Troubleshooting my Google Single Sign On (SSO) for SAML

If you are experiencing errors when attempting to log in via Google Single sign-on, you can find a list of common error codes and solutions for addressing them below.

If you are locked out of your LearnPlatform account and still in the technical implementation phase, please contact your Project Consultant to have them disable your Single sign-on so you can log back in and reconfigure. All other customers should contact support-lp@instructure.com to have Single sign-on disabled.

When reconfiguring your SAML setup, be sure to test your SSO again in an incognito window by navigating to https://[YOUR subdomain].app.learnplatform.com. That way, you can disable SSO if needed while still logged in.

400 malformed_certificate

This error is caused by an issue with your certificate.

  • Your certificate may have expired. Log into your Google Admin Console and examine the expiration date on your LearnPlatform certificate.
  • Your certificate may not have been copied or input correctly into the platform.

To solve:

  • Expired certificates:
    • Refresh and generate a new certificate through the Google Admin console.
    • Once SSO has been disabled by your Project Consultant or Support, you’ll need to log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
    • Complete the SSO process again from scratch with your new certificate and test your SSO again in an incognito window by navigating to https://[YOUR subdomain].app.learnplatform.com
  • Incorrect certificates: Use a plain-text editor like Notepad or TextHelp to copy and paste the certificate text into LearnPlatform. If the formatting changes because the text was copied through MS Word or Google Docs, your setup will not work.
    • Once SSO has been disabled by your Project Consultant or Support, you’ll need to log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
    • Complete the SSO process again and make sure the certificate field contains no spaces and matches the one in your Google Admin Console for the LearnPlatform App.
    • Test your SSO again in an incognito window by navigating to https://[YOUR subdomain].app.learnplatform.com
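
The copy/paste problems described above can be checked before the certificate is pasted into LearnPlatform. The following is an added example, not code from LearnPlatform or Google; the function names are hypothetical, it assumes the field takes the full PEM text including the BEGIN/END lines, and it does not check the expiration date.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pasted_certificate(text):
    """Return a list of problems in a pasted PEM certificate (empty list = clean)."""
    problems = []
    # Word processors swap in look-alike characters (non-breaking spaces, dashes).
    odd = sorted({c for c in text if ord(c) > 127})
    if odd:
        problems.append("non-ASCII characters: " + ", ".join(f"U+{ord(c):04X}" for c in odd))
    stripped = text.strip()
    # Assumption: the field takes the full PEM text, including both marker lines.
    if not (stripped.startswith(BEGIN) and stripped.endswith(END)):
        return problems + ["missing BEGIN/END CERTIFICATE lines"]
    lines = stripped[len(BEGIN):-len(END)].strip().splitlines()
    if any(re.search(r"[ \t\u00a0]", line) for line in lines):
        problems.append("spaces or tabs inside the certificate body")
    body = re.sub(r"\s+", "", "".join(lines))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return problems + ["certificate body is not valid base64"]
    # A certificate is one DER SEQUENCE (tag 0x30) whose declared length
    # must account for every decoded byte; a partial copy fails this.
    if len(der) < 4 or der[0] != 0x30:
        return problems + ["decoded data is not a DER certificate"]
    if der[1] < 0x80:
        declared = 2 + der[1]
    else:
        n = der[1] & 0x7F
        declared = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if declared != len(der):
        problems.append("DER length mismatch: certificate is incomplete or has extra data")
    return problems

def make_sample_pem():
    """Constructed sample: a well-formed DER envelope, not a real certificate."""
    payload = bytes(range(256)) * 3
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"

if __name__ == "__main__":
    sample = make_sample_pem().replace("\n", " \n", 2)  # simulate a reformatted paste
    print(check_pasted_certificate(sample))
```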

403 app_not_configured_for_user error

This is caused by the Entity ID in your Google Admin console not matching the callback URL in LearnPlatform. 

To solve: 

  • Once SSO has been disabled by your Project Consultant or Support, you’ll need to log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Navigate to Settings > Single Sign-On > SAML 2.0 > Toggle: Use organization domain for callback urls
  • Access Google Admin Console > Apps > SAML Apps > LearnPlatform > Service Provider Details
  • Verify that your ACS URL in your Service Provider Details for the LearnPlatform app is the first one listed under callback URLs: https://[YOUR subdomain].app.learnplatform.com/users/auth/saml/callback/ 
  • Verify that your Entity ID in your Service Provider Details for the LearnPlatform app is the second one listed under callback URLs: https://[YOUR subdomain].app.learnplatform.com/users/auth/saml/metadata/ 
    • If the Entity ID is correct, make sure it has no spaces or uppercase letters.
    • If you still don’t have access, please wait at least 24 hours after you last changed your settings. Some users may be able to access the platform sooner, while it may take longer for others.
    • This may also be caused by a user attempting to log in to the platform using an email address not aligned to your SSO domain.
  • Test your SSO again in an incognito window by navigating to https://[YOUR subdomain].app.learnplatform.com
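
The checks in this list can be run against the values copied out of the Service Provider Details page before SSO is re-enabled. The following is an added example, not code from LearnPlatform or Google; the function names and the sample subdomain "exampledistrict" are hypothetical, and the expected URLs are built from the two patterns given above.

```python
BASE = "https://{sub}.app.learnplatform.com/users/auth/saml/{leaf}/"

def expected_urls(subdomain):
    """Build the two values the steps above say Google Admin Console must hold."""
    return {
        "ACS URL": BASE.format(sub=subdomain, leaf="callback"),
        "Entity ID": BASE.format(sub=subdomain, leaf="metadata"),
    }

def check_service_provider_details(subdomain, entered):
    """entered maps "ACS URL" and "Entity ID" to the values typed in Google
    Admin Console. Returns {field: [issues]}; an empty dict means both match."""
    expected = expected_urls(subdomain)
    findings = {}
    for field, want in expected.items():
        got = entered.get(field, "")
        other = next(v for k, v in expected.items() if k != field)
        issues = []
        if any(ch.isspace() for ch in got):
            issues.append("contains whitespace")
        if got != got.lower():
            issues.append("contains uppercase letters")
        if got == other:
            # The callback and metadata URLs differ only in the last path segment.
            issues.append("holds the other field's value (ACS URL and Entity ID swapped)")
        elif got != want and not issues:
            # Point at the first character that differs so the typo is easy to find.
            pos = next((i for i, (a, b) in enumerate(zip(got, want)) if a != b),
                       min(len(got), len(want)))
            issues.append(f"differs from the expected value at character {pos + 1}")
        if issues:
            findings[field] = issues
    return findings

if __name__ == "__main__":
    # Constructed input: the two values entered in each other's field.
    urls = expected_urls("exampledistrict")
    swapped = {"ACS URL": urls["Entity ID"], "Entity ID": urls["ACS URL"]}
    print(check_service_provider_details("exampledistrict", swapped))
```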

500 error message

This is caused by either an incorrect certificate, incorrect mapping attributes, or an incorrect value in the Identity Provider Redirect URL field in LearnPlatform. 

To solve:

Certificate
  • Once SSO has been disabled by your Project Consultant or Support, you’ll need to log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Complete the SSO process again and make sure the certificate field contains no spaces and matches the one in your Google Admin Console for the LearnPlatform App.
  • Tip: Use a plain-text editor like Notepad or TextHelp to copy the certificate text into LearnPlatform. If the formatting changes because the text was copied through MS Word or Google Docs, your setup will not work.
  • Test your SSO again in an incognito window by navigating to https://[YOUR subdomain].app.learnplatform.com
Mapping Attributes
  • Once SSO has been disabled by your Project Consultant or Support, you’ll need to log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in/
  • Review your Attributes page in Google Admin Console. Be sure the attribute mapping fields are identical for Google Admin Console and the LearnPlatform SAML setup. Any spaces or characters out of place will prevent this setup from working.
  • Test your SSO again in an incognito window by navigating to https://[YOUR subdomain].app.learnplatform.com
Identity Provider Redirect URL
  • Once SSO has been disabled by your Project Consultant or Support, you’ll need to log back in using local authentication (username/password). Access your LearnPlatform account via app.learnplatform.com/users/sign_in
  • Access your Google Admin Console
  • Go to Apps > SAML Apps > LearnPlatform > Service Provider Details > Manage Certificates
  • Ensure that the SSO URL in your Google Admin Console is identical to your Identity Provider Redirect URL in LearnPlatform (no spaces or uppercase characters) 
  • Test your SSO again in an incognito window by navigating to https://[YOUR subdomain].app.learnplatform.com

For other Google SAML app error messages, please check out: https://support.google.com/a/answer/6301076?hl=en 

Logout URL

Some users may experience issues logging out when using SSO. To fix this, enter https://accounts.google.com/logout as the Identity Provider Logout URL in your Single Sign On tab.

Note: This URL will log you out of your Google account as well.