Hi Michael Sullivan ,
I'm not sure if you had a chance to review my previous comment, but I had a discussion with the product team and learned that the error AADSTS76026 is mapped to the exception code
RequestIssueTimeExpired, which suggests the IssueTime in a request is expired.
In your case, the failure happened at PerformSignatureValidation: the SAML IssueInstant was more than 10 minutes. You received the following error:
1:Expired grant blob key use detected.66:Signature verification failed: too old request, valid to 01/27/2023 14:11:32
It's possible that you have signature verification enforced or need to verify that the public certificate of the settings that you have register for the IdP is the right value. If this error still does not make sense, I would recommend a Fiddler trace covering the full flow to better understand how the signature time in their auth request gets so old. Sometimes this is caused by clock skew issues.
Let me know if this helps and feel free to share any fiddler traces you are able to collect. I'm also happy to discuss this over email if you prefer.
If the information helped you, please Accept the answer. This will help us as well as others in the community who might also be researching this error.