Adobe Experience Manager Sites & More

Hi,

We have few gated applications with the saml authentication and Okta as IDP platform.

On Okta, we have created a certificate for one gated application and uploaded to AEM. All the functionalities are working as expected  for that gated application.

Whenever trying to login to the other gated applications, it is redirecting us to the /error/404.html

Looks like one certificate will work for only one application. We can create multiple certificates on Okta, but On AEM we are unable to upload more than one certificate. If we try to upload new certificates it overrides the old one and gives us the new cert_alias name.

How can we upload multiple certificates to the publisher?

Also, we are seeing the below error in the saml.log

We are seeing the below error in saml.log
01.12.2021 10:56:44.366 *INFO* [qtp2145671214-11099] com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token

Solutions tried/ observations :

1. serviceProviderEntityId and audience value returned are same

2. /libs/granite/csrf/token.json - returns null after login 
      a. Dispatcher rules are verified and looks good

3. login-token is not generated after login 

4. Apache Sling Referrer Filter - allowed IDP host and methods

Any pointers would be appreciated.