Troubleshooting my Single Sign On (SSO) for SAML

Updated by Jorge

400 malformed_certificate

This error is caused by an issue with your certificate.

To solve:

  • Your certificate may have expired. Log in to your Google Admin Console and examine the expiration date on your LearnPlatform certificate.
    • If you have discovered that it has expired, please email support@learnplatform.com to have a support member disable your SSO in the platform. From this point, you can log back into the platform with any manual credentials you or another administrator created during onboarding.
    • Refresh and generate a new certificate through the Google Admin Console.
    • Complete the SSO process again from scratch with your new certificate.
  • Your certificate may not have been copied or input correctly into the platform.
    • Access your LearnPlatform account via app.learnplatform.com/users/sign_in/ in an incognito window. Do not choose Sign in with Google.
    • Go to Settings > Single-Sign-On
    • Make sure the certificate field contains no spaces and matches the one in your Google Admin Console for the LearnPlatform App OR
    • Download the certificate again from your Google Admin Console (step 7) and ensure that you are using a text editor like Notepad or TextHelp to copy the text to LearnPlatform. If the format changes by copying from MS Word or Google Docs, your setup will not work.
    • Make sure you hit “Apply” at the bottom of the LearnPlatform Single-Sign-On page
    • Test your SSO again 

403 app_not_configured_for_user error 

This is caused by the Entity ID in your Google Admin Console not matching the callback URL in LearnPlatform.

To solve: 

  • Access Google Admin Console > Apps > SAML Apps > LearnPlatform > Service Provider Details
  • Verify that your ACS URL in your Service Provider Details for the LearnPlatform app is: https://[YOUR subdomain].app.learnplatform.com/users/auth/saml/callback/ 
  • Verify that your Entity ID in your Service Provider Details for the LearnPlatform app is: https://[YOUR subdomain].app.learnplatform.com/users/auth/saml/metadata/ 
    • If the Entity ID is correct, make sure it has no spaces or uppercase letters.
    • If you still don’t have access, please wait at least 24 hours since you last changed your settings. You may see that some users are able to access while it may take longer for others. 
    • This may also be caused by a user attempting to log in to the platform using an email address not aligned to your SSO domain.

500 error message 

This is caused by an incorrect certificate, incorrect mapping attributes, or an incorrect value in the Identity Provider Redirect URL field in LearnPlatform.

To solve:

Certificate 
  • Access your LearnPlatform account via app.learnplatform.com/users/sign_in/ in an incognito window. Do not choose Sign in with Google.
  • Go to Settings > Single-Sign-On
  • Make sure the certificate field contains no spaces and matches the one in your Google Admin Console for the LearnPlatform App OR
  • Download the certificate again from your Google Admin Console (step 7) and ensure that you are using a text editor like Notepad or TextHelp to copy the text to LearnPlatform. If the format changes by copying from MS Word or Google Docs, your setup will not work.
  • Make sure you hit “Apply” at the bottom of the LearnPlatform Single-Sign-On page
  • Test your SSO again 
Mapping Attributes 
  • Access your LearnPlatform account via app.learnplatform.com/users/sign_in/ in an incognito window. Do not choose Sign in with Google.
  • Go to steps 16-22 and ensure that the attribute mapping fields are identical for Google Admin Console and the LearnPlatform SAML setup. Any spaces or characters out of place will prevent this setup from working.
Identity Provider Redirect URL 
  • Access your Google Admin Console
  • Go to Apps > SAML Apps > LearnPlatform > Service Provider Details > Manage Certificates
  • In a separate window, access your LearnPlatform account via app.learnplatform.com/users/sign_in/ in an incognito window. Do not choose Sign in with Google.
  • Go to Settings > Single-Sign-On
  • Ensure that the SSO URL in your Google Admin Console is identical to your Identity Provider Redirect URL in LearnPlatform (no spaces or uppercase characters) 
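
The copy-and-paste checks in the Certificate and Service Provider Details steps above can be run on the text before it is entered. This is an added example, not LearnPlatform or Google code: the function names are hypothetical, the sample values are constructed, and it looks only for copy damage, not the expiration date.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ACS_PATH = "/users/auth/saml/callback/"      # paths as given on this page
ENTITY_PATH = "/users/auth/saml/metadata/"

def check_pasted_certificate(text):
    """Return a list of copy/paste problems in certificate text (hypothetical helper)."""
    problems = []
    # Word processors swap in typographic dashes, quotes and non-breaking spaces.
    odd = sorted({c for c in text if ord(c) > 127})
    if odd:
        problems.append("non-ASCII characters: " + ", ".join(f"U+{ord(c):04X}" for c in odd))
    match = PEM_RE.search(text)
    if not match:
        return problems + ["missing or altered BEGIN/END CERTIFICATE lines"]
    if text.strip() != match.group(0):
        problems.append("extra text outside the BEGIN/END lines")
    if any(" " in line or "\t" in line for line in match.group(1).strip().splitlines()):
        problems.append("spaces or tabs inside the certificate body")
    try:
        der = base64.b64decode(re.sub(r"\s", "", match.group(1)), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["body is not valid base64"]
    if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
        problems.append("decoded data is not a DER certificate")
    return problems

def check_sp_url(value, subdomain, path):
    """Compare a pasted ACS URL or Entity ID with the form this page gives."""
    expected = f"https://{subdomain}.app.learnplatform.com{path}"
    problems = []
    if any(c.isspace() for c in value):
        problems.append("contains spaces")
    if value != value.lower():
        problems.append("contains uppercase letters")
    if "".join(value.split()).lower() != expected:
        problems.append("differs from " + expected)
    return problems

# Constructed samples: placeholder bytes that only mimic a DER header, not a real certificate.
_BODY = base64.b64encode(b"\x30\x82\x00\x3c" + bytes(60)).decode()
GOOD_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
WORD_PEM = GOOD_PEM.replace("--", "\u2013")  # hyphen pairs autocorrected to en dashes
SPACED_PEM = GOOD_PEM.replace(_BODY, _BODY[:10] + " " + _BODY[10:])

if __name__ == "__main__":
    for name, pem in [("good", GOOD_PEM), ("word", WORD_PEM), ("spaced", SPACED_PEM)]:
        print(name, check_pasted_certificate(pem))
    print(check_sp_url("https://District.app.learnplatform.com" + ENTITY_PATH + " ", "district", ENTITY_PATH))
```

An empty list means the text passed these checks; a certificate that passes can still be expired or differ from the one in the Google Admin Console.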

For other Google SAML app error messages, please check out: https://support.google.com/a/answer/6301076?hl=en 

Logout URL

Some users may experience issues logging out when using SSO. To fix this, enter the following link as the Identity Provider Logout URL in your Single Sign On tab: https://accounts.google.com/logout

This URL will log you out of your Google account as well. If you wish to prevent this, please contact us at support@learnplatform.com to explore options depending on your SSO solution.

