The SP has metadata for the IdP with the wrong certificate in it or your IdP isn't using the one that's in that metadata. When two sides don't agree there's no way to know which is wrong, only that one is. -- Scott