In a setting where Okta is employed as the Service Provider (SP) and OneLogin as the Identity Provider (IdP) in a custom SAML 2.0 application, the following error may be encountered:
The recipient specified in the SubjectConfirmation did not match our service provider entity id.
This error typically arises when attempting to authenticate users via SAML 2.0 in the following setup:
- Custom SAML 2.0
- Okta as Service Provider (SP)
- OneLogin as Identity Provider (IdP)
The root cause of this issue generally traces back to a misconfiguration of the EntityID URL or Recipient URL settings within Okta. Specifically, either the EntityID URL configured for the SAML 2.0 application in Okta does not match the corresponding URL in the OneLogin IdP configuration details, or the Recipient URL is not populated with the Assertion Consumer Service (ACS) URL.
- Log in to the Okta admin dashboard.
- Navigate to the specific application configuration.
- Verify the EntityID URL in the OneLogin IdP configuration details. It should match the EntityID URL configured in the custom Okta SAML 2.0 application. If not, correct it.
- Check the Recipient URL in the OneLogin IdP configuration details. It should be populated with the ACS URL from the custom Okta SAML 2.0 application. If not, update it.
- Save the changes and retry the custom SAML 2.0 authentication.
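Before touching the settings, it helps to confirm which of the two values is actually wrong in the assertion OneLogin sends. The following added check (example code, not Okta's or OneLogin's own) parses a SAML assertion and compares its SubjectConfirmation Recipient against the SP's ACS URL and its Audience against the SP's EntityID; the assertion and the URLs are constructed placeholders, and the Recipient is deliberately wrong to reproduce the mismatch described above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder SP values; substitute the EntityID and ACS URL shown in the
# Okta application configuration.
SP_ENTITY_ID = "https://sp.example.com/saml2/entity-id-PLACEHOLDER"
SP_ACS_URL = "https://sp.example.com/sso/saml2/acs-PLACEHOLDER"

# Constructed sample assertion (not a real OneLogin message). The Recipient
# deliberately points at the wrong URL to trigger the mismatch.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://wrong.example.com/sso/saml" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml2/entity-id-PLACEHOLDER</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_assertion(assertion_xml, expected_acs_url, expected_entity_id):
    """Return a list of mismatches between the assertion and the SP settings.

    An empty list means both the Recipient and the Audience agree with what
    the SP is configured to expect.
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    # Recipient lives on SubjectConfirmationData; it must equal the ACS URL.
    recipients = [
        scd.get("Recipient")
        for scd in root.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    ]
    if not recipients or any(r != expected_acs_url for r in recipients):
        problems.append(f"Recipient {recipients} does not match ACS URL {expected_acs_url}")

    # Audience must name the SP's EntityID.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain EntityID {expected_entity_id}")
    return problems
```

Running the check on the sample reports only the Recipient mismatch; once the Recipient is replaced with the ACS URL the check returns no problems, which is the state the steps above aim for.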
