I have the same case for my client. We are using SAML 3.1 with MX 9.x. The new policy about metadata is leading to a lot of issues. It sounds like it is better to either correct the IdP response or fix the workflow in the Java MX validators for this SSO. The SSO module should be well tested before release, IMHO.
This is because they use the strict policy now in the new modules. Unfortunately, you cannot select the other policies yet because they have not yet been implemented.
Double check your SAML logs and check the Issuer and, in the response message, the AudienceRestriction. They should match. There was an issue with IdP Okta that added an extra slash at the end, which made the issuer different from the AudienceRestriction. But that has been fixed on the Mendix side by some changes in the Java code. So I do wonder which IdP you are using and what those values are in your case. You might want to create a support ticket for this if you cannot resolve it yourself.
[EDIT] I now see you use Okta. Are you sure you are using the latest SAML releases?
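
The Issuer/AudienceRestriction comparison described in the answer above, as an added example that is not part of the original posts and is not the Mendix SAML module's code. It assumes the Issuer in question is the SP entity ID the app sends in its AuthnRequest; the sample response, the `example.test` URLs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response as it might be copied from a SAML log
# (signature and most elements omitted; not from a real IdP).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/app/abc</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://myapp.example.test/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def audiences(response_xml):
    """Return the raw text of every Audience under an AudienceRestriction."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [el.text or "" for el in root.iterfind(path, NS)]


def _loose(value):
    # Normalisation used only to explain a mismatch, never to accept one.
    return value.strip().rstrip("/").lower()


def check_audience(response_xml, sp_entity_id):
    """Classify the exact-match comparison a strict policy performs.

    Verdicts: "match", "trailing-slash", "case-or-space", "mismatch",
    or "missing" (no readable Audience, e.g. the assertion is encrypted).
    """
    found = audiences(response_xml)
    if not found:
        return "missing", found
    if sp_entity_id in found:
        return "match", found
    if any(a.rstrip("/") == sp_entity_id.rstrip("/") for a in found):
        return "trailing-slash", found
    if any(_loose(a) == _loose(sp_entity_id) for a in found):
        return "case-or-space", found
    return "mismatch", found
```

A "trailing-slash" or "case-or-space" verdict means the two values have to be made identical in the IdP or SP configuration; the strict comparison itself should stay exact.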