With Entra ID as the Identity Provider (IdP) and Okta as the Service Provider (SP), the following errors may be seen when attempting to sign into Okta:
Authenticate user via IDP FAILURE: Unable to validate incoming SAML Assertion
The digital signature in the SAML response did not validate with the Identity Provider's certificate
- Entra ID
- Single Sign-On (SSO)
- Certificate error
The IdP Signature Certificate uploaded to Okta from Entra ID is either expired or incorrect: it does not match the current, valid signing certificate that Entra ID uses, so Okta cannot validate the signature on the SAML response.
- Download the certificate from Entra ID by navigating to Microsoft Entra admin center > Applications > Enterprise applications > [Enterprise App Name] > Single sign-on > SAML Certificates > Certificate (Base64).
- Delete the certificate in the Okta Admin Console by navigating to Security > Identity Providers > select the [Name of IdP] > click Actions dropdown menu > select Configure Identity Provider > click Edit > click X in the IdP Signature Certificate section.
- Upload the new certificate downloaded from Entra ID.
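Before replacing the certificate, it helps to confirm that the mismatch is really the cause. The following added example (not code from Okta or Microsoft) compares the certificate Okta holds with the one embedded in the ds:KeyInfo of a captured SAMLResponse; it assumes the IdP embeds its signing certificate in the response, as Entra ID does, and uses constructed placeholder bytes instead of real X.509 certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 fingerprint of a certificate given either as PEM (BEGIN/END lines,
    as in the Entra 'Certificate (Base64)' download) or as the bare, possibly
    whitespace-wrapped Base64 found inside ds:X509Certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()

def signing_certs_in_response(saml_response_b64: str) -> list:
    """Certificates carried in the Signature of a Base64 SAMLResponse (the form
    value a browser posts to Okta's ACS URL)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return [el.text for el in root.iter(f"{{{DS_NS}}}X509Certificate") if el.text]

def check_signing_cert(saml_response_b64: str, okta_idp_cert_pem: str) -> dict:
    """Does the IdP Signature Certificate configured in Okta match the certificate
    the IdP signed this response with? This does not verify the XML signature;
    it only shows whether the uploaded certificate is the one Okta needs."""
    expected = cert_fingerprint(okta_idp_cert_pem)
    found = [cert_fingerprint(c) for c in signing_certs_in_response(saml_response_b64)]
    return {"okta_sha256": expected, "response_sha256": found, "match": expected in found}

# Constructed sample data: placeholder bytes, not real X.509 DER.
OLD_CERT_B64 = base64.b64encode(b"constructed placeholder: expired Entra ID cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed placeholder: current Entra ID cert").decode()

def as_pem(b64: str) -> str:
    """Wrap bare Base64 the way the Entra download is formatted (64-char lines)."""
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"

def constructed_response(cert_b64: str) -> str:
    """Minimal Response whose Signature carries cert_b64, Base64-encoded for POST."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
           f'<ds:Signature xmlns:ds="{DS_NS}"><ds:KeyInfo><ds:X509Data>'
           f'<ds:X509Certificate>\n{cert_b64}\n</ds:X509Certificate>'
           '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Okta still holds the old cert while Entra signs with the new one: mismatch.
    print(check_signing_cert(constructed_response(NEW_CERT_B64), as_pem(OLD_CERT_B64)))
    # After the new cert is uploaded the fingerprints agree.
    print(check_signing_cert(constructed_response(NEW_CERT_B64), as_pem(NEW_CERT_B64)))
```

A `match` of `False` with the fingerprint of the downloaded Entra certificate present in `response_sha256` confirms the stale-upload cause; if the response carries a certificate that matches neither, the Entra application is signing with a certificate other than the one you downloaded.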
