In fact, the SAML authentication is setting a random value in the “RelayState” HTTP parameter and in a cookie before the call to the IdP-initiated login.
Then, during the callback, SonarQube expects to receive this value in the “RelayState” HTTP response, and check that the value is the same than the one in the cookie.
When using Okta, there seems to be no “RelayState” HTTP response during the callback.