SAML2 how to identify associated account for Okta

have been following the guidelines on Okta’s documentation on how to setup a SAML 2.0 auth as a Service Provider using Okta as IdP. Reference: SAML-enable your Python application | Okta Developer

And I’ve been using the code sample provided here: GitHub - jpf/okta-pysaml2-example: Example SAML Service Provider for Python/Flask using PySAML2

The authentication flow works, but I am confused on how my application would identify the associated Okta account. If I publish this application on Okta Integration network, the goal is anyone can use Okta to connect to my app.

But I receive a POST request on same endpoint that requires a metadata file to decode the SAML request. I assume that Metadata file (or at least the cert) would be different for each account, so how do I identify associated account from the incoming request to even decode the request.

Is there an identifier associated with each company’s Okta account that I’m missing somewhere in the POST request?

the issuer field will have a unique ID for each SAML application created in okta and this can be referenced based on the metadata used to establish the SSO connection

i.e <saml2:Issuer Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:entity” xmlns:saml2=“urn:oasis:names:tc:SAML:2.0:assertion”>http://www.okta.com/exkj2af6uo6hmRH3C0h7</saml2:Issuer>

Thanks @Fuzzard but when a POST request comes from Okta to our server, I believe it’s encrypted, how do you identify account from it. We are using pysaml2 that uses the manifest to decrypt the request. But how do we identify the associated manifest to use to decrypt?