SSO Troubleshooting & Error Reference
This article covers all known error messages and diagnostic issues you may encounter when configuring or using SSO with The Mortgage Office (TMO). Use it as a reference when something goes wrong.
SSO IS AN ENTERPRISE ONLY FEATURE
Configuration Errors (When Saving SSO Settings)
These messages appear when you click Save on the Configure SSO tab in TMO (User Icon → Account → Configure SSO). They indicate a problem with your SSO settings that must be resolved before SSO can be activated.
"Metadata URL or XML is mandatory"
Cause: Neither a Metadata URL nor Metadata XML was provided.
Resolution: Enter either your IdP's Metadata URL or paste the metadata XML into the appropriate field. You only need one — not both.
"Only one of Metadata URL or XML may be specified"
Cause: Both a Metadata URL and Metadata XML were provided.
Resolution: Remove one of the two entries. TMO accepts either the URL or the XML, but not both at the same time.
"IdP Entity ID is mandatory"
Cause: The Entity ID field was left blank.
Resolution: Enter your IdP's Entity ID. This value is obtained from your IdP's configuration. See your IdP-specific setup guide for instructions on where to find it: Okta, Entra ID, Shibboleth, or Setting Up SSO in TMO for generic IdPs.
"Metadata validation failed. Check your Metadata URL. Reason: (404) Not Found"
Cause: The Metadata URL is incorrect or incomplete. The server returned a 404, meaning the path does not exist.
Resolution: Verify that the Metadata URL is complete and correct. Check for truncated or mistyped characters. Try opening the URL in a browser to confirm it returns valid XML.
"Metadata validation failed. Check your Metadata URL. Reason: An exception occurred during a WebClient request"
Cause: The Metadata URL is malformed — most commonly, the https:// prefix is missing.
Resolution: Ensure the URL includes the full protocol prefix (e.g., https://). Correct any formatting errors and try again.
"Unexpected entity id '[X]' found when loading metadata for '[Y]'"
Cause: The Entity ID in the IdP's metadata does not match the Entity ID you entered in TMO's configuration.
Resolution: The Entity ID entered in TMO must exactly match the entityID value in your IdP's metadata XML. Open your IdP's metadata URL in a browser, locate the entityID attribute, and copy it exactly into TMO.
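The checks in this section can be run locally before clicking Save. The following is an added example, not TMO's own validation code: the function names, the sample metadata and the `idp.example.com` values are constructed for illustration, and the https-only rule is this example's assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_TAG = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"

# Constructed sample metadata (not from a real IdP).
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def metadata_entity_ids(xml_text):
    """Return every entityID declared in a SAML metadata document."""
    # SAML metadata never needs a DTD; refuse it rather than parse entities.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DOCTYPE found in metadata; refusing to parse")
    root = ET.fromstring(xml_text)
    return [e.get("entityID", "") for e in root.iter(MD_TAG)]

def _loose(value):
    # Normalisation used only to explain a mismatch, never to accept one.
    return value.strip().rstrip("/").lower()

def preflight(entity_id, metadata_url="", metadata_xml=""):
    """Return a list of problems found in the Configure SSO inputs."""
    problems = []
    if not metadata_url and not metadata_xml:
        problems.append("Metadata URL or XML is mandatory")
    if metadata_url and metadata_xml:
        problems.append("Only one of Metadata URL or XML may be specified")
    if not entity_id:
        problems.append("IdP Entity ID is mandatory")
    if metadata_url:
        parsed = urlparse(metadata_url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("Metadata URL lacks a full https:// prefix")
    if metadata_xml and entity_id:
        found = metadata_entity_ids(metadata_xml)
        if entity_id not in found:
            near = [f for f in found if _loose(f) == _loose(entity_id)]
            why = ("differs only in case, whitespace or trailing slash"
                   if near else "no similar value in metadata")
            problems.append(f"Entity ID mismatch: metadata has {found}; {why}")
    return problems

if __name__ == "__main__":
    bad_id = "https://idp.example.com/saml/metadata/"  # trailing slash added
    print(preflight(bad_id, metadata_xml=SAMPLE_METADATA))
```
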
Sign-In Errors
These messages appear when a user attempts to sign in to TMO using SSO.
"E0001: SSO configuration errors. Contact support@absnetwork.com"
Cause: The user has access to multiple company databases in TMO, and each database is configured with a different Identity Provider.
Resolution: Verify the user's database assignments and the IdP configured on each database. If a user needs access to multiple databases, ensure the IdP configurations on those databases do not conflict. Contact support@absnetwork.com if you need help resolving multi-IdP configurations.
"Authenticated user ({0}) is not same as login user ({1})"
Cause: The user successfully authenticated at the IdP, but the email address in the SAML assertion does not match the email configured for that user in TMO.
Resolution: Ensure the email address matches exactly in both systems. Check for differences in capitalization, typos, or domain variations. The {0} value shows the email from the IdP; {1} shows the email TMO expected.
"No database is accessible with the current sign in method. Try to sign in with a password."
Cause: The user attempted to sign in via SSO, but none of the company databases they have access to have SSO enabled.
Resolution: Either enable SSO on the relevant company database (see Setting Up SSO in TMO), or instruct the user to sign in using their password instead.
"No database is accessible with the current sign in method. Try to sign in with SSO."
Cause: The user attempted to sign in with a password, but none of their accessible company databases have password-based authentication enabled.
Resolution: Either enable password authentication on the relevant database, or instruct the user to sign in using SSO.
"Invalid email address"
Cause: The email address entered during sign-in is not in a valid format.
Resolution: Have the user re-enter their email address, ensuring it is correctly formatted (e.g., user@company.com).
SAML-Specific Errors
These errors indicate issues with the SAML communication between your IdP and TMO.
"Email Id is missing in SAML assertion"
Cause: The SAML assertion received from the IdP did not contain the user's email address in any of the attributes TMO recognizes.
Resolution: TMO looks for the email in the NameID and in specific email-related attributes listed in TMO's SP metadata. Ensure your IdP is configured to include the user's email in the assertion. For Okta, verify the Attribute Statements include email mapped to user.email. For Entra ID, verify the default Attributes and Claims are intact. For other IdPs, consult TMO's SP metadata at https://app.themortgageoffice.com/Saml2 for the list of recognized attribute names.
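To triage both this error and the "Authenticated user ({0}) is not same as login user ({1})" error from a captured response, the sketch below lists the email values an assertion carries and compares them with the address expected in TMO. It is an added example, not TMO code: the attribute names in `ASSUMED_EMAIL_ATTRS` are placeholders (take the real list from TMO's SP metadata), the sample response is constructed, and it assumes an unencrypted, base64-encoded HTTP-POST `SAMLResponse`.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# ASSUMPTION: placeholder attribute names. The names TMO actually
# recognizes are listed in its SP metadata.
ASSUMED_EMAIL_ATTRS = {"email", "mail"}

# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE_XML = """<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:Subject><saml:NameID>abc123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="email">
    <saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def emails_in_response(saml_response_b64, email_attrs=ASSUMED_EMAIL_ATTRS):
    """Collect email-looking values from NameID and the named attributes."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    if "<!doctype" in xml_text.lower():
        raise ValueError("DOCTYPE found in SAML response; refusing to parse")
    root = ET.fromstring(xml_text)
    values = [n.text or "" for n in
              root.iterfind(".//saml:Assertion/saml:Subject/saml:NameID", NS)]
    for attr in root.iterfind(
            ".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in email_attrs:
            values += [v.text or "" for v in
                       attr.iterfind("saml:AttributeValue", NS)]
    return [v.strip() for v in values if "@" in v]

def diagnose(saml_response_b64, tmo_email):
    """Diagnostic only: no signature check, never use for access decisions."""
    found = emails_in_response(saml_response_b64)
    if not found:
        return "missing"               # "Email Id is missing in SAML assertion"
    if tmo_email in found:
        return "match"
    if tmo_email.lower() in [f.lower() for f in found]:
        return "case-only difference"  # capitalization differs between systems
    return "mismatch"                  # typo or domain variation
```
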
"SAML Processing failed"
Cause: A general failure in the SAML communication between TMO and the IdP.
Resolution: This is a broad error. Check the following: network connectivity between TMO and the IdP, whether the IdP's metadata has changed or expired, and whether certificates are still valid. Use the SAML Tracer tool (see below) to inspect the SAML request and response for specific issues.
"SSO IdP configuration error for IdP '{0}'"
Cause: Most commonly caused by a certificate misconfiguration or a mismatch in the IdP Entity ID between TMO and the IdP.
Resolution: Verify that the IdP Entity ID in TMO exactly matches the IdP's actual entity ID. Check that the IdP's signing certificate is current and correctly referenced in the metadata. If the IdP has recently rotated certificates, refresh the metadata in TMO by re-saving the SSO configuration.
Recommended Debugging Tool: SAML Tracer
The SAML Tracer browser plugin is highly recommended for diagnosing SSO issues. It captures and displays SAML requests and responses directly in the browser, making it easy to identify problems such as missing attributes, assertion format mismatches, signature validation failures, and incorrect endpoint URLs.
SAML Tracer is available as a free extension for major browsers. Install it, enable it before attempting an SSO sign-in, and review the captured SAML traffic to pinpoint the issue.
Still Need Help?
If the troubleshooting steps above do not resolve your issue, contact support@absnetwork.com with the following information:
- The error message you are seeing
- The IdP you are using (Okta, Entra ID, Shibboleth, or other)
- A SAML Tracer export if available
- The company database name and user email affected