Unable to validate incoming SAML assertion (The Issuer in the SAML response did not match the Issuer configured for the Identity Provider.)

I have set up an external Identify Provider and am running into an issue of Okta saying that it cannot validate the incoming SAML assertion due the the Issuer in the response not matching the issuer configured for the Identity Provider. However, using a SAML tracer it appears as though the Issuer is in fact what I have specified, making me think the error being reported in the Okta logs is wrong and it might be invalid for another reason.

Is it possible that this error is returned incorrectly if it is invalid for another reason, such as the time stamp being in a different format that Okta doesn’t understand (for max skew - I noticed the one in the assertion doesn’t contain milliseconds) or something like that?

Thank you for the help!

Hi @jpetryk

Can you please open a support ticket with us through our Community Portal or by email at support@okta.com to have this issue further investigated by one our support engineers?

For anyone that runs into a similar issue and lands on this topic, I wanted to follow up. It turns out Okta’s log messages are pretty good. I was interpreting where it was looking and validating the Issuer from incorrectly because after some collaboration with the other end of the SSO configuration (we do not control that end, unfortunately), we figured out that they weren’t including the Issuer with the response.

Following that, we moved on to another error in the Okta logs, which was indicating that the “Audience” that the assertion was specifying did not match the IDP settings in Okta. Again, this was indeed wrong on the other end of the SSO configuration. Once this value was fixed, it resolved our issues.

Moral of the story: in at least our case, the logs were quite accurate in determining what was wrong. In these types of messages, they were indications of misconfigurations on the non-Okta end of the SAML configuration (which in this case, is the IDP end).

Hey, I am facing the similar issue, can you guide me through configuration of exactly what wrong values I am adding