Single Sign-On (SSO) Overview & Requirements
SSO IS AN ENTERPRISE ONLY FEATURE
What is SSO in The Mortgage Office?
The Mortgage Office (TMO) supports Single Sign-On (SSO) via the SAML 2.0 protocol. SSO allows your users to authenticate through your organization's Identity Provider (IdP) — such as Okta, Microsoft Entra ID, or Shibboleth — instead of managing a separate TMO-specific password.
When SSO is enabled, users sign in through your IdP's login page. Once authenticated, they are automatically signed in to TMO without needing to enter additional credentials.
Who Can Use SSO?
SSO is available exclusively to TMO Enterprise customers. If you are unsure whether your plan includes SSO, contact your account representative or email support@absnetwork.com.
How TMO Identifies Users
TMO matches users by email address. During the SAML authentication flow, the IdP sends an assertion containing the user's identity. TMO looks for the email address in one of two places within that assertion:
- The NameID element
- An email attribute
The full list of accepted attribute names is published in TMO's SP metadata (see below). The email in the SAML assertion must exactly match the email configured for that user in TMO.
Key SAML Values
These values are constant across all IdP configurations. You will need them when setting up your IdP:
| Field | Value |
|---|---|
| ACS (Assertion Consumer Service) URL | https://app.themortgageoffice.com/Saml2/Acs |
| SP Entity ID | https://app.themortgageoffice.com/ |
| SP Metadata URL | https://app.themortgageoffice.com/Saml2 |
| Logout URL (optional) | https://app.themortgageoffice.com/Saml2/Logout |
You can download TMO's full SP metadata XML by visiting the SP Metadata URL above in a browser.
Can I Use Both SSO and Password Authentication?
Yes. Each company database in TMO is configured independently. A user may have SSO enabled on some databases and password-based authentication on others.
Supported Identity Providers
TMO has been validated with the following IdPs:
- Okta — Configuring SSO with Okta
- Microsoft Entra ID (formerly Azure AD) — Configuring SSO with Microsoft Entra ID
- Shibboleth — Configuring SSO with Shibboleth
Any other SAML 2.0-compliant IdP can also be configured using the generic setup steps covered in Setting Up SSO in TMO (All Identity Providers).
Getting Started
Setting up SSO is a two-part process:
- Configure your IdP — Create a SAML application in your IdP and point it to TMO's SAML values listed above. Follow the guide for your specific IdP (linked above).
- Configure TMO — Enter your IdP's Entity ID and Metadata URL into TMO's SSO settings, and ensure users are created and configured. This process is the same for all IdPs and is covered in Setting Up SSO in TMO (All Identity Providers).
If you run into issues at any point, refer to SSO Troubleshooting & Error Reference.
Need Help?
Contact support@absnetwork.com for assistance with SSO configuration.