"Cannot retrieve metadata for IdP ' ' because it isn't a valid IdP for this SP."
This error usually appears for one of the following reasons:
- The SSO login was initiated from the IdP; TalentLMS supports SP-initiated SSO logins only.
Solution: Attempt to log in from a private window via the direct SSO login URL, https://{domain}.talentlms.com/index/ssologin/service:saml (or https://{customdomain}/index/ssologin/service:saml if you use a custom mapped domain and the SSO app is set up with the custom domain only).
- The Entity ID entered into the TalentLMS SSO form does not match the one in your IdP metadata.
Solution: Download your IdP metadata file and confirm that its entityID matches the value you’ve entered in the "Identity Provider " field of the TalentLMS SSO form.
"idp_email_already_exists"
This error typically occurs for one of the following reasons:
- The email address was found, but the username values did not match, so authentication failed.
Solution: Ensure that the user's username in TalentLMS matches the value in the corresponding attribute in your IdP.
- The email address is linked to an archived account.
Solution: To reuse this email, either permanently delete the associated archived user or restore the deleted user to reactivate their previous account.
"Unable to find a certificate matching the configured fingerprint. Candidates : ' '; certFingerprint:' '"
This error occurs because the certificate in your IdP has changed and no longer matches the one in your TalentLMS SSO setup.
Solution: Navigate to Account & Settings > Users > Single-Sign-On (SSO), and update the 'Certificate fingerprint' field with your new SSO certificate.
To update the certificate for a branch, go to Home > Branches > {branch name} > SSO.
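The two checks above (entityID in the IdP metadata versus the SSO form, and the certificate fingerprint versus the IdP's current signing certificate) can be done in one pass over the metadata file. The script below is an added example, not TalentLMS code. It assumes standard SAML 2.0 metadata (EntityDescriptor with a KeyDescriptor holding an X509Certificate), the metadata sample and certificate bytes are constructed placeholders (not a real certificate), and the hash algorithm the fingerprint field expects is an assumption, so both SHA-1 and SHA-256 are computed and compared.

```python
"""Compare the values typed into an SP's SSO form with the IdP metadata file.

Added example (not TalentLMS code). Assumes SAML 2.0 metadata layout:
<EntityDescriptor entityID="..."> containing <KeyDescriptor use="signing">
with a base64 X509Certificate. The fingerprint hash algorithm is assumed
(SHA-1 and SHA-256 are both tried); check which one your SP expects.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. The "certificate" is placeholder bytes, NOT a real
# X.509 certificate; it only lets the example run offline.
SAMPLE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def entity_id(metadata_xml: str) -> str:
    """The entityID attribute of the root EntityDescriptor."""
    return ET.fromstring(metadata_xml).attrib["entityID"]


def signing_certs_der(metadata_xml: str) -> list[bytes]:
    """DER bytes of every signing certificate in the metadata.

    A KeyDescriptor without a 'use' attribute is valid for both signing
    and encryption, so it is included too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # PEM-style line breaks inside the element are common; strip them.
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of the DER certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' and return bare uppercase hex."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def check_sso_form(metadata_xml: str, form_entity_id: str, form_fingerprint: str) -> dict:
    """Report whether the SSO form values match the IdP metadata."""
    certs = signing_certs_der(metadata_xml)
    wanted = normalize(form_fingerprint)
    fp_match = any(
        normalize(fingerprint(c, algo)) == wanted
        for c in certs
        for algo in ("sha1", "sha256")
    )
    return {
        "entity_id_matches": entity_id(metadata_xml) == form_entity_id.strip(),
        "fingerprint_matches_a_signing_cert": fp_match,
        "signing_certs_in_metadata": len(certs),
    }


if __name__ == "__main__":
    der = signing_certs_der(SAMPLE_METADATA)[0]
    print("entityID:", entity_id(SAMPLE_METADATA))
    print("SHA-1  :", fingerprint(der, "sha1"))
    print("SHA-256:", fingerprint(der, "sha256"))
    print(check_sso_form(SAMPLE_METADATA, "https://idp.example.com/metadata", fingerprint(der)))
```

Run it against your real metadata by replacing SAMPLE_METADATA with the downloaded file's contents; a False in "fingerprint_matches_a_signing_cert" after an IdP certificate rotation is exactly the situation behind the "Unable to find a certificate matching the configured fingerprint" error, and the printed fingerprint is the value to paste into the form.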
"Configuration_username/email/lastname/firstname_missing"
Four mandatory attributes (email, username, first name, last name) need to be mapped and sent by the IdP. This error indicates that one or more of these attributes is not being received for this user.
Solution: Verify that your IdP is sending values for all mandatory attributes for this user. You can check the values sent by your IdP by clicking "Save and Check configuration" in the SSO form or by taking a SAML trace.
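When reading a SAML trace, the SAMLResponse field is the base64-encoded Response XML, and the attributes the IdP actually sent are in its AttributeStatement. The script below is an added example, not TalentLMS code: it decodes a constructed, unsigned response, lists the attributes received, and names the mandatory fields whose mapped attribute is absent or empty. The IdP attribute names (mail, uid, givenName, sn) are an assumed mapping; substitute the names entered in your SSO form. It checks only what was sent, it does not validate the response signature.

```python
"""List which mandatory SP fields a captured SAML Response fails to supply.

Added example (not TalentLMS code). The attribute mapping is assumed; the
response XML is constructed and unsigned, so this is a content check only,
not signature validation.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP field -> attribute name expected from the IdP (assumed mapping).
MANDATORY_MAPPING = {
    "email": "mail",
    "username": "uid",
    "firstname": "givenName",
    "lastname": "sn",
}

# Constructed response: 'sn' (last name) is absent and 'uid' is sent empty,
# the two shapes behind a *_missing error.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uid">
        <saml:AttributeValue></saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="givenName">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# What a SAML trace shows: the same XML base64-encoded in the SAMLResponse field.
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64: str) -> str:
    """Turn the SAMLResponse form field from a trace back into XML text."""
    return base64.b64decode(b64).decode("utf-8")


def attributes_from_response(xml_text: str) -> dict[str, list[str]]:
    """Attribute Name -> list of non-empty values, across all assertions."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.attrib.get("Name", "")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        # An attribute sent with only empty values counts as received but valueless.
        attrs.setdefault(name, []).extend(v for v in values if v)
    return attrs


def missing_mandatory(xml_text: str, mapping: dict[str, str] = MANDATORY_MAPPING) -> list[str]:
    """SP field names whose mapped attribute is absent or has no value."""
    attrs = attributes_from_response(xml_text)
    return [field for field, idp_name in mapping.items() if not attrs.get(idp_name)]


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_SAMLRESPONSE_B64)
    print("attributes received:", attributes_from_response(xml_text))
    print("missing mandatory fields:", missing_mandatory(xml_text))
```

For a real trace, paste the SAMLResponse value into decode_saml_response; the names reported by missing_mandatory are the ones to add or populate in the IdP's attribute mapping for that user.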
"URL not allowed: ' ' "
The SSO login can be used either from the custom domain or from the TalentLMS domain, depending on which one you configured the SSO app for in your IdP, but not both.
Solution: If you associated the SSO app with the custom domain, you can log into the portal with SSO only via the custom domain.
If you configured the SSO app with the TalentLMS domain, you can use SSO only via the TalentLMS domain.
"Your username or password is incorrect. Please try again, making sure that CAPS LOCK key is off."
This error usually means an account with the same email address was deleted non-permanently (it is still archived rather than permanently removed).
Solution: Navigate to Home > Reports > Timeline and either restore or permanently delete the user with this email address, and then ask the user to try logging in via SSO.
"App Not Assigned"
This message comes from the Identity Provider, not from TalentLMS: it appears when the user attempting to log in via SSO has not been granted access by the IdP to the application created for the SSO configuration.
Solution: Verify that the user is assigned to the SSO application in your IdP.