Getting 'assertion is not a valid SAML 2.0 Assertion' when exchanging IdP SAML Assertion for Okta Auth Token

Hi, I have setup an external identifier in my okta tenant which after completing the authentication at the external IdP returns back a SAML Response (with success status) to the ACS Url. I am trying to exchange this Assertion for an AuthToken from Okta when I get this message. So in the ‘/oauth2/default/v1/token’ endpoint I am sending in the grant_type ‘urn:ietf:params:oauth:grant-type:saml2-bearer’ client_id that is valid to my okta application that supports the SAML 2.0 grant, scope of ‘openid’ and the assertion which is the base64 encoded SAML assertion that I received from the Idp at the ACS url. However I am getting the assertion is not a valid SAML 2.0 Assertion’ error back, no matter what I tried. Could you please help me figure out what I am doing wrong please. Thanks.

Some common reasons for this error can be found here.

Some Samples can be found here.

If the above common reasons does not help narrow down the issue you may want to open a support case. The backend logs often give more information on the failure reason, but we would need your Org details / etc to check.

1 Like