Skip to content
Contact Support
  • There are no suggestions because the search field is empty.

Configuring SSO with Okta

This article walks through setting up Okta as the Identity Provider (IdP) for The Mortgage Office (TMO). 

SSO IS AN ENTERPRISE ONLY FEATURE

Step 1: Create a SAML Application in Okta

  1. Log in to the Okta admin console.
  2. Click the hamburger menu (top left) to open the left navigation.
  3. Navigate to Applications → Applications.
  4. Click Create App Integration.
  5. Select SAML 2.0 and click Next.
  6. In General Settings, enter an App Name (e.g., "TMO") and click Next.
  7. In SAML Settings, configure the following fields:
Field Value
Single sign-on URL https://app.themortgageoffice.com/Saml2/Acs
Audience URI (SP Entity ID) https://app.themortgageoffice.com/
Default Relay State Leave blank
Name ID Format Can be left as "Unspecified"
         8. Under Attribute Statements, add an entry to ensure the user's email is included in the                       assertion:
Name Name Format Value
email Unspecified user.email
         9. Click Finish.

Step 2: Assign Users to the TMO Application

Users must be assigned to the TMO application in Okta before they can use SSO.

  1. Navigate to Applications → Applications → TMO.
  2. Go to the Assignments tab (shown by default).
  3. Click Assign → Assign to People.
  4. A list of unassigned users is displayed. Click Assign next to each user you want to grant access.
  5. Click Save and Go Back.

Step 3: Gather the Okta Metadata

You will need two pieces of information from Okta to complete the TMO-side configuration:

Metadata URL

  1. Navigate to Applications → Applications → TMO.
  2. Select the Sign On tab.
  3. Scroll down to Metadata details.
  4. Copy the Metadata URL.

IdP Entity ID

  1. Open the Metadata URL you just copied in a browser.
  2. Look for the entityID attribute in the XML. It will look something like: 
    entityID="http://www.okta.com/exkknioqxbvbqmMbF697"
  3. Copy this value — you will enter it into TMO.

User Email

  1. In the Okta admin console, navigate to Directory → People.
  2. Note each user's Primary email. This email must match exactly what is configured for that user in TMO.

Step 4: Complete the TMO-Side Configuration

Now that Okta is set up, you need to configure TMO with your Okta IdP details and ensure users exist in TMO. Follow the steps in Setting Up SSO in TMO (All Identity Providers).

You will need the IdP Entity ID and Metadata URL gathered in Step 3.

Okta-Specific Behaviors

There are a few behaviors unique to Okta that are helpful to be aware of:

Name ID Format: Okta supports all Name ID formats. If there is a mismatch between the format requested by TMO (the SP) and the format configured in Okta, Okta will respond using its own configured format rather than honoring the SP's request. TMO handles this gracefully — no action is needed.

Assertion Encryption: Disabled by default in Okta.

Single Logout (SLO): Okta does not support IdP-initiated Single Logout. When a user logs out of TMO, the Okta session will not be terminated automatically.

Troubleshooting

If you encounter errors during setup or sign-in, see SSO Troubleshooting & Error Reference.