After setting up Salesforce single sign-on with Security Assertion Markup Language (SAML), the login flow fails and the following error is displayed on the Salesforce landing page:
The audience in the assertion did not match the allowed audiences.
- Security Assertion Markup Language (SAML)
- Salesforce
- Error
Salesforce rejects the assertion because the value in its `<saml:Audience>` element (the Audience URI that Okta generates from the Salesforce domain entered in the app settings) is not byte-for-byte identical to the Entity ID configured in Salesforce. There are a couple of reasons this can happen:
- The Entity ID comparison in Salesforce is case-sensitive, so a value that differs only in uppercase or lowercase letters (for example "https://MyDomain.my.salesforce.com" versus "https://mydomain.my.salesforce.com") does not match.
- If the integration is being configured against a sandbox, the Entity ID must still be the production My Domain URL, not the sandbox URL.
To resolve the issue:
- Manually edit the Entity ID in the Salesforce SAML settings (as detailed in Step 6 of the Salesforce Setup Guide) so that it is an exact match for the Audience URI sent by Okta, including uppercase and lowercase letters. If in doubt about what Okta is actually sending, capture the SAMLResponse with a SAML tracer browser extension, base64-decode it, and read the `<saml:Audience>` value directly rather than trusting what is typed in either console.
- If configuring this on a sandbox, set the Entity ID to the production URL, that is, "https://mydomain.my.salesforce.com" and not "https://mydomain--mysandbox.sandbox.my.salesforce.com".
- On the Okta side, the domain field should contain only "mydomain", not "mydomain--mysandbox" or "mydomain--mysandbox.sandbox", as indicated by the help text next to that field. Any sandbox component entered there ends up in the generated Audience URI and will not match the production Entity ID.
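The following is an added diagnostic example and not part of the original article or of Okta's or Salesforce's own tooling. It takes a base64-encoded POST-binding SAMLResponse (as captured from the browser's form post), pulls every `<saml:Audience>` value out of the assertion, and compares it exactly against the Entity ID configured in Salesforce, reporting which of the two causes above applies. The sample response, the issuer value "http://www.okta.com/exk0000000000000000", and the domain "mydomain" are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample: a minimal SAMLResponse whose audience differs from the
# Salesforce Entity ID only in letter case. The issuer is a made-up placeholder.
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://MyDomain.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML.encode()).decode()

# Sandbox My Domain URLs look like https://<mydomain>--<sandbox>.sandbox.my.salesforce.com
_SANDBOX_RE = re.compile(r"https://(.+?)--[^.]+\.sandbox\.my\.salesforce\.com/?$")


def extract_audiences(saml_response_b64: str) -> List[str]:
    """Decode a POST-binding SAMLResponse and return every <saml:Audience> value.

    The HTTP-POST binding is plain base64 (no DEFLATE), so a decode is enough.
    Whitespace inside the element is stripped; letter case is preserved on purpose.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [el.text.strip() for el in root.iterfind(path, SAML_NS) if el.text]


def production_entity_id(url: str) -> str:
    """Map a sandbox My Domain URL to the production form the Entity ID must use."""
    m = _SANDBOX_RE.fullmatch(url)
    return f"https://{m.group(1)}.my.salesforce.com" if m else url


def check_audience(audiences: List[str], expected_entity_id: str) -> Optional[str]:
    """Return None when an audience matches the Salesforce Entity ID exactly.

    Otherwise return a one-line diagnosis. The exact (case-sensitive) comparison
    comes first because that is what Salesforce does; the case-insensitive and
    sandbox checks only exist to explain why the exact comparison failed.
    """
    if expected_entity_id in audiences:
        return None
    for aud in audiences:
        if aud.lower() == expected_entity_id.lower():
            return (f"case mismatch: assertion carries {aud!r}, Salesforce expects "
                    f"{expected_entity_id!r}; fix the Entity ID so the case matches")
        if _SANDBOX_RE.fullmatch(aud):
            return (f"sandbox URL used as audience: {aud!r}; the Entity ID must be the "
                    f"production URL {production_entity_id(aud)!r} and the Okta domain "
                    f"field must not contain the sandbox suffix")
    return f"no audience in {audiences!r} matches {expected_entity_id!r}"


def diagnose(saml_response_b64: str, expected_entity_id: str) -> Optional[str]:
    """Convenience wrapper: decode the response and check its audiences."""
    return check_audience(extract_audiences(saml_response_b64), expected_entity_id)


if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE_B64, "https://mydomain.my.salesforce.com"))
```

If the SAMLResponse was copied from a raw form body rather than from a tracer's decoded view, URL-decode it first (`urllib.parse.unquote`), since `+`, `/` and `=` in the base64 are percent-encoded there; do not use `unquote_plus`, which would turn literal `+` characters into spaces.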
