"Single sign-on authentication was unsuccessful (reference # WRFSHMKK)." During HealthStream Authentication
Sep 3, 2025
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview
When trying to log in to HealthStream from the Okta Dashboard tile using Identity Provider (IdP)-initiated flow, the following error is seen:
Single sign-on authentication was unsuccessful (reference # WRFSHMKK).
Applies To
- Custom Secure Assertion Markup Language (SAML) 2.0
- HealthStream
- Bookmark Application
Cause
The root cause of this issue is that HealthStream does not support IdP-initiated flow and requires the use of Service Provider (SP)-initiated flow.
Solution
Follow the instructions below to simulate SP-initiated flow with the Bookmark App for HealthStream :
- Create a Bookmark application and add the following URL:
https://www.healthstream.com/<xy>/<AddSpecificURL>. Consult with HealthStream to get the SP-initiated URL.
- Rename both tiles in Okta to reflect their functionality more clearly and to facilitate user interaction.
- Hide the tile for the SAML HealthStream app in Okta, leaving only the bookmark that uses the SP-initiated flow when accessed.
Related References
Simulate an SP-initiated flow with the Bookmark App
