setup wizard.
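
The certificate requirements in step 4 can be checked before you upload the files. The following PowerShell is an added example, not Wolters Kluwer code: it confirms each .cer file is DER-encoded binary, reports its validity dates, and goes slightly beyond the page by checking that the secondary certificate is still valid when the primary expires. The function names and file names are hypothetical.

```powershell
# Added example (not vendor code): pre-upload check of token signing .cer files.
function Get-CerReport {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)

    # DER-encoded X.509 begins with the ASN.1 SEQUENCE tag 0x30. A Base64 export
    # begins with the text "-----BEGIN CERTIFICATE-----" (first byte 0x2D).
    $isDer = ($bytes.Length -gt 0) -and ($bytes[0] -eq 0x30)

    # X509Certificate2 loads either encoding, so the byte check above is still needed.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    $now  = Get-Date
    [pscustomobject]@{
        File       = Split-Path -Leaf $full
        DerEncoded = $isDer
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        ValidNow   = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        DaysLeft   = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    }
}

# Returns a list of problems; an empty result means the pair passed every check.
function Test-CerPair {
    param([Parameter(Mandatory)]$Primary, [Parameter(Mandatory)]$Secondary)
    $problems = @()
    foreach ($c in @($Primary, $Secondary)) {
        if (-not $c.DerEncoded) { $problems += "$($c.File): not DER-encoded binary" }
    }
    if (-not $Primary.ValidNow) { $problems += "$($Primary.File): outside its validity dates" }
    if ($Primary.Thumbprint -eq $Secondary.Thumbprint) {
        $problems += 'Secondary is the same certificate as the primary'
    }
    # The secondary only helps if it is valid at the moment the primary expires.
    if (($Secondary.NotBefore -gt $Primary.NotAfter) -or ($Secondary.NotAfter -le $Primary.NotAfter)) {
        $problems += 'Secondary is not valid when the primary expires'
    }
    $problems
}

# Hypothetical file names; replace with the files exported from your Federation Services server.
$primaryPath, $secondaryPath = '.\token-signing-primary.cer', '.\token-signing-secondary.cer'
if ((Test-Path $primaryPath) -and (Test-Path $secondaryPath)) {
    $p = Get-CerReport -Path $primaryPath
    $s = Get-CerReport -Path $secondaryPath
    $p, $s | Format-Table File, DerEncoded, NotBefore, NotAfter, DaysLeft
    Test-CerPair -Primary $p -Secondary $s
}
```

Comparing the reported thumbprints with the certificates shown in AD FS Management confirms that the exported files are the ones your server is actually signing with.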