
Setting Up SSO in TMO (All Identity Providers)

This article covers the TMO-side configuration steps that are required regardless of which Identity Provider (IdP) you are using.

SSO is an Enterprise-only feature.

Prerequisites

Complete your IdP-side setup first, then follow the steps below. If you haven't set up your IdP yet, see the guide for your provider:

For general SSO background and TMO's SAML values, see SSO Overview & Requirements.


What You Will Need

Before starting, gather the following from your IdP setup:

  • IdP Entity ID — a unique identifier for your IdP (e.g., http://www.okta.com/exkknioqxbvbqmMbF697 for Okta, or the Microsoft Entra Identifier for Entra ID).
  • IdP Metadata URL — the URL where your IdP publishes its SAML metadata.
  • User email addresses — the email for each user who will sign in via SSO. These must match exactly between the IdP and TMO.

Step 1: Create and Configure Users in TMO

If the users who need SSO access already exist in the TMO database, skip to Step 2.

  1. Sign in to TMO as an Admin.
  2. Select the desired Company.
  3. Click User Icon → Account.
  4. Go to the Manage Licenses tab.
  5. Click + to add a new user. Provide the user's details, including their email address. This email must exactly match the email configured in your IdP.
  6. Select the company database.
  7. Click User Management.
  8. Click + and configure the newly created user with the appropriate access and permissions.

Repeat for each user who needs SSO access.


Step 2: Configure SSO Settings in TMO

  1. Sign in to TMO as an Admin.
  2. Select the desired Company database.
  3. Click User Icon → Account.
  4. Go to the Configure SSO tab.
  5. Enter the IdP Entity ID in the Entity ID field.
  6. Enter the IdP Metadata URL in the Metadata URL field.
  7. Click Save.

When you click Save, TMO performs automatic validation checks on your configuration. If everything is correct, the settings are saved and SSO is enabled for that company database. If there are issues, you will see a diagnostic message — see SSO Troubleshooting & Error Reference for help resolving them.


Important Notes

One IdP per company database. Each company database in TMO can be configured with a single IdP. If a user has access to multiple company databases, each database can have its own IdP configuration.

Email matching is exact. The email in the SAML assertion must be an exact, case-sensitive match with the email configured for the user in TMO. Mismatches will result in a sign-in error.

SSO and password auth can coexist. Enabling SSO on a company database does not automatically disable password-based authentication. Users may have SSO on some databases and password auth on others.
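The script below is an added example, not part of TMO's documentation or tooling. Before you enter the values in Step 2, it checks that the Entity ID you plan to enter equals the entityID in your IdP's metadata, and it lists IdP email addresses that would fail the exact, case-sensitive match. The metadata document, email addresses and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (not from a real IdP). In practice, save the
# document served at your IdP Metadata URL and read it from disk.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def metadata_entity_id(metadata_xml):
    """Return the entityID of the IdP described by a SAML metadata document."""
    root = ET.fromstring(metadata_xml)
    # iter() includes the root, so this handles both a bare EntityDescriptor
    # and an EntitiesDescriptor wrapper holding several entities.
    for ent in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ent.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None:
            return ent.get("entityID")
    raise ValueError("no IdP EntityDescriptor found in metadata")


def check_entity_id(planned_entity_id, metadata_xml):
    """True only if the planned Entity ID equals the metadata entityID exactly."""
    # Entity IDs are compared as plain strings: a trailing slash or a
    # different scheme makes it a different identifier.
    return planned_entity_id == metadata_entity_id(metadata_xml)


def email_mismatches(idp_emails, tmo_emails):
    """List (idp_email, closest_tmo_email, reason) for emails that would not match."""
    tmo_exact = set(tmo_emails)
    tmo_folded = {e.strip().lower(): e for e in tmo_emails}
    problems = []
    for email in idp_emails:
        if email in tmo_exact:
            continue  # exact, case-sensitive match
        near = tmo_folded.get(email.strip().lower())
        reason = "case/whitespace differs" if near else "no TMO user"
        problems.append((email, near, reason))
    return problems
```

Feed `email_mismatches` the addresses exported from your IdP and the addresses entered for users in TMO; any tuple it returns identifies a user whose record should be corrected before they try to sign in.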


Configuring a Generic SAML 2.0 Identity Provider

If you are using an IdP other than Okta, Entra ID, or Shibboleth, follow these general steps on the IdP side before completing the TMO configuration above.

IdP-Side Setup

  1. Create a new SAML application or SP configuration in your IdP.
  2. When prompted for the SP Entity ID, enter: https://app.themortgageoffice.com/
  3. If your IdP requires SP metadata, provide the metadata URL: https://app.themortgageoffice.com/Saml2 — or download the XML from that URL and upload it to your IdP.
  4. Configure the ACS URL if required separately: https://app.themortgageoffice.com/Saml2/Acs
  5. Note down your IdP Entity ID and IdP Metadata URL from the IdP's configuration.
  6. Assign users to the TMO application as required by your IdP.
  7. Ensure that each user's email address is included in the SAML assertion — either as the NameID or as an email attribute. The full list of attribute names TMO accepts is available in the SP metadata at https://app.themortgageoffice.com/Saml2.

Once the IdP-side setup is complete, return to Step 1 above to finish the TMO-side configuration.


Troubleshooting

If you encounter errors when saving your SSO configuration or during user sign-in, see SSO Troubleshooting & Error Reference.