Hi,
I have Keycloak 3.2.1 set up to act as an SP and Okta as a SAML IdP. I am trying to
initiate login from Okta. After the initial user registration, Keycloak seems to fail
while validating the signature on one of the SAML Responses. The error in the browser is
invalidFederatedIdentityActionMessage and the stack trace is below.
20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document
    at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
    at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
The X509 certificate is the same on both ends. Am I missing a configuration setting
somewhere else? Any help would be appreciated. Some googling brings up some old bugs, but I
believe they are all fixed in 3.2.1.
Thanks
Drew Weirshousky
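Added diagnostic example (not from the original post, and not Keycloak or Okta code): before changing keys or settings when the SP reports "Invalid signature on document", it helps to look at what the IdP actually signed. The script below parses a SAML Response (the base64-decoded SAMLResponse POST parameter) and reports, for every ds:Signature it finds, which element the signature envelops (Response or Assertion), whether the Reference URI points at that element's ID, the signature and canonicalization algorithms, and the SHA-256 fingerprint of the certificate embedded in KeyInfo, which can be compared with the certificate configured on the SP side. The sample response, its issuer, and the certificate bytes are constructed placeholders; the sample has a signed Assertion inside an unsigned Response, one of the combinations an SP that expects a document-level signature will reject.

```python
"""Diagnose where a SAML Response is signed and by which certificate (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # fine for your own captures; use defusedxml on untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint_sha256(b64_der: str) -> str:
    """Colon-separated SHA-256 of the DER certificate, the form most admin UIs display."""
    der = base64.b64decode("".join(b64_der.split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def signature_report(xml_text: str) -> list:
    """One dict per ds:Signature found anywhere in the document."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        signed = parent_of[sig]  # enveloped signature: the parent is the element it covers
        signed_id = signed.get("ID")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        ref_uri = ref.get("URI") if ref is not None else None
        sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        findings.append({
            "signed_element": signed.tag.split("}")[-1],
            "signed_id": signed_id,
            "reference_uri": ref_uri,
            # A Reference that does not point at the enclosing element's ID means the
            # verifier digests a different node than the one the signature was made over.
            "reference_matches_id": ref_uri == "#%s" % signed_id,
            "signature_algorithm": sig_alg.get("Algorithm") if sig_alg is not None else None,
            "c14n_algorithm": c14n.get("Algorithm") if c14n is not None else None,
            "cert_sha256": cert_fingerprint_sha256(cert.text) if cert is not None and cert.text else None,
        })
    return findings


def signed_elements(xml_text: str) -> set:
    """Which pieces carry a signature, e.g. {'Assertion'} or {'Response', 'Assertion'}."""
    return {f["signed_element"] for f in signature_report(xml_text)}


def cert_matches(xml_text: str, expected_fingerprint: str) -> bool:
    """True only if every certificate embedded in a signature matches the SP's configured one."""
    fps = [f["cert_sha256"] for f in signature_report(xml_text)]
    return bool(fps) and all(fp == expected_fingerprint.upper() for fp in fps)


# Constructed placeholder: NOT a real certificate, just bytes so the fingerprint code runs.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()

# Constructed SAML Response: the Assertion is signed, the Response element itself is not.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>http://idp.example.test/constructed</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>http://idp.example.test/constructed</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_assert1">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>__CERT__</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""".replace("__CERT__", SAMPLE_CERT_B64)


if __name__ == "__main__":
    for finding in signature_report(SAMPLE_RESPONSE):
        for key, value in finding.items():
            print("%-22s %s" % (key, value))
    print("signed elements:", signed_elements(SAMPLE_RESPONSE))
```

Run it against a real capture by replacing SAMPLE_RESPONSE with the decoded SAMLResponse from the browser's POST. If the only signature sits on the Assertion while the SP is configured to require a signature on the Response (or the other way round), or if the embedded certificate's fingerprint differs from the one pasted into the SP configuration, the verifier will fail exactly as in the trace above even though "the same certificate" was uploaded on both ends.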