Configuring Federation Services Settings

Before you begin using Federation Services, you must enter the initial configuration, and then do a pilot test. This allows you to make sure Federation Services is working for your firm’s default administrator prior to implementing Federation Services for all staff.

Federation Services has a Passive type and an Active type. All new implementations of Federation Services should use the Passive type. The Active type is only available to firms who have previously implemented that type.

You can pilot the Federation Services login regardless of your current login mode because the pilot test only impacts the firm’s default administrator and any user who has the system environmental variable. Other CCH Axcess users will continue to log in using your current login mode. See Pilot Testing Federation Services for more information.

After the pilot test, you should not edit the Federation Services settings unless you need to make changes for the identity server. See Updating Your Firm’s Federation Services Settings and Replace or Edit the Secondary Certificate Only for more information.

Important: Wolters Kluwer may need to make changes to your account to ensure continued access to CCH Axcess after you implement Federation Services. Before beginning Federation Services setup, we recommend reviewing the knowledge base article Planning for Changes to CCH Axcess Login Mode, and then contacting Wolters Kluwer so we can make the necessary changes.

Setting Up Federation Services the First Time

To establish the Federation Services settings, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
  2. Click Login Setup on the navigation panel.
  3. Select Enable Pilot mode for Federation login in the Federation Services settings section.
  4. Enter the following information:
    Component / Description

    Identity Provider certificate

    Enter the path or browse to locate the Federation Services token-signing certificate. This is the X.509 public key certificate, with a .cer file extension, in DER encoded binary format.

    Secondary certificate

    Enter the path or browse to locate the secondary token-signing certificate. In the event the primary certificate expires, the secondary certificate will automatically be used.

    View Certificate details

    Select to view details of the primary or secondary certificate, including validity dates.

    Issuer

    Enter the issuer of the authentication token that is sent from the Federation Server. The issuer is used to authenticate users during the login process. Retrieve this value from the AD FS Management > Federation Service Properties > Federation Service identifier field.

    Identity Provider service URL

    If your firm has previously set up the Active federation type, the IdP service URL displays here. The Active type is only available to firms who have previously implemented that type.

    Entity ID

    Enter the unique ID that Federation Services will use to identify that the caller is CCH Axcess. The entity ID is unique in your firm’s Federation Services server. If you edit the Federation Services settings, you must enter a new unique entity ID.

    Claim type

    Select from User ID, staff system email address, or, if your firm uses AD to manage staff, AD User SID.

    If you select AD User SID and your firm is not currently configured for AD, the AD wizard opens, allowing you to configure the AD integration in addition to the AD FS settings.

    Note: If a staff member must update the information that is being used for the claim type, it can only be edited by a CCH Axcess user with functional rights to edit security groups for all organizational units of the firm.

    Federation Type

    All new implementations of Federation Services should use the Passive type. The Active type is only available for firms who have previously set up Federation Services.

    • Passive federation uses SAML 2.0 WebSSO protocols for claim-based authentication.
    • Active federation supports WS-Federation protocols (SAML 1.0 and 1.1) for claim-based authentication. Select this option only if you need to change something while remaining on Active Federation.

    Identity Provider service URL

    If your firm previously set up Active federation, the Identity Provider service URL displays here. The Active type is only available to firms who have previously implemented that mode.

    SAML Single Sign On service URL and SAML version

    For Passive federation, enter the SAML SSO service URL and select the SAML version.
  5. Click Next.
  6. Click Generate Metadata to generate metadata based on the Federation login settings. The metadata will be used to establish a trust between CCH Axcess and your firm’s server.
  7. Select a location to save the metadata file, and click Save.
  8. Click Finish to save the Federation login settings and return to the Login Setup window showing the Enable Pilot mode for Federation login option selected.
  9. Establish trust with CCH Axcess. See Establishing Trust with CCH Axcess for more information.
  10. Log in to CCH Axcess in pilot test mode. See Pilot Testing Federation Services for more information.
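
The values step 4 asks for can be collected and checked on the AD FS server before you open the Login Setup form. The script below is an added example, not part of the CCH Axcess documentation: it reads the Federation Service identifier for the Issuer field, exports each token-signing certificate as a DER-encoded .cer file, and reports validity dates. The output folder and the 60-day warning window are assumptions.

```powershell
# Added example; run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$outDir   = 'C:\Temp\axcess-federation'  # hypothetical output folder
$warnDays = 60                           # hypothetical renewal warning window
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Issuer: the Federation Service identifier shown in
# AD FS Management > Federation Service Properties.
$issuer = (Get-AdfsProperties).Identifier
Write-Output "Issuer (Federation Service identifier): $issuer"

$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$now = Get-Date

# The primary token-signing certificate goes in "Identity Provider certificate";
# a non-primary one, if AD FS has it, goes in "Secondary certificate".
foreach ($entry in Get-AdfsCertificate -CertificateType Token-Signing) {
    $cert = $entry.Certificate
    $role = if ($entry.IsPrimary) { 'primary' } else { 'secondary' }
    $path = Join-Path $outDir "token-signing-$role-$($cert.Thumbprint).cer"

    # X509ContentType.Cert exports the public certificate only, as DER bytes.
    [System.IO.File]::WriteAllBytes($path, $cert.Export($certType))

    # A DER file starts with the ASN.1 SEQUENCE tag 0x30; a Base64 (PEM) file
    # starts with '-' (0x2D) from "-----BEGIN CERTIFICATE-----".
    $firstByte = [System.IO.File]::ReadAllBytes($path)[0]
    $daysLeft  = [math]::Floor(($cert.NotAfter - $now).TotalDays)

    [pscustomobject]@{
        Role        = $role
        Subject     = $cert.Subject
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        ExpiresSoon = ($daysLeft -lt $warnDays)
        DerEncoded  = ($firstByte -eq 0x30)
        File        = $path
    }
}
```

The exported files contain public certificates only, so no private key leaves the server. The first-byte test also works on a .cer file supplied from another source, where a Base64-encoded export is the usual cause of a format mismatch.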

Reviewing Your Firm’s Federation Login Settings

You can review your firm’s Federation login settings and regenerate the metadata, if necessary.

To view your firm’s Federation login settings, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
  2. Click Login Setup on the navigation panel.
  3. Click Configure Federation login settings to review or update the configuration. See the above procedure, Setting Up Federation Services the First Time, for more information.

     Note: When AD FS settings other than certificate settings are changed, metadata should be regenerated and trust should be re-established.

  4. Click Regenerate Metadata to generate metadata based on the login settings, if necessary.
  5. Re-establish trust with CCH Axcess. See Establishing Trust with CCH Axcess for more information.

What are the Next Steps?