End users encounter the following error message when attempting to authenticate to Google Workspace applications (for example, Gmail, Calendar) via an SP-initiated Security Assertion Markup Language (SAML) flow with Okta as the Identity Provider (IdP).
The requested URL /a/cpanel/[domain]/a.….was not found on this server. That’s all we know.
- Google Workspace
- Single Sign-On (SSO)
- Security Assertion Markup Language (SAML)
- Service Provider (SP)-initiated authentication flow
- Okta Classic Engine
- Okta Identity Engine (OIE)
- Missing RPID Value in Okta: The RPID (Relying Party Identifier) is required in Okta when using the new third-party SSO profile in Google Workspace. If the correct SSO profile is assigned to an Organizational Unit (OU), but the RPID value is not set in Okta, the SAML response is sent to an incorrect endpoint, resulting in a 404 error.
- Legacy SSO Profile Configuration: Google Workspace utilizes /a/[domain]/services paths for authentication flows. If the Legacy SSO profile option is enabled but not properly configured, authentication attempts may be directed to an endpoint that is no longer valid for users, leading to authentication failures.
To ensure both SP-initiated and IdP-initiated SSO flows function correctly for users, the RPID value must be configured in Okta. This allows Google to properly route authentication requests to the correct endpoint.
To extract the RPID value from Google Workspace, please follow the steps below:
- In the admin console, go to Security > Authentication > SSO with third-party IdP.
- Under the Third-party SSO profiles section, select the new profile created for Okta SAML.
- The RPID value appears at the end of the SP's Entity ID or ACS URL.
NOTE: Super admins in Google Workspace cannot authenticate via Okta SSO unless the Legacy SSO profile option is enabled. Unlike standard users, super admins do not use the RPID value for routing, meaning their SAML assertion must be directed through the legacy SSO profile to reach the appropriate endpoint.
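To confirm which endpoint a failing sign-in is actually posted to, the check below decodes a captured SAMLResponse form value and compares its Destination with the RPID copied from the SSO profile. It is an added example, not Okta or Google code. It assumes the profile ACS URL has the form https://accounts.google.com/samlrp/acs?rpid=<RPID> and that legacy endpoints sit under /a/[domain]/; the RPID, domain and sample responses are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs
from xml.sax.saxutils import quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def rpid_from_url(url):
    """Return the rpid query value from an Entity ID or ACS URL, else None."""
    values = parse_qs(urlsplit(url).query).get("rpid")
    return values[0] if values else None

def check_destination(saml_response_b64, expected_rpid):
    """Classify where a base64 SAMLResponse form value is being posted."""
    xml = base64.b64decode(saml_response_b64)
    # Refuse DTDs before parsing: a SAML message never needs one.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD content is not allowed in a SAML message")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    dest = root.get("Destination", "")
    # Assumed legacy form: https://www.google.com/a/<domain>/acs
    if urlsplit(dest).path.startswith("/a/"):
        return "legacy-profile-endpoint", dest
    rpid = rpid_from_url(dest)
    if rpid is None:
        return "rpid-missing", dest
    if rpid != expected_rpid:
        return "rpid-mismatch", dest
    return "ok", dest

def make_sample(destination):
    """Constructed, unsigned Response carrying only what the check reads."""
    doc = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_constructed" '
           f'Version="2.0" Destination={quoteattr(destination)}/>')
    return base64.b64encode(doc.encode()).decode()

if __name__ == "__main__":
    # Constructed ACS URL as it would be copied from the SSO profile.
    rpid = rpid_from_url("https://accounts.google.com/samlrp/acs?rpid=0constructed123")
    for d in ("https://accounts.google.com/samlrp/acs?rpid=0constructed123",
              "https://accounts.google.com/samlrp/acs",
              "https://www.google.com/a/example.com/acs"):
        print(check_destination(make_sample(d), rpid))
```

A legacy-profile-endpoint result is expected for super admins, per the note above; for a standard user in an OU assigned the new profile, it points to the RPID not being set in Okta.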
