Skip to content
Contact Support
  • There are no suggestions because the search field is empty.

Configuring SSO with Shibboleth

This article walks through setting up Shibboleth as the Identity Provider (IdP) for The Mortgage Office (TMO). 

SSO IS AN ENTERPRISE ONLY FEATURE

Prerequisites

Before beginning, ensure the following:

  • Your Shibboleth IdP is installed and running.
  • Assertion encryption must use either AES-128-CBC or AES-256-CBC. Other encryption algorithms are not supported by TMO.

Step 1: Configure TMO's SP Metadata in Shibboleth

  1. Download the TMO SP metadata by visiting this URL in a browser: https://app.themortgageoffice.com/Saml2
  2. Rename the downloaded file to sp-metadata.xml.
  3. Copy the file to your Shibboleth metadata directory: idp.home/metadata/
  4. Open idp.home/conf/metadata-providers.xml and add the following metadata provider entry: 
    <MetadataProvider id="LocalMetadata" xsi:type="FilesystemMetadataProvider"    metadataFile="/opt/shibboleth-idp/metadata/sp-metadata.xml"/>
  5. Restart the Shibboleth IdP for the changes to take effect.

Step 2: Gather the Shibboleth IdP Metadata

Note down the following from your Shibboleth IdP configuration:

  • IdP Entity ID — found in your IdP's metadata XML (entityID attribute).
  • IdP Metadata URL — the URL where your IdP's metadata is published, or alternatively, provide the metadata XML directly.

You will need both when configuring TMO.

Step 3: Complete the TMO-Side Configuration

Configure TMO with your Shibboleth IdP details and ensure users exist in TMO. Follow the steps in Setting Up SSO in TMO (All Identity Providers).

Tips and Tricks

Changing Encryption Algorithm from AES-128-CBC to AES-256-CBC

In the TMO SP metadata file (sp-metadata.xml), add the following inside the </KeyDescriptor> element:

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>

Restart the Shibboleth IdP after making this change.

Accessing IdP Logs

Shibboleth's IdP logs are very informative for debugging and are located at idp.home/logs. Check these first when troubleshooting any SAML communication issues.

Changing NameID Format from Transient to emailAddress

This requires changes in two places:

  1. TMO Web.config: Update the nameIdPolicy element to: 
    <nameIdPolicy allowCreate="" format="EmailAddress" />
  2. Shibboleth IdP: Open idp.home/saml-nameid.xml, locate the bean for email, and uncomment it.

Disabling Encrypted Assertions

If you need to turn off assertion encryption for the TMO SP, edit idp.home/conf/relying-party.xml. Inside the <util:list id="shibboleth.RelyingPartyOverrides"> element, add:

<bean id="ExampleSP" parent="RelyingPartyByName"
      c:relyingPartyIds="https://app.themortgageoffice.com/">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" p:encryptAssertions="false" />
        </list>
    </property>
</bean>

Replace the c:relyingPartyIds value with your SP Entity ID if it differs.

Troubleshooting

If you encounter errors during setup or sign-in, see SSO Troubleshooting & Error Reference.

For Shibboleth-specific issues, always check the IdP logs at idp.home/logs first — they typically provide detailed information about what went wrong.