Troubleshooting SAML Single Sign-On (SSO) Login Issues

If you're seeing errors when trying to log into HappyCo via Single Sign-On (SSO), this article walks through the most common causes and how to resolve them. Most SSO troubleshooting is a collaboration between your IT team and HappyCo — we need to compare what your identity provider is configured to send against what we have on file on our side. This article is structured to help you gather the right information up front so our team can resolve the issue with you as quickly as possible.

Setting up SSO for the first time? This article covers troubleshooting for existing SSO configurations. For step-by-step setup guides — including instructions for Microsoft Entra ID, Okta, Google, and OneLogin — see our SAML Single Sign On documentation.


What This Article Covers

  • Quick self-triage to narrow down the cause
  • Common SSO issues and how to work through them with our team
  • Information to have ready when reporting a SAML validation error
  • Updating your SAML signing certificate
  • What to include when opening a support ticket with HappyCo

Before You Start — Quick Triage

A few questions to answer first — these are the fastest way to narrow down what's happening:

  • Who's affected? Just one user, some users, or everyone in your organization?
  • What's the exact error message? (Screenshots help — see the "What to include when opening a ticket" section below.)
  • Are affected users assigned to the HappyCo SSO application in your identity provider? Users need to be explicitly assigned to your HappyCo SSO app on your IdP side to be able to authenticate — this is the most common cause of a single user being unable to log in.
  • Has anything changed recently? Certificate rollover, IdP configuration change, an admin who left the company?

Common SSO Issues

1. A single user can't log in — everyone else is fine

This is almost always an issue on your identity provider (IdP) side, not HappyCo. Common causes:

  • The user was recently deactivated or removed from your IdP
  • The user's email address in your IdP doesn't match their HappyCo account
  • The user isn't assigned to the HappyCo application in your IdP

What to do: Have the user check with your organization's IT or Help Desk team to confirm they're active in the IdP and assigned to the HappyCo SSO application. If everything looks right on your side and the user still can't log in, open a support ticket with us and include the details from the "What to include" section below.

2. All users are locked out at once

If SSO is failing for all users across both web and mobile, that's a strong signal of an SSO configuration or certificate issue. The most common triggers:

  • The SAML signing certificate has expired or been rotated on your IdP without notifying HappyCo. Signing certs typically have a 3-year expiry.
  • The IdP's SAML endpoint URL was changed without an update to HappyCo.
  • The domain(s) associated with your SSO configuration have changed.

What to do: Open a support ticket with HappyCo urgently and flag that all users are affected. Have your IT team ready to provide an updated SAML signing certificate in Base64 / PEM format if a rollover is the cause.

3. "The SAML AuthnResponse object could not be parsed or verified" error

This error means SAML signature or audience validation is failing when your identity provider sends a response to HappyCo. Resolving it requires our team and yours to compare the SAML configuration on both sides — see the Information to Include for SAML Validation Errors section below for the five values we'll need. Sending them in your initial ticket lets us verify each one against what we have on file, which typically resolves the issue in a single round trip.

4. "This account is already linked to another user" error

This typically happens when:

  • The user's email address changed in your IdP after their HappyCo account was created
  • A new HappyCo user was created for someone whose old account was deactivated

What to do: Open a support ticket for the affected user — this one requires an action on our side to unlink the SSO association. Include the user's current email address and any prior email addresses.


Information to Include for SAML Validation Errors

When your users are seeing a "SAML AuthnResponse could not be parsed or verified" error (or any similar SAML validation failure), the fastest path to resolution is for our team to compare five specific values on your identity provider against what we have configured on our side. Please include these when you open your ticket:

1. Identifier / Entity ID / Audience URI

Send us the value currently configured as the IdentifierEntity ID, or Audience URI on your IdP's SAML application for HappyCo. This should be in the format https://auth.happyco.com/samlv2/sp/<your-unique-uuid> — the UUID portion is unique to your organization, and we'll verify it matches what we have on file.

2. Reply URL / ACS URL

Send us the value currently configured as the Reply URL or ACS URL on your IdP. This should be https://auth.happyco.com/samlv2/acs — the same value for all HappyCo customers.

3. Active Signing Certificate Thumbprint

Send us the SHA-256 thumbprint (also called "fingerprint") of the certificate currently marked Active in your IdP's SAML Certificates section. Some IdPs — Microsoft Entra ID especially — can have both a primary and a secondary signing certificate active at the same time. We'll compare your active thumbprint against the certificate we have loaded to confirm we're validating against the right one.

4. Signing Algorithm

Send us the signing algorithm currently configured on your IdP's SAML application. It should be set to SHA-256 (not SHA-1) — SHA-1 is deprecated and HappyCo's SSO configuration won't validate responses signed with it.

5. Response Encryption Status

Let us know whether SAML response encryption is enabled or disabled on your IdP side. HappyCo's SSO configuration is set up to validate signed responses, not encrypted ones, so response encryption should be disabled in most cases.

Including all five items in your initial ticket significantly shortens resolution time — otherwise, we typically need to follow up to request them before we can begin verifying.


Updating Your SAML Signing Certificate

Signing certificates typically expire every 1–3 years, depending on your IdP settings. To avoid a lockout, plan to update your cert with HappyCo at least 30 days before expiry.

1. Export the certificate from your identity provider

Export in Base64 / PEM format — not DER (binary). The exact export step varies by IdP:

  • Microsoft Entra ID (Azure AD): In your Enterprise Application's SAML config → SAML Certificates section → download the Certificate (Base64).
  • Okta: In your SAML application → Sign On tab → View SAML setup instructions → download the X.509 Certificate (Base64 encoded).
  • Google: In your custom SAML app → Download IDP metadata → the certificate is included in the metadata file, or download it directly if that option is available.
  • OneLogin: In your SAML application → SSO tab → download the X.509 Certificate.
2. Verify the file is in the correct format

Open the exported file in a text editor. If you see readable text bracketed by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, it's PEM (correct). If it looks like unreadable binary characters, it's DER — re-export in Base64.

3. Send the certificate to HappyCo

Open a support ticket and attach the certificate file. Include:

  • Your organization / business name
  • A note that this is a certificate update (vs. new SSO setup)
  • The date the current certificate expires, if known
  • The certificate SHA-256 thumbprint/fingerprint from your IdP — helps us confirm we're uploading the right one

We'll upload the new certificate on our side and let you know when it's active.

4. Confirm the update works

Once we let you know the update is complete, have your team log out of HappyCo and back in to verify SSO is working correctly.


What to Include When Opening a Ticket

To help us resolve SSO issues quickly, include:

  • Your organization / business name
  • Which users are affected (one user, some, or all)
  • The exact error message — screenshot is best
  • Which HappyCo product(s) they can't access (Manage on the web, mobile app, or both)
  • Your identity provider (Microsoft Entra ID, Okta, Google, OneLogin, etc.)
  • Any recent changes on your side (IdP config updates, cert rollover, expired certs)
  • If you're seeing a SAML validation error, include the five items from the Information to Include for SAML Validation Errors section above.
  • If updating a certificate: the new certificate in Base64 / PEM format, plus the SHA-256 thumbprint.
Was this article helpful?
0 out of 0 found this helpful