3229323 - Corporate IdP OKTA: Identity provider cannot process the response due to wrong configuration

• • A new Service Provider (SP) was purchased (for example, S/4HANA Cloud). In SP-initiated scenario, using Okta as the corporate Identity Provider (IdP) and Identity Authentication Service (IAS) as the proxy, the following error appears when trying to authenticate on Okta and access the Service Provider (SP):
    
    
  • Error : Identity provider cannot process the response due to wrong configuration. Please contact your system administrator. 
    
    
• Meanwhile in the troubleshooting log the following entries are visible.:
  
  
  • Failed to create SAML error responseConfiguration for trusted SP [null] does not exist.
    SAML validation error.HTTP request contains no cookies.
    Failed to forward to error page.Cannot forward after response has been committed Id
    Failed to send response.response parameter is null.
    
    
• In OKTA, the "Requestable SSO URLs" has such entry:
  
  
  • https://<tenantid>.accounts.ondemand.com/saml2/idp/acs/<tenantid>.accounts.ondemand.com
    
    

• In the SAML trace the destination below is visible where the issues is the SP:
  
  
  • Destination="https://<tenantid>.accounts.cloud.sap/saml2/idp/sso/<tenantid>.accounts.ondemand.com"
  • Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://myxxxxx.s4hana.cloud.sap</saml:Issuer>
    
    

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

• SAP Cloud Identity Services - Identity Authentication (IAS)
• OKTA Identity Provider

troubleshooting log, SAML, OKTA, IAS, Identity Authentication, IdP, SSO, Identity Provider, Single Sign-On, single sign on, process, response, trust, trusted, SP, Service Provider, Service-Provider, S/4 Hana, Hana, S4, login, logon, authenticate, fail, failed, request, cookies, exist, error  , KBA , BC-IAM-IDS , Identity Authentication Service , Problem