Issue with SAML/SSO Authentication on Netscaler

Article ID: CTX225569
Description

SAML is set up between Okta (the IdP) and a NetScaler. IdP-initiated authentication works the first time, but on the second attempt the process fails with an "HTTP/1.1 Object Not Found" error on the authentication page.

Resolution

The following configuration can be used to resolve the issue:

>add lb vserver test_lb SSL 1.1.1.1 443 -authentication ON -authenticationHost csug.company.com -authnVsName <name-of-auth-vserver>
>add cs action cslb -targetVserver test_lb
>add cs policy cslb -rule true -action cslb
>bind cs vserver <> -policy cslb -pri 10

We verified this on the real environment and found that the function now works as expected. The underlying issue remains under analysis and will be reviewed from a design standpoint in a major release.

Upgrade to the following version:
https://www.citrix.com/downloads/netscaler-adc/firmware/release-120-build-5313.html

Problem Cause

Based on the log messages and extensive troubleshooting, the case was escalated to the development team. Their analysis:

Gateway/AAA servers do not expect protocol requests on an existing session, which is why the 404 is returned. One way to avoid this is a small configuration change: instead of sending traffic from the CS vserver directly to the AAA vserver, send it to an LB vserver. Currently there is no LB vserver behind the CS vserver; add one and direct the traffic to it. The LB vserver should have authentication enabled and point to the AAA vserver (the existing AAA vserver can be reused). This avoids the 404.
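As an added example (not part of the article or a Citrix tool), the script below reads an ns.conf-style excerpt and flags CS actions that route straight to an AAA vserver, or to an LB vserver without -authentication ON, i.e. the layout the analysis above says produces the 404. The excerpt and vserver names are constructed for illustration.

```python
import shlex

# Constructed ns.conf excerpt: direct_to_aaa shows the pattern the article
# says fails on the second IdP-initiated login; via_lb is the recommended shape.
SAMPLE_NS_CONF = """
add authentication vserver auth_vs SSL 10.0.0.5 443
add lb vserver test_lb SSL 1.1.1.1 443 -authentication ON -authenticationHost csug.company.com -authnVsName auth_vs
add lb vserver plain_lb HTTP 1.1.1.2 80
add cs action direct_to_aaa -targetVserver auth_vs
add cs action via_lb -targetLBVserver test_lb
add cs action via_plain_lb -targetLBVserver plain_lb
"""

def _flags(tokens):
    """Map '-name value' pairs to a dict with lowercased keys (NS CLI is case-insensitive)."""
    out = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-") and i + 1 < len(tokens):
            out[tok[1:].lower()] = tokens[i + 1]
    return out

def audit_cs_targets(conf_text):
    """Return (cs_action_name, reason) for every CS action that bypasses an auth-enabled LB vserver."""
    aaa, lb, findings = set(), {}, []
    lines = [shlex.split(line) for line in conf_text.splitlines()]
    # First pass: collect AAA vservers and LB vservers with their flags.
    for tokens in lines:
        if tokens[:3] == ["add", "authentication", "vserver"]:
            aaa.add(tokens[3])
        elif tokens[:3] == ["add", "lb", "vserver"]:
            lb[tokens[3]] = _flags(tokens[4:])
    # Second pass: inspect where each CS action sends traffic.
    for tokens in lines:
        if tokens[:3] != ["add", "cs", "action"]:
            continue
        name, flags = tokens[3], _flags(tokens[4:])
        target = flags.get("targetvserver") or flags.get("targetlbvserver")
        if target in aaa:
            findings.append((name, "targets AAA vserver %s directly" % target))
        elif target in lb and lb[target].get("authentication", "OFF").upper() != "ON":
            findings.append((name, "LB vserver %s has authentication OFF" % target))
    return findings

if __name__ == "__main__":
    for action, reason in audit_cs_targets(SAMPLE_NS_CONF):
        print("%s: %s" % (action, reason))
```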