It’s been a while since I dealt with it and I can’t really say that I recall much, but I can tell you that there was a relatively recent change to SAML configs in BF (within the last year or so) where they started enforcing that the “trusted issuer” for the specific SAML authenticator needs to match what the vendor sends back, and if they do not match it rejects the login attempt (it used to be that you could put anything and it didn’t matter because it wasn’t matching the value). I had to get one of our authentication experts, who guided me to install the SAML tracer add-on in the browser, and that allowed us to track down the response sent back from the authenticator and compare it to what the config had, to match the expected value vs. the one in reality. Also, the “trusted issuer” is vastly different depending on what kind of authenticator service you are using (I had it initially working with ADFS and then migrated to Okta, and the two were completely different). Hope this helps you.
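The comparison described in the post above, as an added example that is not part of the original post or the product's own code: it decodes a captured base64 `SAMLResponse` form value and checks the `Issuer` it carries against the configured “trusted issuer”. The sample response, both issuer strings and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a minimal, unsigned response carrying only the Issuer elements.
_SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:saml="{SAML_NS}" ID="_constructed1" Version="2.0">'
    '<saml:Issuer>http://www.okta.com/exkCONSTRUCTED</saml:Issuer>'
    '<saml:Assertion ID="_constructed2" Version="2.0">'
    '<saml:Issuer>http://www.okta.com/exkCONSTRUCTED</saml:Issuer>'
    '</saml:Assertion></samlp:Response>'
)
SAMPLE_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML.encode()).decode()


def extract_issuers(saml_response_b64):
    """Return the Issuer text at Response and Assertion level (None if absent)."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # Refuse DTDs so a pasted response cannot trigger entity expansion.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(xml_bytes)
    paths = {
        "Response": f"{{{SAML_NS}}}Issuer",
        "Assertion": f"{{{SAML_NS}}}Assertion/{{{SAML_NS}}}Issuer",
    }
    return {level: root.findtext(path) for level, path in paths.items()}


def diagnose(configured, received):
    """Classify how the configured trusted issuer differs from the received one."""
    if received is None:
        return "issuer-missing"
    if configured == received:
        return "match"
    if configured.strip() == received.strip():
        return "whitespace-only"
    if configured.strip().rstrip("/") == received.strip().rstrip("/"):
        return "trailing-slash"
    if configured.strip().lower() == received.strip().lower():
        return "case-only"
    return "different"


if __name__ == "__main__":
    configured = "http://adfs.example.test/adfs/services/trust"  # constructed config value
    for level, issuer in extract_issuers(SAMPLE_RESPONSE_B64).items():
        print(f"{level}: received={issuer!r} -> {diagnose(configured, issuer)}")
```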