Unable to authenticate with SAML in Azure AD

I have setup the enterprise application in Azure AD for SAML authentication, and configured the Enrollment server, the enrollment service user, the nla user, and the SAML connection in the RAS console. Everything seems to check out, but when my user tries to authenticate to the Secure Gateway, I get the following error, and get returned to the Secure Gateway login page.
"Logon using SAML failed. Error: Failed to validate and decrypt the response. (0X00000009)"
I'm sure I am missing something simple, but I have been banging my head against this for a while now and seem to be stuck. If anyone has seen this before and can point me in the right direction I'd appreciate it.

 

Ok, figured out my own problem. I used the app federation metadata url to import the configuration for the IdP in the RAS console. It did not import the certificate correctly, so I went back and exported the certificate from Azure AD for the SAML enterprise app I created, and then imported that into the SAML connection in RAS, and now it works.