I am working through this tutorial, trying to get SAML SSO to work.
I am using Azure AD as the identity provider, and I have a local instance of AEM 6.4 running on my machine. To expose it to the internet, I am using a tool called ngrok.
I have also followed the instructions here to configure the SAML logger.
When I attempt to log in, the logger reports these errors:
com.adobe.granite.auth.saml.util.SamlReader Signature verification failed. No signature.
com.adobe.granite.auth.saml.model.Assertion Invalid Assertion: audienceRestrictions violated.
com.adobe.granite.auth.saml.SamlAuthenticationHandler Login failed. SAML token invalid.
com.adobe.granite.auth.saml.SamlAuthenticationHandler SAML error with reason: invalid_token detected, redirect user to: /libs/granite/core/content/login.error.html?j_reason=invalid_token
Here's how the app is configured in Azure:


Here is how it is set up in AEM:


Here's my Global Trust Store:

Here's what it looks like when I try to log in with Azure:

What am I missing?
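
An added diagnostic example (not part of the original post, and not AEM or Azure AD code): it decodes a captured `SAMLResponse` form value and reports the two conditions the log lines above name, whether a `ds:Signature` element is present and which `Audience` values the assertion carries. The function name, the sample XML and the URLs are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not from the post): an unsigned response whose
# audience differs from the entity ID the service provider expects.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://idp-configured.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(b64_response, expected_audience):
    """Report signature placement and audiences of a captured SAML response.

    This only checks that elements are present; it does not verify any
    signature. Use it on responses captured from your own IdP.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response: %s" % root.tag)
    assertion = root.find("saml:Assertion", NS)
    audiences = [
        a.text.strip()
        for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    return {
        # Direct children only, so the two signature placements stay distinct.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None
        and assertion.find("ds:Signature", NS) is not None,
        # An encrypted assertion hides its audiences until it is decrypted.
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "audiences": audiences,
        "audience_matches": expected_audience in audiences,
    }


if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_B64, "https://sp.example.test"))
```

The audience comparison is an exact string match, so a trailing slash or a different scheme between the two sides counts as a mismatch.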