Unable to Access Tenant via IdP - Error "400: Bad Request GENERAL_NONSUCCESS error."
Single Sign-On
Okta Classic Engine
Overview

When a user authenticates via Security Assertion Markup Language (SAML), Single Sign-On (SSO) may fail with an error like this:

400: Bad Request GENERAL_NONSUCCESS

 

Error Message

 

In the system logs, the following is seen in the event:

ErrorMessage: The recipient specified in the SubjectConfirmation did not match our service provider entity id.

This message usually indicates an entity ID mismatch. In this case, however, it is the Assertion Consumer Service (ACS) URL that is mismatched, due to an internal error.

Applies To
  • Single Sign On (SSO) 
  • Super User
  • Subdomain
  • Security Assertion Markup Language (SAML)
Cause

The subdomain in the Super User has capital letters. By design, it should not be possible to save the subdomain that way, but there are cases where it occurs.

Solution

The Assertion Consumer Service (ACS) URL must be updated on the Identity Provider (IdP) end to match the ACS URL that is provided within the SAML IdP configuration in Okta. However, the domain portion of the URL should be replaced with the domain obtained from the Super User.

Here is a step-by-step process:

  1. Navigate to the Okta Admin Dashboard, proceed to Identity Providers, and select the desired provider. Here, note the ACS URL. It might look something like this: https://test_domain.okta.com/sso/saml2/<IDPid>

  2. Note the domain from the Super User. For example, it could be: TesT_Domain.

  3. Now, replace the domain part of the ACS URL with the Super User's domain. The updated ACS URL will look like this: https://TesT_Domain.okta.com/sso/saml2/<IDPid>.

  4. This updated ACS URL should be configured on the IdP side to ensure seamless SAML communication.
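
The check behind the steps above, as an added example that is not Okta's code: it rebuilds the ACS URL from the Super User subdomain and classifies the Recipient found in a captured SAMLResponse, so a case-only difference in the host can be told apart from a different URL. The exact-string comparison, the function names, the `EXAMPLE_IDP_ID` placeholder and the sample response are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal, unsigned SAMLResponse as the IdP would POST it.
# EXAMPLE_IDP_ID is a placeholder standing in for <IDPid>.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData '
    'Recipient="https://test_domain.okta.com/sso/saml2/EXAMPLE_IDP_ID"/>'
    '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())


def rebuild_acs_url(acs_url, super_user_subdomain):
    """Steps 1-3: replace the first host label with the Super User subdomain, case kept."""
    parts = urlsplit(acs_url)
    _, _, rest = parts.netloc.partition(".")
    return urlunsplit(parts._replace(netloc=f"{super_user_subdomain}.{rest}"))


def recipients(saml_response_b64):
    """Every SubjectConfirmationData Recipient in a captured base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = root.iterfind(".//saml:SubjectConfirmationData", NS)
    return [e.get("Recipient") for e in found if e.get("Recipient")]


def diagnose(recipient, expected_acs):
    """Classify a Recipient against the expected ACS URL.
    Assumption: the service provider compares the two as exact strings."""
    if recipient == expected_acs:
        return "match"
    r, e = urlsplit(recipient), urlsplit(expected_acs)
    same_rest = (r.scheme, r.path) == (e.scheme, e.path)
    if same_rest and r.netloc.lower() == e.netloc.lower():
        return "host-case-mismatch"  # the situation this article describes
    return "different-url"


if __name__ == "__main__":
    expected = rebuild_acs_url(
        "https://test_domain.okta.com/sso/saml2/EXAMPLE_IDP_ID", "TesT_Domain")
    for rcpt in recipients(SAMPLE_B64):
        print(rcpt, "->", diagnose(rcpt, expected))
```

Run it only against a SAMLResponse captured from your own sign-in flow, for example with a browser SAML tracer.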
