This seems to be a popular error of late. I have tracing enabled, so I can send along that log in it's entirety if it'll be helpful. It looks like the values of metadata entityID matches the saml.config name property, which matches the value of Issuer in the response, so ... I'm stumped. I've used this same code in a half-dozen or more SAML integrations without issue, but I'm really stuck this time around.
iDP metadata (anonymized)<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://login-test.cc.example.org/idp/shibboleth">
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">example.org</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
<!-- removed -->
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://login-test.cc.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login-test.cc.example.org/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>
</EntityDescriptor>
My saml.config file - I've verified that this is the file being read (based on messages in the trace file):
<?xml version="1.0" encoding="utf-8"?>
xmlns="urn:componentspace:SAML:2.0:configuration">
<ServiceProvider
AssertionConsumerServiceUrl="~/SAML2/AssertionService"/>
<PartnerIdentityProvider
SignAuthnRequest="false"
PartnerCertificateFile="C:\InVision\config\system\idp_sso_cert.crt"
WantSAMLResponseSigned="true"
WantAssertionSigned="false"
WantAssertionEncrypted="false"
UseEmbeddedCertificate="false"
SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
</SAMLConfiguration>
The response from the idP looks like this (in part - I've trimmed signatures, and most of the assertion out)
ID="_f4fa858382d868a92357cd2894bd194f"
InResponseTo="_3a733731-7104-4b94-9c99-3992a41bd45f"
IssueInstant="2019-02-01T19:12:24.427Z"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">