What is occurring?
When configuring Azure SAML SSO for the first time, Azure may create a certificate with the wrong issuer, accounts.accesscontrol.windows.net.
What should I look for?
What the certificate looks like when misconfigured:
Decoded with: openssl x509 -in test.crt -text -noout
What the certificate should look like:
How to retrieve a correctly configured certificate?
It's not clear why or how Azure provides certificates with the Issuer set to accounts.accesscontrol.windows.net instead of Microsoft Azure Federated SSO Certificate.
The following steps have worked in the past:
Before you download the certificate, click Edit. After the SAML Signing Certificate modal appears, click X.

If the certificate continues to have the incorrect Issuer, the Enterprise App may need to be recreated, or a Microsoft Ticket may be required.
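
To confirm the Issuer after each download without reading the full openssl text dump, the check can be scripted. This is an added example, not part of the original article: the function names are hypothetical, the two issuer strings are the ones named above, and make_sample_cert only builds constructed self-signed test certificates (issuer equals subject) so the check can be tried offline.

```shell
#!/usr/bin/env bash
# Classify a SAML signing certificate by its Issuer field.
# The two issuer strings are the ones named in this article.
GOOD_ISSUER='Microsoft Azure Federated SSO Certificate'
BAD_ISSUER='accounts.accesscontrol.windows.net'

# Print the issuer line of a certificate, accepting PEM or DER encoding.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -noout -issuer 2>/dev/null
}

# check_saml_cert FILE
# Prints a verdict and returns:
#   0 = expected issuer, 1 = misconfigured issuer, 2 = unreadable or unrecognised
check_saml_cert() {
    local issuer
    issuer=$(cert_issuer "$1") || { echo "unreadable: $1"; return 2; }
    case "$issuer" in
        *"$GOOD_ISSUER"*) echo "ok: $issuer"; return 0 ;;
        *"$BAD_ISSUER"*)  echo "misconfigured: $issuer"; return 1 ;;
        *)                echo "unknown: $issuer"; return 2 ;;
    esac
}

# Constructed sample only: write a throwaway self-signed certificate to $1
# whose issuer CN is $2. Not a real Azure certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: check_saml_cert test.crt
```

A return code of 1 means the certificate still carries the accounts.accesscontrol.windows.net issuer and should be retrieved again.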