We have a client who is using Okta as their IdP and are trying to set up SSO with our service provider. However, they are sometimes running into a situation where, if they start an IdP-initiated login, they get a "The SAML message doesn't contain an InResponseTo attribute" exception message. However, it sometimes works correctly for them. I'm not sure of the exact scenarios in which they fail vs. succeed, but they are all IdP-initiated logins.
Furthermore, if they try to do an SP-initiated login, they are redirected to Okta. After they put in their credentials, they are redirected to an Okta 404 error page, which I assume is because our SP returned with some kind of error (perhaps the same error as above). I'm not sure how to confirm the exact error they're getting, however.
For each of our PartnerIdentityProviderConfigurations we are setting the OverridePendingAuthnRequest property to true. In the past we had some scenarios where an SP-initiated SSO was supplanted by an IdP-initiated SSO, and this solved the issue. However, is this causing an issue in this case? I believe I read that if this property is set to true then the InResponseTo attribute must be set?
Any help debugging this issue would be much appreciated, thank you!
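As an added illustration, not code from the original post or from ComponentSpace, the following Python model shows how an SP typically decides whether to accept a SAML Response from its InResponseTo attribute and any pending AuthnRequest it has stored, including the case that produces the quoted exception (a pending SP-initiated request is still stored when an unsolicited Response arrives). The `override_pending` flag is an assumed model of what an option like OverridePendingAuthnRequest does, not a statement of the library's actual behaviour; the sample messages and request IDs are constructed.

```python
"""Model of SP-side InResponseTo handling for SAML 2.0 Responses (illustrative only)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class Outcome:
    accepted: bool
    flow: str                      # "sp-initiated", "idp-initiated" or "rejected"
    reason: str
    pending_after: Optional[str]   # pending AuthnRequest ID still stored after the check


def in_response_to(response_xml: str) -> Optional[str]:
    """Return the InResponseTo attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    return root.get("InResponseTo")


def check_in_response_to(response_xml: str, pending_request_id: Optional[str],
                         override_pending: bool) -> Outcome:
    """Decide how the SP treats a Response given the AuthnRequest ID it has pending.

    override_pending (assumed semantics): an unsolicited Response may replace a
    pending SP-initiated request instead of being rejected.
    """
    irt = in_response_to(response_xml)
    if irt is not None:
        # A solicited Response must answer exactly the request this SP issued;
        # anything else may be a replayed or cross-session Response.
        if pending_request_id is None or irt != pending_request_id:
            return Outcome(False, "rejected", "InResponseTo matches no pending AuthnRequest", pending_request_id)
        return Outcome(True, "sp-initiated", "InResponseTo matches the pending AuthnRequest", None)
    if pending_request_id is None:
        return Outcome(True, "idp-initiated", "unsolicited Response, nothing pending", None)
    if override_pending:
        return Outcome(True, "idp-initiated", "unsolicited Response overrides the pending AuthnRequest", None)
    return Outcome(False, "rejected", "The SAML message doesn't contain an InResponseTo attribute", pending_request_id)


# Constructed sample messages (not captured from any real deployment).
UNSOLICITED = f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0"/>'
SOLICITED = f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r2" Version="2.0" InResponseTo="_req1"/>'

if __name__ == "__main__":
    for xml, pending, override in [(UNSOLICITED, None, False), (UNSOLICITED, "_req1", False),
                                   (UNSOLICITED, "_req1", True), (SOLICITED, "_req1", False)]:
        print(check_in_response_to(xml, pending, override))
```

When debugging a case like the one above, logging the Response's InResponseTo value alongside the pending request ID the SP has stored for that browser session tells you which of these branches was taken.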