Skip to content
English
Sign In
  • There are no suggestions because the search field is empty.

SSO Troubleshooting for IT Teams

This guide outlines common Single Sign-On (SSO) issues schools may encounter when setting up or using SSO with Wellio. Each section explains the problem, its likely cause, and what steps to take to resolve it.

💡 Tip: You can test any SSO configuration changes using the test account details you provided to Wellio in the initial setup.

Standard attribute mapping (all IdPs)

Wellio expects the following SAML claims, exactly as written below — lowercase, no namespace prefix:

  • Email attribute → email
  • First Name attribute → first_name
  • Last Name attribute → last_name

 

⚠️ For Microsoft Azure / Entra ID, ensure you clear the Namespace field.

By default, Azure adds a namespace value (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims) to every claim it sends. Wellio doesn't accept namespaced claims, which is the most common reason names appear blank after setup.

When configuring your claims in Azure:

  1. Open the Wellio Enterprise Application in Azure → Single sign-onAttributes & Claims.
  2. For each of the three claims (email, first_name, last_name), click into the claim and clear the Namespace field entirely – leave it blank.
  3. Make sure the claim Name is lowercase and matches exactly: email, first_name, last_name.
  4. Save your changes and re-test with your test account.

 

"We're having trouble with signing you in" or "App Not Configured for User"

What it looks like:
Attempting to sign in shows an access denied screen.

output-onlinepngtools (2)388fb294-4b45-11f0-bd10-0242ac120003

Common cause:
The account hasn’t been assigned to a group that has permission to access the Wellio app.

How to fix it:

  • In your identity provider, assign the test user account(s) to the Wellio App (via a group)
  • If applicable, check for a setting such as "Assignment Required" and disable it to allow broader access

"App Not Enabled for User"

What it looks like:
Attempting to sign in shows an Access Denied screen.

809c050e-5321-11f0-9167-0242ac120003

Common cause:
The group that the user themselves is in has not been granted access to the Wellio app in their IDP (Azure/Google/etc.), or access to the Wellio App has been turned off entirely.

How to fix it:

  • In your identity provider, enable the test user account(s) to access the Wellio App

  • If using Google: Go to Wellio App → Settings → User Access → Service Status and set it to ON for everyone

"Malformed Certificate"

What it looks like:
Attempting to sign in shows a Malformed Certificate error.

bc3cc6f0-7259-11f0-a411-0242ac120004 copy

Common cause:
The SAML Certificate has likely expired. These certificates are usually valid for 3 years and must be renewed before expiration.

How to fix it:

  • In your identity provider, generate and upload a new SAML Certificate to Wellio

User's full name appears blank in Wellio

What it looks like:
After logging in, the user’s first and/or last name is missing from their profile in the Settings page in Wellio.

Common cause:
The SSO claim mapping for names hasn’t been configured correctly, or the identity provider hasn’t stored name values for the user.

How to fix it:

Check your SSO configuration and ensure that the following EXACTLY matches:

  • Microsoft Azure:
    microsoft_saml_attribute_mapping-3a7661b2

  • Google:

  • Other IDP:
    • Email attribute -> email
    • First Name attribute -> first_name
    • Last Name attribute -> last_name

⚠️ For Microsoft Azure / Entra ID:

  1. Open the Claims in Azure and clear the Namespace field so it's empty.

  2. See Standard attribute mapping for full Azure-specific steps.

  3. Also check that the test user account has a first and last name set in your identity provider.

Staff are being logged in as students

What it looks like:

  • A teacher ends up in a student view with no classes or admin access.

  • The user says they "used their school account" but it's not working as expected.

Common cause:
The user is signed into their Google Account using SSO with a different email address (e.g. their school or Department email) to their provisioned Wellio email. Google parses the email from the current active SSO session, even if this is different to your Wellio one.

How to fix it:

  • Ask the user to fully log out of their Google/Microsoft account in their browser and try again using the correct school-issued email.

  • If Wellio has them registered under an outdated email, contact Support to update the email address on file.

Teachers can't view student names in the platform

What it looks like:
Teachers can see lesson progress but all student names are missing and are only displaying email addresses.

Common cause:
SSO is not passing through the correct name claims (usually first_name or last_name are missing or empty).

How to fix it:

  • Check your SSO configuration and ensure that the following EXACTLY matches:

    • Microsoft Azure:
      microsoft_saml_attribute_mapping-3a7661b2

    • Google:

    • Other IDP:
      • Email attribute -> email
      • First Name attribute -> first_name
      • Last Name attribute -> last_name

     

⚠️ For Microsoft Azure / Entra ID:

  1. Open the Claims in Azure and clear the Namespace field so it's empty.

  2. See Standard attribute mapping for full Azure-specific steps.

  3. Also check that the test user account has a first and last name set in your identity provider.