RonC.08242 (Customer) asked a question.
Basic setup for logins in our environment passes from Google (Workspace) to Okta.
(user tries to login to google service, login flow passes to okta, and for google workspace applications, the user session/experience returns back)
When trying to use other applications, though, a user will try to setup the account for something like Thunderbird, or Gnome... which will detect that an account is a google endpoint, and sends the login screen to google, google forwards over to okta, okta gives a 404 message, with the option to "go to homepage".
Looks like I *may* be having this problem (others have had similar issues): https://support.okta.com/help/s/question/0D54z00007JUq3iCAD/using-okta-with-thunderbird?language=en_US
Seems like a non-optimal solution, though.
Hints/Documentation on how to get this kind of thing working correctly?
Answering my own question, we had set up the Google workspace application (in Okta) several times, and when copying settings from one iteration to another, a change was missed.
Specifically, in the google admin control panel for the workspace, under "Security > Authentication > SSO with third-party IDP", the "SIgn in page URL" was still using an older string.
It was missed on visual inspections because both the old, and new, strings had 'app/google/exk ... 696/sso/saml' as the leading and trailing characters.
Once the URL was updated, Thunderbird started working correctly, Gnome's "Online Accounts" stated working correctly, MacOS "Internet Accounts" started working correctly, a number of intermittent problems our users were seeing could all be tracked back to that one setting.
Related document for reference: https://support.okta.com/help/s/article/Receiving-404-error-when-attempting-to-sign-into-application?language=en_US