Configuring SSO with Microsoft Entra ID

This article walks through setting up Microsoft Entra ID (formerly Azure AD) as the Identity Provider (IdP) for The Mortgage Office (TMO). 

SSO IS AN ENTERPRISE ONLY FEATURE

Step 1: Create a SAML Application in Entra ID

  1. Sign in to https://entra.microsoft.com.
  2. In the left navigation pane, scroll to Applications.
  3. Click Enterprise Applications → + New Application.
  4. Click + Create your own application.
  5. Enter a name for the application (e.g., "TMO").
  6. Select Integrate any other application you don't find in the gallery.
  7. Click Create. It may take a moment for the application to be provisioned.
  8. Once created, click Get Started under the "Set up single sign on" card.
  9. Select SAML as the sign-on method.
  10. Click Edit on the Basic SAML Configuration card and enter the following:
      Field                   Action                   Value
      Identifier (Entity ID)  Click "Add Identifier"   https://app.themortgageoffice.com/
      Reply URL (ACS URL)     Click "Add reply URL"    https://app.themortgageoffice.com/Saml2/Acs
      Logout URL (optional)   Enter directly           https://app.themortgageoffice.com/Saml2/Logout

  11. Click Save.
  12. Verify that the default Attributes and Claims in card 2 are correct. By default, Entra ID includes the necessary claims — no changes are usually needed.


Step 2: Gather the Entra ID Metadata

Note down the following two values from the SAML configuration screen:

  1. Scroll to card 3 — SAML Certificates — and copy the App Federation Metadata URL. This is your IdP Metadata URL.
  2. Scroll to card 4 — Set up TMO — and copy the Microsoft Entra Identifier. This is your IdP Entity ID.

You will need both of these when configuring TMO.


Step 3: Assign Users in Entra ID

  1. In the TMO enterprise application, go to Users and Groups.
  2. Click Add user/group.
  3. Click None selected, then choose the users you want to assign to TMO.
  4. Click Select, then Assign.
  5. Note down the email address for each assigned user — these must match the emails configured in TMO.

Step 4: Complete the TMO-Side Configuration

Now that Entra ID is set up, configure TMO with your IdP details and ensure users exist in TMO. Follow the steps in Setting Up SSO in TMO (All Identity Providers).

You will need the IdP Entity ID (Microsoft Entra Identifier) and Metadata URL (App Federation Metadata URL) gathered in Step 2.
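Before entering the two values into TMO, it is worth confirming that they agree with each other. The following is an added example, not part of this article or of TMO's product: a small Python check that parses the document served at the App Federation Metadata URL and verifies that its entityID equals the Microsoft Entra Identifier copied from card 4, that it publishes a signing certificate, and that it advertises an SSO endpoint. The metadata body below is a constructed sample; its tenant id, endpoint and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like an Entra ID federation metadata document; the
# tenant id, endpoint and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull out the fields the SP relies on: entityID, signing certs, NameID formats, SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [c.text.strip() for c in kd.iter("{%s}X509Certificate" % NS["ds"])]
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "sso_urls": {s.get("Binding"): s.get("Location")
                     for s in idp.findall("md:SingleSignOnService", NS)},
    }

def check_idp_metadata(xml_text, expected_entity_id):
    """Return a list of problems (empty when the metadata agrees with the copied Entra Identifier)."""
    m = parse_idp_metadata(xml_text)
    problems = []
    if m["entity_id"] != expected_entity_id:
        problems.append("entityID %r does not match expected %r" % (m["entity_id"], expected_entity_id))
    if not m["signing_certs"]:
        problems.append("no signing certificate published; assertion signatures could not be verified")
    if not any(b.endswith(("HTTP-Redirect", "HTTP-POST")) for b in m["sso_urls"]):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    return problems
```

To check a real tenant, fetch the document from the App Federation Metadata URL over HTTPS and pass its text in place of SAMPLE_METADATA together with the Microsoft Entra Identifier from card 4.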


Advanced Configuration

The following optional settings can be adjusted within Entra ID after initial setup:

Assignment Required

By default, users must be explicitly assigned to the TMO application in Entra ID. If you want to allow all users in your directory to access TMO without individual assignment:

  1. In the TMO application, navigate to Properties.
  2. Set Assignment Required to No.

Customizing NameID Format

  1. In the TMO application, navigate to Single sign on.
  2. Scroll to Attributes and Claims and click Edit.
  3. Click Unique User Identifier (Name ID).
  4. Select the desired Name identifier format from the dropdown.

Adding or Removing Claims

From the same Attributes and Claims editor, you can add custom claims or remove existing ones as needed for your configuration.


Entra ID-Specific Behaviors

Name ID Format: Entra ID supports the "Transient" format but does not expose it in the configuration dropdown. It will honor the Name ID format requested by the SP (TMO).

Assertion Encryption: Disabled by default.


Troubleshooting

If you encounter errors during setup or sign-in, see SSO Troubleshooting & Error Reference.