As a solution, you have to indicate in the KLA configuration screen the “User-Agent to send during HTTP authentication” with one of the User-agent strings that are configured in your ADFS. You can ask it to your ADFS administrator.
Cause 3: During the Single-Sign-On authentication process, the requests to the IDP is passing through a proxy. If Extended Protection is enabled in your ADFS, some proxies can cause that ADFS rejects the credentials.
If your IDP is located in the local intranet, you may need to add the IDP’s hostname in the list of No Proxy Hosts to avoid passing through the proxy when KLA tries to authenticate against your IDP.