Employees cannot log into the HES service and use the SSO service by default, they must have an explicit permission of the administrator. Select an employee and click the 'Edit' button. Then click the 'Enable SSO' button at the opened page to give the permission.
Note: An employee must have an email and an associated key to activate the SSO service.
The SSO service is automatically enabled and cannot be deactivated for all HES administrators.
If External ID is used as the Name Identifier Field, you have to fill in this field as well. Open 'Employees' -> 'Select an employee' -> 'Edit' to edit the External ID field.