the documentation for SAML delegated authentication provides configuration parameters examples for keycloack, while this community guide provides the same for Okta.
You may extrapolate from them.
The access.log line you shared may not be the one for the refused request, can you make sure about it (by matching the time info)?
And of course, when you redact logs or parameters, please use something like ‘sonarqube.mycompany.com’ for SonarQube URLs, and like ‘idp.mycompany.com’ for IDP related addresses, otherwise it all gets a little confusing…
Best.
Sylvain