Enabling Federation Services for Your Firm
After a successful pilot test of Federation Services by your default administrator, you can enable Federation Services for your firm.
To enable Federation Services for your firm, do the following:
- Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
- Click Login Setup on the navigation panel.
- Select Federation Services as the login mode.
- Review the Federation Services configuration.
  - Passive federation uses SAML 2.0 WebSSO protocols for claim-based authentication.
  - Active federation supports WS-Federation protocols (SAML 1.0 and 1.1) for claim-based authentication. Select this option only if you need to change something while remaining on Active Federation.
- Do one of the following:
  - Manage staff with Active Directory.
    - Select Manage staff using your firm's Active Directory to synchronize staff between your firm's Active Directory and CCH Axcess.
    - Click Next.
    - Provide the domain and credentials to connect to the location for the Active Directory users.
  - Manage staff in CCH Axcess. Clear Manage staff using your firm's Active Directory. The Staff Import utility can be used to import new users or they can be added manually in Staff Manager.
- Click Finish to enable Federation Services for your firm.
Component | Description |
---|---|
Identity Provider certificate | Enter the path or browse to locate the Federation Services token signing certificate, X509 Public key certificate, with a .cer file extension and DER Encoded Binary format. |
Secondary certificate | Enter the path or browse to locate the secondary token signing certificate. In the event the primary certificate expires, the secondary certificate will automatically be used. |
View Certificate details | Select to view details of the primary or secondary certificate, including validity dates. |
Issuer | Enter the issuer of the authentication token that is sent from the Federation Server. The issuer is used to authenticate users during the login process. Retrieve this value from the AD FS Management > Federation Service Properties > Federation Service identifier field. |
Identity Provider service URL | If your firm has previously set up the Active federation type, the IdP service URL displays here. The Active type is only available to firms who have previously implemented that type. |
Entity ID | Enter the unique ID that Federation Services will use to identify that the caller is CCH |
Claim type | Select from User ID, staff system email address, or, if your firm uses AD to manage staff, AD User SID. If you select AD User SID and your firm is not currently configured for AD, the AD wizard opens, allowing you to configure the AD integration in addition to the AD FS settings. Note: If a staff must update the information that is being used for the claim type, it can only be edited by a CCH
Federation Type | All new implementations of Federation Services should use the Passive type. The Active type is only available for firms who have previously set up Federation Services. |
Identity Provider service URL | If your firm previously set up Active federation, the Identity Provider service URL displays here. The Active type is only available to firms who have previously implemented that mode. |
SAML Single Sign On service URL and SAML version | For Passive federation, enter the SAML SSO service URL and select the SAML version. |
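
Before uploading the Identity Provider and secondary certificates described in the table, the files can be checked for DER encoding and for validity dates that let the secondary take over when the primary expires. The PowerShell below is an added example, not part of the CCH Axcess documentation or product: the function names are hypothetical, the 30-day warning window is an assumption, and the two certificates are constructed in memory as sample input. It assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: inspect one certificate blob before upload.
function Test-TokenSigningCert {
    param([byte[]]$Bytes, [int]$WarnDays = 30)   # 30-day window is an assumption
    $cert = [X509Certificate2]::new($Bytes)
    $now  = Get-Date
    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        # DER begins with the ASN.1 SEQUENCE tag 0x30; a Base-64 export begins with "-----BEGIN".
        IsDer        = ($Bytes[0] -eq 0x30)
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        ValidNow     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ExpiringSoon = ($cert.NotAfter -lt $now.AddDays($WarnDays))
    }
}

# Hypothetical helper: list problems with a primary/secondary pair.
function Test-CertPair {
    param([byte[]]$Primary, [byte[]]$Secondary)
    $p = Test-TokenSigningCert $Primary
    $s = Test-TokenSigningCert $Secondary
    if (-not $p.IsDer -or -not $s.IsDer) { 'a file is not DER encoded binary' }
    if (-not $p.ValidNow)                { 'primary is not currently valid' }
    if ($p.ExpiringSoon)                 { "primary expires $($p.NotAfter.ToString('yyyy-MM-dd'))" }
    if ($p.Thumbprint -eq $s.Thumbprint) { 'secondary is the same certificate as primary' }
    # The secondary only helps if it is already valid when the primary expires.
    if ($s.NotBefore -gt $p.NotAfter -or $s.NotAfter -le $p.NotAfter) {
        'secondary does not cover the moment the primary expires'
    }
}

# Constructed sample input: self-signed certificates built in memory, exported as DER.
function New-SampleCertBytes {
    param([string]$Name, [datetime]$From, [datetime]$To)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $der = $req.CreateSelfSigned([DateTimeOffset]$From, [DateTimeOffset]$To).Export([X509ContentType]::Cert)
    , $der
}

$now  = Get-Date
$prim = New-SampleCertBytes 'sample-primary'   $now.AddYears(-1) $now.AddDays(10)
$sec  = New-SampleCertBytes 'sample-secondary' $now.AddDays(-5)  $now.AddYears(1)
Test-TokenSigningCert $prim | Format-List
Test-CertPair $prim $sec
```

For real files, pass `[IO.File]::ReadAllBytes(<path to the .cer file>)` to the same functions in place of the sample bytes.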