Add support for multi-tenant SAML Authentication
Ivory Bovid
We would like to allow one of our clients to access Hudu (without having to add individual users as "Guests" in our M365 tenant), so I converted our SAML Application to be multi-tenant.
I am receiving two errors when logging in as a client user:
0. "Doesn't match the issuer, expected: https://sts.windows.net/<msp tenant ID>, but was: https://sts.windows.net/<client tenant ID>/"
1. "Invalid Signature on SAML Response"
0. "Doesn't match the issuer." I believe the documentation below is relevant here, as it explains the additional step that's required when validating issuers for a multi-tenant application.
1. "Invalid signature on SAML response." Unsure how to validate signatures on multi-tenant SAML responses. Perhaps the multi-tenant Federation Metadata (https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml) is needed?
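As an added illustration of the first point (this is example code, not the poster's or Hudu's), the check below shows what "validating the issuer" looks like for a multi-tenant Entra ID SAML application: instead of comparing the Issuer against one fixed string, the SP matches it against the per-tenant template `https://sts.windows.net/{tenantid}/` and then checks the extracted tenant ID against an allow-list of tenants it has agreed to trust. The tenant GUIDs, the allow-list and the minimal SAML Response are constructed for the example; it does not perform signature validation, which is the separate second problem in the post.

```ruby
require "rexml/document"

# Entra ID issues SAML assertions with a per-tenant issuer of the form
# https://sts.windows.net/{tenantid}/ . The regex captures the tenant GUID.
ISSUER_TEMPLATE = %r{\Ahttps://sts\.windows\.net/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/\z}i

SAML_NS = {
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol"
}.freeze

# Constructed tenant IDs standing in for the "<msp tenant ID>" and
# "<client tenant ID>" placeholders in the post (not real tenants).
MSP_TENANT    = "11111111-1111-1111-1111-111111111111"
CLIENT_TENANT = "22222222-2222-2222-2222-222222222222"

Result = Struct.new(:ok, :tenant_id, :reason)

# Collects every <saml:Issuer> in the document: one on the Response and one
# inside each Assertion. Both must agree, otherwise something is being spliced.
def extract_issuers(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//saml:Issuer", SAML_NS).map { |e| e.text.to_s.strip }
end

# Multi-tenant issuer validation: template match, then tenant allow-list.
def validate_issuer(xml, allowed_tenants)
  issuers = extract_issuers(xml)
  return Result.new(false, nil, "no Issuer element") if issuers.empty?
  return Result.new(false, nil, "Response and Assertion issuers differ") if issuers.uniq.size != 1

  m = ISSUER_TEMPLATE.match(issuers.first)
  return Result.new(false, nil, "issuer #{issuers.first} does not match the tenant template") unless m

  tenant = m[1].downcase
  unless allowed_tenants.map(&:downcase).include?(tenant)
    return Result.new(false, tenant, "tenant #{tenant} is not in the allow-list")
  end

  Result.new(true, tenant, nil)
end

# Constructed, unsigned, minimal SAML Response for the example. The optional
# second argument lets the Assertion claim a different tenant than the Response.
def sample_response(tenant_id, assertion_tenant_id = tenant_id)
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_example" Version="2.0">
      <saml:Issuer>https://sts.windows.net/#{tenant_id}/</saml:Issuer>
      <saml:Assertion ID="_example-assertion" Version="2.0">
        <saml:Issuer>https://sts.windows.net/#{assertion_tenant_id}/</saml:Issuer>
      </saml:Assertion>
    </samlp:Response>
  XML
end

if __FILE__ == $PROGRAM_NAME
  # The situation from the post: SP configured for the MSP tenant only.
  puts validate_issuer(sample_response(CLIENT_TENANT), [MSP_TENANT]).reason
  # After adding the client tenant to the allow-list.
  puts validate_issuer(sample_response(CLIENT_TENANT), [MSP_TENANT, CLIENT_TENANT]).ok
end
```

The allow-list is the important part: matching the template alone would accept a SAML Response issued by any Entra tenant in the world, so the SP has to keep its own record of which tenant IDs its customers actually belong to.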