3553529 - Failed to create SAML error response Configuration for trusted SP [null] does not exist

• SSO for SuccessFactors.
• Identity Authentication acts as a proxy to delegate the authentication to OKTA as corporate identity provider
• In SP-initiated scenario, after redirect to IAS from OKTA, the following error occurs:
  • Identity provider cannot process the response due to wrong configuration. Please contact your system administrator. 
    
• The following errors in Troubleshooting log are visible:
  • "Failed to forward to error page. Cannot forward after response has been committed Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
    "Failed to send response. response parameter is null. Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
    "Failed to forward to error page. Cannot forward after response has been committed Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
    "Failed to create SAML error response Configuration for trusted SP [null] does not exist. Correlation ID: XXXXXX-XXX-XXXX-XXXXXXXXXX "
    "Failed to read error response. Invalid SAML response: null Correlation ID: "XXXXXX-XXX-XXXX-XXXXXXXXXX "
    
    
• In IAS admin console, the "Assertion Consumer Service Endpoints" of "SAML 2.0 Configuration" in tenant settings is "https://<tenantid>.accounts.ondemand.com/saml2/idp/acs/<tenantid>.accounts.ondemand.com" and in OKTA, the "Single Sign On URL" is the same value
  
  
• In the SAML trace the destination below is visible where the issuer is the SP:
  
  • Destination="https://<tenantid>.accounts.cloud.sap/saml2/idp/sso/<tenantid>.accounts.ondemand.com"
  • <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://www.successfactors.com/<mycopnaycode></saml2:Issuer>

• SAP Cloud Identity Services - Identity Authentication (IAS)
• OKTA Identity Provider

IAS, OKTA, Common Super Domain, Identity Authentication, error, fail, Requestable SSO URLs , KBA , BC-IAM-IDS , Identity Authentication Service , Problem