Did something change with the SSO implementation recently? Please check with your SSO vendor. If they had changed anything on their end to cause an issue, we need to be made aware.
Was the user merged recently? If so, make sure the user is trying to log in with the remaining (merged) user account.
Does the user already have an account in EthosCE? Find the user on the Manage User screen and download a CSV. Does the user have an authentication name/ID in the CSV?
If not, it means the user has a non-SSO account in EthosCE and you may try and move that account out of the way by changing the user's email address or username on the EthosCE side. Then have the user log back in with the SSO account, which will create a new account in EthosCE for the user. You may then merge accounts (non-SSO → SSO) is needed. NOTE: These steps may not work if you had a custom SSO implementation.
If you find an authentication name/ID, be sure it matches what your SSO vendor has tied to the account. If there is a mismatch, we will need to know which account to keep. You may try and move that account out of the way by changing the user's username on the EthosCE side. Then have the user log back in, which will create a new account in EthosCE for the user. You may then merge accounts (non-SSO → SSO) is needed.
You may filter the logs by the user's username. Link us to any message or error that pertains to the user logging in. This could help identify if perhaps a duplicate identifier or a mismatched authentication name is being sent to EthosCE via SSO.
4. Did the metadata file expire recently? Please check the recent log messages (Admin Wrench → Administration → Reports → Recent log messages). If there is an error similar to 'SimpleSAML\Error\Exception: Could not find the metadata of an IdP with entity ID,' then we would need a new metadata file provided to us.
Admin cannot masquerade in as a learner.
Is the learner an SSO user? If so, you will most likely need to use a non-SSO account to login and masquerade. This is because two SSO accounts will conflict with masquerading.
Make a 2nd(non-SSO) account for yourself and make your account a site admin:
Logout and log in as that new non-sso account at /user/login2