Replacing the Federation Services Identity Provider Certificate

Whenever you change or renew the Federation Services token signing certificate, it is important that you also update the Identity Provider certificate in the CCH Axcess Federation Services login settings or the Federation Services pilot login settings.

Note: If you replace the primary certificate, you must reestablish trust and perform a pilot test. If you are only replacing the secondary certificate, these steps are not necessary. See Replace or Edit the Secondary Certificate Only below for more information.

Replace Certificate During Pilot Testing

If your firm is pilot testing Federation Services login mode, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
  2. Click Login Setup on the navigation panel.
  3. Click Configure Federation login settings.
  4. Click Browse to select your new Identity Provider certificate.

    Note: The certificate should be the public key of your firm’s Federation Services token signing certificate and should be in DER encoded binary format.

  5. Click Next.
  6. Click Generate Metadata to generate metadata based on the Federation login settings. The metadata will be used to establish a trust between CCH Axcess and your firm’s server.
  7. Select a location to save the metadata file, and click Save.
  8. Establish the relying party trust with CCH Axcess using the generated metadata. See Establishing Trust with CCH Axcess for more information. Once the trust is successfully established, you have successfully updated your Identity Provider Certificate in CCH Axcess.
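
The note in step 4 asks for the public certificate in DER encoded binary format. The following pre-upload check is an added example, not part of the CCH Axcess documentation or product: it tells a binary DER certificate apart from a Base64 (PEM) export or a file that carries key material (PKCS#12/PFX or a private key), and computes a thumbprint to compare with the token signing certificate on your Federation Services server. The function names and the sample bytes are assumptions constructed for illustration, and the check is structural only (it does not verify signatures or validity dates).

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                       # long form: low bits give the length-of-length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def classify_upload(data):
    """Return 'der-cert', 'pem', 'key-or-pfx' or 'unknown' for candidate file bytes."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"                        # Base64 text: re-export as DER before uploading
    try:
        tag, start, end = read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "unknown"                # must be one SEQUENCE with no trailing bytes
        if data[start:start + 1] == b"\x02":
            return "key-or-pfx"             # leading INTEGER version: PKCS#12 or private key
        tags, pos = [], start
        while pos < end:                    # walk the top-level children
            child_tag, child_start, pos = read_tlv(data, pos)
            tags.append((child_tag, child_start))
        if [t for t, _ in tags] == [0x30, 0x30, 0x03]:
            # tbsCertificate of an X.509 v3 certificate opens with the [0] version tag
            if read_tlv(data, tags[0][1])[0] == 0xA0:
                return "der-cert"
    except ValueError:
        pass
    return "unknown"

def thumbprint(data, algorithm="sha1"):
    """Hex digest of the DER bytes, for comparison with the token signing certificate."""
    return hashlib.new(algorithm, data).hexdigest().upper()

def tlv(tag, value):
    """Encode a short DER element (constructed sample data only, value < 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed skeleton with the shape of a v3 certificate; not a real certificate.
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01"))
                 + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Only a file classified as der-cert matches what step 4 describes; a key-or-pfx result means the file may contain the token signing private key and should not be uploaded or shared.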

Replace Certificate While Using Federation Login Mode

If your firm is using Federation login mode, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
  2. Click Login Setup on the navigation panel.
  3. Select Enable Pilot mode to test your changes to your firm’s Federation login settings.
  4. Click Browse to select your new Identity Provider certificate.
  5. Enter a unique entity ID in the Entity ID box that is different from the Entity ID used for the current Federation Services login settings.
  6. Click Next.
  7. Click Generate Metadata to generate metadata based on the Federation Services login settings. The metadata will be used to establish a trust between CCH Axcess and your firm’s Federation Services server.
  8. Select a location to save the metadata file, and click Save.
  9. Establish the relying party trust with CCH Axcess using the generated metadata. See Establishing Trust with CCH Axcess for more information. Once the trust is successfully established, you have successfully updated your Identity Provider Certificate in CCH Axcess.
  10. Once the trust is successfully established, you have completed the configuration for Federation pilot login.

  11. Have the firm’s default admin log in using Federation Services pilot settings. For more information on the pilot test, see Pilot Testing Federation Services.
  12. Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
  13. Click Login Setup on the navigation panel.
  14. Click Configure Federation login settings.
  15. Click Next and click Apply and finish to apply the changes to the current Federation login settings.

    Note: Apply and finish is available for selection only after the default admin has successfully logged in using Federation pilot login settings.

Replace or Edit the Secondary Certificate Only

If your firm has completed a pilot and is in full Federation mode, you can replace or edit just the secondary certificate without performing an additional pilot test. In the event that the primary certificate expires, the secondary certificate will be used automatically.

Important: If you need to change other settings in addition to the secondary certificate, use the procedure in the topic Updating Your Firm’s Federation Services Settings. A repilot will be necessary once those changes are completed.

To replace or edit a secondary certificate only, do the following:

  1. Open Dashboard, click Application Links on the navigation panel, and then click Settings and defaults under Firm.
  2. Click Login Setup on the navigation panel.
  3. In the Update your firm's Federation Services settings section, click Edit secondary certificate.
  4. Click Browse.
  5. Navigate to and select the secondary token signing certificate, and then click Open.
  6. Click Save.
  7. Click OK to save the updated settings.