Horizon Client authentication failure

Got a good tip from the guy working the ticket with me from F5. I get an expected cert behavior now since I put the trusted CAs and intermediate CAs all in one bundle (never had to do that before - but then again I've never used horizon's client through an F5 either). Now I get prompted for my cert and enter my PIN - and now I'm failing at the SAML level. The error from the client says: "SAML Authenticator disabled/removed. Please contact your Administrator for help." When I look at the log from the connection server (which is the SP), I see that it has submitted authentication to the IdP (F5), the F5 then sends back an assertion to the SP where I start to see errors like: "Could not match with any enabled SAML authenticator for the given issuer in the assertion" and "SAML access denied because of invalid assertion/artifact" and "Enabled SAML Authenticator's Issuer/entityId not matched with SAML Artifact /Assertion." Any ideas?