When using SAML, is there anything preventing a malicious customer of a Service (SP) from entering fake certificates for Okta as an IdP? Okta uses unique signing credentials per tenant, so I can’t trust a single certificate for all Okta customers. So how can I verify that the certificate provided by the user is from Okta?
You can set up a Settings page for customers to add their configuration from Okta and save it in a database. When a SAML response comes in from Okta, you can retrieve that configuration from the database and pass it to the verification logic to validate the assertion and create the session inside the application.
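The per-tenant lookup in the answer above is what makes a customer-entered certificate harmless to everyone else: the response is validated only against the configuration of the tenant whose ACS endpoint received it, and the resulting session is scoped to that tenant. The following is an added example, not code from the answer's author or from Okta. It simulates two Okta orgs with freshly generated self-signed certificates, stores them in an in-memory map standing in for the settings database, and assumes the tenant id is taken from the ACS URL path (for example `/saml/acs/{tenantID}`). The signature is a simplified stand-in for XML-DSig (RSA-PKCS1v15 over SHA-256 of the assertion XML); issuer strings, tenant ids and user names are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TenantIdPConfig is what a customer saves on the settings page: the issuer
// (entity ID) and signing certificate of *their own* Okta org.
type TenantIdPConfig struct {
	IdPEntityID string
	Cert        *x509.Certificate
}

// Assertion is a stand-in for a SAML assertion (assumption: real SAML uses
// XML-DSig; here the signature is RSA-PKCS1v15 over SHA-256 of the XML body).
type Assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	Issuer  string   `xml:"Issuer"`
	NameID  string   `xml:"NameID"`
}

type SignedResponse struct{ Body, Signature []byte }

// Principal is what the session is created for: always scoped to the tenant
// whose configuration validated the assertion, never to the NameID alone.
type Principal struct{ TenantID, NameID string }

// SP holds the hypothetical settings database, keyed by the tenant id that
// appears in the ACS URL the response was posted to.
type SP struct{ tenants map[string]TenantIdPConfig }

// Validate checks a response posted to /saml/acs/{tenantID} against only that
// tenant's stored configuration.
func (sp *SP) Validate(tenantID string, resp SignedResponse) (Principal, error) {
	cfg, ok := sp.tenants[tenantID]
	if !ok {
		return Principal{}, errors.New("unknown tenant")
	}
	pub, ok := cfg.Cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return Principal{}, errors.New("tenant certificate is not RSA")
	}
	// 1. The signature must verify under this tenant's certificate and no other.
	digest := sha256.Sum256(resp.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], resp.Signature); err != nil {
		return Principal{}, fmt.Errorf("signature does not verify for tenant %q", tenantID)
	}
	// 2. Only trust the content once the signature is trusted.
	var a Assertion
	if err := xml.Unmarshal(resp.Body, &a); err != nil {
		return Principal{}, err
	}
	// 3. The issuer must be the IdP this tenant configured.
	if a.Issuer != cfg.IdPEntityID {
		return Principal{}, fmt.Errorf("issuer %q is not the IdP of tenant %q", a.Issuer, tenantID)
	}
	return Principal{TenantID: tenantID, NameID: a.NameID}, nil
}

// TestIdP simulates an Okta org (or an attacker's fake one) with its own key pair.
type TestIdP struct {
	EntityID string
	Cert     *x509.Certificate
	key      *rsa.PrivateKey
}

func NewTestIdP(entityID string) (*TestIdP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: entityID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &TestIdP{EntityID: entityID, Cert: cert, key: key}, nil
}

func (idp *TestIdP) Sign(a Assertion) (SignedResponse, error) {
	body, err := xml.Marshal(a)
	if err != nil {
		return SignedResponse{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idp.key, crypto.SHA256, digest[:])
	return SignedResponse{Body: body, Signature: sig}, err
}

// ScenarioResult records how the SP treats a genuine login and three attempts
// by a malicious customer (tenant B) who saved a certificate they control.
type ScenarioResult struct {
	HonestAccepted, CrossTenantRejected, SpoofedIssuerRejected bool
	AttackerPrincipal                                         Principal
}

func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	oktaA, err := NewTestIdP("http://www.okta.com/exk-tenant-a") // constructed issuer
	if err != nil {
		return r, err
	}
	fakeB, err := NewTestIdP("http://www.okta.com/exk-tenant-b") // attacker-controlled
	if err != nil {
		return r, err
	}
	sp := &SP{tenants: map[string]TenantIdPConfig{
		"tenant-a": {IdPEntityID: oktaA.EntityID, Cert: oktaA.Cert},
		"tenant-b": {IdPEntityID: fakeB.EntityID, Cert: fakeB.Cert},
	}}
	victim := "alice@tenant-a.example"
	// 1. Genuine login for tenant A.
	resp, _ := oktaA.Sign(Assertion{Issuer: oktaA.EntityID, NameID: victim})
	_, err = sp.Validate("tenant-a", resp)
	r.HonestAccepted = err == nil
	// 2. B forges an assertion naming A's issuer and posts it to A's ACS URL:
	//    A's stored certificate is not B's, so the signature check fails.
	forged, _ := fakeB.Sign(Assertion{Issuer: oktaA.EntityID, NameID: victim})
	_, err = sp.Validate("tenant-a", forged)
	r.CrossTenantRejected = err != nil
	// 3. The same forgery posted to B's own ACS URL: the signature verifies
	//    under B's certificate, but the issuer is not the IdP B configured.
	_, err = sp.Validate("tenant-b", forged)
	r.SpoofedIssuerRejected = err != nil
	// 4. Whatever B signs with its fake IdP only ever yields a tenant-B principal.
	own, _ := fakeB.Sign(Assertion{Issuer: fakeB.EntityID, NameID: victim})
	r.AttackerPrincipal, err = sp.Validate("tenant-b", own)
	return r, err
}
```

The point the scenario makes is that a customer who enters a bogus certificate can only forge logins into their own tenant, which they could already do by creating users there; the checks that matter are that the certificate and issuer used for verification are selected by the receiving tenant (never by anything inside the unverified response, such as the `Issuer` element or the `KeyInfo` block) and that the session is keyed by tenant plus NameID. In production the XML-DSig verification would be done by a SAML library, with the tenant's stored certificate passed in as the only trusted key.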