SAML Troubleshooting Attributes June 10, 2025 6 min read

Troubleshooting SAML NameID and attribute mapping errors

How to diagnose the most common SAML assertion issues when connecting Thinkific to an identity provider.

Most SAML issues fall into one of three categories: the assertion cannot be validated, the user cannot be matched, or the attributes arrive in an unexpected format. This article explains how to identify and fix each problem quickly.

Validate the assertion first

Before changing anything in Thinkific, confirm the IdP is sending a valid assertion. Use the WooNinja SSO SAML logs to view the decoded assertion. If the log is empty, the IdP is not posting to the correct assertion consumer service URL.

Common NameID problems

The NameID is the unique identifier the IdP sends to the service provider. If it changes between logins, WooNinja SSO may create duplicate accounts.

  • Email format is predictable but can change when a user changes their email address.
  • Persistent format is stable but must be released by the IdP consistently.
  • Transient format should not be used for account matching because it changes every login.

Fix: align the NameID format between the IdP and WooNinja SSO, and choose a value that does not change over time.

Attribute mapping mistakes

Attributes are case-sensitive and must match the mapping configured in WooNinja SSO exactly. Common errors include:

  • Mapping first_name when the IdP sends firstName.
  • Releasing group names with prefixes that are not stripped.
  • Sending multiple values for an attribute expected to be single-valued.

Use the SAML logs to inspect the attribute names and values, then update the mappings to match what the IdP actually sends.

Certificate and signature errors

If the assertion signature cannot be verified, check that:

  • The IdP certificate has not expired.
  • You imported the correct signing certificate, not the encryption certificate.
  • The metadata URL in WooNinja SSO matches the current IdP metadata.

Rotating certificates is a common cause of unexpected SSO failures. Most IdPs publish a new certificate before expiry, so refreshing the metadata URL often resolves the issue.

Still stuck?

Export a SAML trace from your browser or the WooNinja SSO logs and share it with our support team. We can usually identify the issue within a few minutes.

Written by WooNinja Team
Back to blog

Related articles