Troubleshooting: Google Single Sign-On (SSO) for SAML

This guide lists common error codes, and their solutions, that you may encounter when logging in via Google Single Sign-On (SSO).

If you are locked out of your LearnPlatform account and still in the technical implementation phase, please contact your Project Consultant to disable your SSO so you can log back in and reconfigure. All other customers should contact support-lp@instructure.com.

When reconfiguring your SAML setup, make sure to test your SSO again in an incognito window by navigating to https://[YourSubDomain].app.learnplatform.com. That way, you can disable SSO if needed while still logged in.

400 malformed_certificate

This error is caused by an issue with your certificate.

Expired certificates

Log in to your Google Admin Console and check the expiration date on your LearnPlatform certificate. Once you have confirmed that it has expired, follow these steps:

  • Refresh and generate a new certificate through the Google Admin console.
  • Once your Project Consultant or Support has disabled SSO, log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Complete the SSO process again with your new certificate. Then test your SSO in an incognito window by navigating to https://[YourSubDomain].app.learnplatform.com.

Incorrect certificates

Use a text editor like Notepad or TextHelp to copy and paste the certificate text into LearnPlatform. If the formatting changes because the text was copied from MS Word or Google Docs, your setup will not work.

  • Once your Project Consultant or Support has disabled SSO, log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Complete the SSO process again. Make sure the certificate field contains no spaces and matches the one in your Google Admin Console for the LearnPlatform App.
  • Test your SSO again in an incognito window by navigating to https://[YourSubDomain].app.learnplatform.com.

403 app_not_configured_for_user error

This is caused by the Entity ID in your Google Admin console not matching the callback URL in LearnPlatform. 

  • Once your Project Consultant or Support has disabled SSO, log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Navigate to Settings > Single Sign-On. Select SAML 2.0 from the Single Sign-On drop-down menu and then turn on the Use organization domain for callback urls toggle.
  • Access Google Admin Console > Apps > SAML Apps > LearnPlatform > Service Provider Details.
  • Verify that your ACS URL in your Service Provider Details for the LearnPlatform app is the first one listed under callback URLs: https://[YourSubDomain].app.learnplatform.com/users/auth/saml/callback/ 
  • Verify that your Entity ID in your Service Provider Details for the LearnPlatform app is the second one listed under callback URLs: https://[YourSubDomain].app.learnplatform.com/users/auth/saml/metadata/ 
    • If the Entity ID is correct, make sure it has no spaces or uppercase letters.
    • If you still don’t have access, please wait at least 24 hours after you last changed your settings. Some users may be able to access the platform while it takes longer for others.
    • This may also be caused by a user attempting to log in to the platform using an email address not aligned to your SSO domain.
  • Test your SSO again in an incognito window by navigating to https://[YourSubDomain].app.learnplatform.com.

500 error message

This is caused by either an incorrect certificate, incorrect mapping attributes, or an incorrect value in the Identity Provider Redirect URL field in LearnPlatform.

Certificate

  • Once your Project Consultant or Support has disabled SSO, log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Complete the SSO process again. Make sure the certificate field contains no spaces and matches the one in your Google Admin Console for the LearnPlatform App.
    • Use a text editor like Notepad or TextHelp to copy the text to LearnPlatform. If the formatting changes because the text was copied from MS Word or Google Docs, your setup will not work.
  • Test your SSO again in an incognito window by navigating to https://[YourSubDomain].app.learnplatform.com.

Mapping Attributes

  • Once your Project Consultant or Support has disabled SSO, log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Review your Attributes page in Google Admin Console. Make sure the attribute mapping fields are identical for Google Admin Console and the LearnPlatform SAML setup. Any spaces or characters out of place will prevent this setup from working.
  • Test your SSO again in an incognito window by navigating to https://[YourSubDomain].app.learnplatform.com.

Identity Provider Redirect URL

  • Once your Project Consultant or Support has disabled SSO, log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Access your Google Admin Console and go to Apps > SAML Apps > LearnPlatform > Service Provider Details > Manage Certificates.
  • Ensure that the SSO URL in your Google Admin Console is identical to your Identity Provider Redirect URL in LearnPlatform (no spaces or uppercase characters).
  • Test your SSO again in an incognito window by navigating to https://[YourSubDomain].app.learnplatform.com
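
The formatting checks this guide asks for (certificate text with no stray spaces or word-processor characters; Entity ID and ACS URL with no spaces or uppercase letters) can be run on the values before they are pasted into LearnPlatform. The script below is an added example, not LearnPlatform or Google code; it assumes the certificate is pasted in PEM form, and the function names and the `example-district` subdomain are hypothetical.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
ACS_SUFFIX = "/users/auth/saml/callback/"      # ACS URL path from this guide
ENTITY_SUFFIX = "/users/auth/saml/metadata/"   # Entity ID path from this guide

def lint_certificate(text):
    """Return the formatting problems found in pasted PEM certificate text."""
    problems = []
    odd = sorted({c for c in text if ord(c) > 127})
    if odd:  # smart dashes, non-breaking spaces etc. added by word processors
        problems.append("non-ASCII characters: " + ", ".join(f"U+{ord(c):04X}" for c in odd))
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0].strip() != BEGIN or lines[-1].strip() != END:
        return problems + ["missing or altered BEGIN/END CERTIFICATE lines"]
    body = "".join(lines[1:-1])
    if re.search(r"\s", body):
        problems.append("whitespace inside the base64 body")
    try:
        der = base64.b64decode(re.sub(r"\s", "", body), validate=True)
    except ValueError:
        return problems + ["body is not valid base64"]
    if not der.startswith(b"\x30"):  # X.509 DER always begins with a SEQUENCE tag
        problems.append("decoded data is not a DER SEQUENCE")
    return problems

def lint_sp_url(value, expected_suffix):
    """Check an ACS URL or Entity ID for spaces, uppercase and the expected path."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    if value != value.lower():
        problems.append("contains uppercase letters")
    if not value.strip().lower().endswith(expected_suffix):
        problems.append("does not end with " + expected_suffix)
    return problems

def sample_pem():
    """Constructed filler bytes with a SEQUENCE header; NOT a real certificate."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(256))).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])

if __name__ == "__main__":
    pasted = sample_pem().replace("\n", "\u00a0\n", 2)  # simulate a rich-text paste
    print(lint_certificate(pasted))
    # Hypothetical subdomain "example-district" with a stray capital and trailing space
    url = "https://Example-District.app.learnplatform.com" + ENTITY_SUFFIX + " "
    print(lint_sp_url(url, ENTITY_SUFFIX))
```

An empty list from either function means the value passed these formatting checks only; it does not confirm that the certificate is unexpired or that it matches the one in the Google Admin Console.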

For other Google SAML app error messages, please refer to the Google Help Center article.

Logout URL

Some users may experience issues logging out when using SSO. To fix this, enter the following link as the Identity Provider Logout URL in your Single Sign-On tab: https://accounts.google.com/logout

Note: This URL will also log you out of your Google account.