Configuring Entra ID as an Identity Provider Returns "400 general non_success" Error
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article outlines steps to troubleshoot and resolve the common 400 non_success error, seen when configuring Entra ID as an Identity Provider (IdP). The associated error message is: 

Unable to validate incoming SAML Assertion.

 

Applies To
  • Microsoft Entra ID / Azure Active Directory (AAD)
  • Identity Providers (IdP)
Cause

Two common scenarios can trigger this error:
 

Scenario 1

Okta System Logs show the error:
 

The Issuer in the SAML response did not match the Issuer configured for the Identity Provider.

(Screenshot: error message)

This can occur if:

  • The IdP Issuer URI provided by Microsoft lacks a trailing slash ("/") at the end, causing validation to fail.
  • The certificate downloaded from the Entra ID portal has a default file extension of .cer, which needs to be changed to .crt.

 

Scenario 2

Okta System Logs show the error:

 

The Identity Provider specified Conditions, but did not designate us as the target for these conditions. Found "{0}", expected "{1}".

(Screenshot: error message)

 

This happens when:

  • The Entity ID (Identifier) configured for the Okta application in Entra ID is incorrect, i.e. it does not match the Audience URI shown in Okta's Identity Provider configuration.
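Both log messages above come from Okta comparing fields of the incoming SAML assertion against its own IdP settings as exact strings. The following added example (not Okta or Microsoft code) performs the same two comparisons on a captured SAML Response, so an administrator can see which value is off before touching either console. It covers Scenario 1 (Issuer mismatch, including the trailing-slash case) and Scenario 2 (AudienceRestriction that does not name the Okta Audience URI). The sample response, the all-zero tenant ID in the issuer, and the Audience URI are constructed placeholders; real values come from your own tenants.

```python
"""Pre-flight checks of a SAML Response against Okta-side IdP settings.

Added example, not Okta's or Microsoft's code. It reproduces the two
validation failures from the article: an Issuer that does not match the
configured IdP Issuer URI, and Conditions/AudienceRestriction that does not
name Okta's Audience URI. Every sample value here is a constructed placeholder.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned SAML Response for illustration only. The tenant ID in
# the issuer is an all-zero placeholder and the Audience URI is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://www.okta.com/saml2/service-provider/example</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_issuer_and_audiences(xml_text):
    """Return (assertion issuer, list of Audience values) from a SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found (encrypted assertions are not handled here)")
    issuer_el = assertion.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    return issuer, audiences


def check_response(xml_text, configured_issuer, okta_audience_uri):
    """Compare the assertion with the Okta IdP settings; return a list of findings.

    An empty list means both the Issuer and the Audience checks pass. The
    comparisons are exact string matches, which is why a missing trailing
    slash is enough to fail validation.
    """
    issuer, audiences = extract_issuer_and_audiences(xml_text)
    findings = []
    if issuer != configured_issuer:
        msg = (f"Issuer mismatch: assertion says {issuer!r}, "
               f"Okta IdP Issuer URI is {configured_issuer!r}")
        # The article's Scenario 1: identical except for the trailing "/".
        if issuer.rstrip("/") == configured_issuer.rstrip("/"):
            msg += " (differs only by trailing slash; add '/' to the IdP Issuer URI in Okta)"
        findings.append(msg)
    if okta_audience_uri not in audiences:
        # The article's Scenario 2: Conditions present but Okta is not the target.
        findings.append(
            f"Audience mismatch: assertion restricts to {audiences}, expected "
            f"{okta_audience_uri!r} (set Identifier (Entity ID) in Entra ID to the Okta Audience URI)"
        )
    return findings


if __name__ == "__main__":
    # Placeholder settings as they would be read from the Okta IdP page.
    issuer_without_slash = "https://sts.windows.net/00000000-0000-0000-0000-000000000000"
    audience = "https://www.okta.com/saml2/service-provider/example"
    for finding in check_response(SAMPLE_RESPONSE, issuer_without_slash, audience):
        print(finding)
```

Run it against a SAML Response captured with a browser SAML tracer (base64-decoded first) and the two values copied from the Okta Identity Provider page; each finding names the console setting that needs to change.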
 
 
Solution

Resolution for Scenario 1

Solution 1: Update the IdP Issuer URI

  1. Log in to the Okta Admin Dashboard and navigate to Security > Identity Providers.
  2. Click the Edit button to update the IdP Issuer URI.
  3. If there is no "/" character at the end of the IdP Issuer URI, add one.
  4. Click Save to save the changes.

Solution 2: Reapply the Entra ID SAML Signing Certificate

  1. Log in to the Entra ID portal and re-download the certificate from the SAML Signing Certificate area.
  2. Change the file extension of the certificate from .cer to .crt.
  3. Log in to the Okta Admin Dashboard (the tenant's admin console) and navigate to the Identity Provider configuration page.
  4. Edit the Entra ID IdP settings.
  5. Remove the old certificate and upload the new version.

 

Resolution for Scenario 2

  1. Log in to the Okta Admin Dashboard, navigate to Security > Identity Providers, and select the Identity Provider configured for Entra ID.
  2. Click Actions > Configure Identity Provider.
  3. Copy the Audience URI.

(Screenshot: Audience URI)

  4. Log in to the Entra Admin Center and go to Applications > Enterprise Applications > <Okta Application>.

(Screenshot: Okta Application)

  5. Click Single Sign-On.
  6. Click Edit next to the Basic SAML Configuration header.
  7. Paste the Audience URI copied in step 3 into the Identifier (Entity ID) field.
  8. Click Save to save the changes.


If these resolutions do not work, open a case with Okta support and include any pertinent Okta System Log messages, plus the actions already taken to troubleshoot the issue.
