ADFS Saml 2 setup Identity Provider response is not encrypted

Hi @Brian

I would be checking that in ADFS you imported the public part of the SP SAML certificate in the encryption tab.

If you are in a cluster, check that all servers have the same config.json settings in SAML, mainly EnableEncryption, as if users hit different servers and the value is different they will not always get the error.

Also did you run the

Set-ADFSRelyingPartyTrust -TargetName -SamlResponseSignature "MessageAndAssertion"

That command sets ADFS to require encryption from the SP and ensures it is always sent back encrypted. Don’t think it is needed for it to work but worth checking.
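An added check script (not from the original post or from the ADFS/SP vendors) that audits the three points above on an ADFS server: the SP encryption certificate on the relying party trust, the SamlResponseSignature setting, and whether the SP's config.json matches across cluster nodes. The trust name, node hostnames and config.json path are placeholders you must replace.

```powershell
# Added example, not from the original thread. Run in elevated PowerShell on an ADFS server.
# $RpName, $SpNodes and $ConfigPath are assumed placeholders; substitute your own values.
param(
    [string]$RpName     = "<SP relying party trust name>",
    [string[]]$SpNodes  = @("<sp-node1>", "<sp-node2>"),
    [string]$ConfigPath = "<C:\path\to\config.json>"
)

Import-Module ADFS
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }

# 1. Encryption tab: without the SP's public encryption certificate ADFS
#    cannot encrypt the assertion, so the response goes back in clear text.
if ($rp.EncryptionCertificate) {
    "Encryption cert : $($rp.EncryptionCertificate.Subject) (expires $($rp.EncryptionCertificate.NotAfter))"
} else {
    Write-Warning "No encryption certificate on trust '$RpName'; responses will not be encrypted"
}
"EncryptClaims   : $($rp.EncryptClaims)"

# 2. Signature scope set by the Set-ADFSRelyingPartyTrust command in the post.
"SamlResponseSignature : $($rp.SamlResponseSignature)"

# 3. Cluster consistency: hash the SP's config.json on every node (assumes the
#    SP nodes are Windows hosts reachable via PowerShell remoting).
$hashes = foreach ($node in $SpNodes) {
    $h = Invoke-Command -ComputerName $node -ArgumentList $ConfigPath -ScriptBlock {
        param($p) (Get-FileHash -Path $p -Algorithm SHA256).Hash
    }
    [pscustomobject]@{ Node = $node; Sha256 = $h }
}
$hashes | Format-Table -AutoSize
if (($hashes.Sha256 | Select-Object -Unique).Count -gt 1) {
    Write-Warning "config.json differs between SP nodes; check EnableEncryption on each"
}
```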