Users of a configured Security Assertion Markup Language (SAML) application are reporting an issue where, after authenticating, they are not sent back to the application. Instead, they are redirected to https://{OktaOrg}/app/UserHome, followed by an error redirect to:
/error/400_SAML?stateToken
- Security Assertion Markup Language (SAML)
- Single Sign-On (SSO)
- Okta Identity Engine (OIE)
An incorrectly configured ACS URL can cause this issue.
Review the Application Integration Wizard SAML field reference and confirm that the Assertion Consumer Service (ACS) URL configured for the Service Provider (SP) is valid. If the flow is SP-initiated, every ACS URL the SP sends in its SAML request to Okta must also have been added to the application's Single Sign-On URL or to its list of Other Requestable SSO URLs; a requested ACS URL that Okta does not recognize is rejected, which produces the redirect described above.
Alternatively, consider enabling Signed Requests to validate all SAML requests using the SP's Signature Certificate. In this configuration, the payload from the SAML request is validated, and Okta dynamically reads any SSO URLs from the request.
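The following added example (not Okta's code, and not part of the original article) reproduces the IdP-side decision that the two resolution steps above describe: it decodes a constructed SP-initiated AuthnRequest in the HTTP-Redirect binding, pulls out the requested ACS URL, and checks it against a hypothetical application configuration consisting of a Single Sign-On URL and an Other Requestable SSO URLs list. All URLs, the configuration dictionary and the AuthnRequest contents are made up for the example. When the requested URL matches none of the configured ones, the helper reports which URL components differ, which is usually what a troubleshooter wants to see (a trailing slash or an http/https mismatch is enough to fail the match).

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed stand-in for the app's SAML settings on the IdP side
# (hypothetical values, not from the article): the Single Sign-On URL
# plus the "Other Requestable SSO URLs" list.
APP_CONFIG = {
    "single_sign_on_url": "https://app.example.com/saml/acs",
    "other_requestable_sso_urls": ["https://app-eu.example.com/saml/acs"],
}


def allowed_acs_urls(config):
    """All ACS URLs the IdP will honour for this application."""
    return {config["single_sign_on_url"], *config["other_requestable_sso_urls"]}


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_binding(saml_request_param):
    """Inverse of encode_redirect_binding; returns the parsed root element."""
    return ET.fromstring(zlib.decompress(base64.b64decode(saml_request_param), -15))


def requested_acs_url(root):
    """AssertionConsumerServiceURL from a samlp:AuthnRequest, or None if omitted."""
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def describe_mismatch(requested, allowed):
    """Human-readable reasons why `requested` matched none of `allowed`."""
    req = urlparse(requested)
    reasons = []
    for candidate in sorted(allowed):
        cand = urlparse(candidate)
        diffs = [name for name, a, b in (("scheme", req.scheme, cand.scheme),
                                         ("host", req.netloc, cand.netloc),
                                         ("path", req.path, cand.path),
                                         ("query", req.query, cand.query)) if a != b]
        reasons.append(f"{candidate}: differs in {', '.join(diffs)}")
    return reasons


def check_acs_url(saml_request_param, config):
    """Mirror the IdP-side decision for an SP-initiated request.

    Returns (accepted, acs_url_used, reasons). Matching is exact: scheme, host,
    path, trailing slash and query all count, which is why a copy-pasted ACS
    URL with one stray character fails."""
    requested = requested_acs_url(decode_redirect_binding(saml_request_param))
    allowed = allowed_acs_urls(config)
    if requested is None:
        # No ACS URL in the request: the configured Single Sign-On URL is used.
        return True, config["single_sign_on_url"], []
    if requested in allowed:
        return True, requested, []
    return False, None, describe_mismatch(requested, allowed)


def _authn_request(acs_url=None):
    """Build a minimal constructed AuthnRequest (sample data for this example)."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z"{acs_attr}>'
        '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        'https://app.example.com/saml/metadata</saml:Issuer></samlp:AuthnRequest>'
    )


# Three constructed requests: an exact match, an ACS URL with a trailing
# slash that the IdP does not know, and a request that omits the attribute.
GOOD_REQUEST = encode_redirect_binding(_authn_request("https://app.example.com/saml/acs"))
BAD_REQUEST = encode_redirect_binding(_authn_request("https://app.example.com/saml/acs/"))
DEFAULT_REQUEST = encode_redirect_binding(_authn_request())

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST), ("default", DEFAULT_REQUEST)):
        accepted, used, reasons = check_acs_url(req, APP_CONFIG)
        print(label, accepted, used, reasons)
```

The same decode step is useful when checking a real SP-initiated flow: take the SAMLRequest query parameter from the browser's redirect to Okta, decode it as above, and compare the AssertionConsumerServiceURL value character for character against the application's SAML settings. Enabling Signed Requests changes the first half of this check (the request signature is verified against the SP's certificate before its SSO URL is trusted) but not the requirement that the SP send a well-formed ACS URL.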
