If you face “Error: User does not have access to this service provider” exception, then the Profile doesn’t have access to the Connected App create as part of the Single Sign On.
In the SAML tracer, you will find “urn:oasis:names:tc:SAML:2.0:status:AuthnFailed”.
You can use SAML Tracer extension and check SAMLStatusMessage and SAMLStatusCode values.