Authentication against Azure AD succeeds, but the configured attribute mapping does not match the claims in the assertion, so the user identifier resolves to the same value for everybody and every user is logged in as the same account.
These are the mapping values I am currently using (I have tried many combinations):
ID Property: id
First Name Property: givenname
Last Name Property: surname
email address property: emailaddress
Here is the SAML response that comes back (GUIDs and other identifiers replaced with BLAH):
<!-- NOTE(review): captured Azure AD (sts.windows.net) SAML 2.0 Response with identifiers redacted as BLAH.
     Before trusting any claim below, the relying party must: verify the Assertion signature against the
     IdP certificate it already knows (the certificate embedded in KeyInfo is supplied by the sender and
     must not be the sole trust anchor), check Issuer, check Destination and Recipient against its own
     ACS URL, match InResponseTo to an outstanding request ID (replay protection), enforce the Conditions
     time window, and check Audience against its own SP identifier. -->
<samlp:Response
Destination="https://us-api.someplace.net/v1/applications/BLAH/auth/Azure/return"
ID="_c7b55105-9121-46ec-a01e-BLAH" InResponseTo="_e1d3347c8734242cee52"
IssueInstant="2020-12-01T22:09:34.913Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/98a530c8BLAH/</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_652287a7-ae18-BLAH" IssueInstant="2020-12-01T22:09:34.908Z"
Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/98a530c8-5cb7-BLAH/</Issuer>
<!-- The Reference URI below points at the Assertion ID, so the signature covers only this Assertion
     element (enveloped-signature transform); the outer samlp:Response is unsigned. Read claims only
     from the verified Assertion. Canonicalization is exc-c14n without comments, so these review
     comments are not part of the digested content. -->
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_652287a7-ae18-BLAH">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>OxxzYasY4vQlCbWTclBFfQbCs3cRuxbTShz6mhQSEm0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>PoYC1F8g0tRNkqlfoMwRi73k0Hh7afU8+TbApBLAHWfzsKEAe5pG0/gwjgroHrGr5oCEou/pNMCoa6iKmtYfUdNetfhvvLNVZm4YY37Qbzp1bvfneJu6PMQjj+hal8VcVSwYbKUAmk+3SnDYCMqanKtFsA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDBTCCAe2gAwIBAgIQQiR8gZNKuYpH6BLAH/+dXihcHzLEfKbCPw4/Mf2ikq4gqigt5t6hcTOSxL8wpe8OKkbNCMcU0cGpX5NJoqhJBt9SjoD3VPq7qRmDHX4h4nniKUMI7awI94iGtX/vlHnAMU4+8y6sfRQDGiCIWPSyypIWfEA6/O+SsEQ7vZ/b4mXlghUmxL+o2emsCI1e9PORvm5yc9Y/htN3Ju0x6ElHnih7MJT6/YUMISuyob9/mbw8Vf49M7H2t3AE5QIYcjqTwWJcwMlq5i9XfW2QLGH7K5i8</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<!-- Persistent-format NameID: an opaque, stable per-user identifier issued by the IdP. This (or the
     objectidentifier claim below) is what should key the local account; e-mail addresses are mutable
     and can be reassigned. SubjectConfirmationData carries the InResponseTo, NotOnOrAfter and Recipient
     values the SP must check for a bearer assertion. -->
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">UxWm4yq0nyl5aSgGb6eeUU219sCJvBXVpy2qYx6JfDQ</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_e1d3347BLAH"
NotOnOrAfter="2020-12-01T23:09:34.803Z"
Recipient="https://us-api.someplace.net/v1/applications/BLAH/auth/Azure/return"/></SubjectConfirmation>
</Subject>
<!-- Validity window: 2020-12-01T22:04:34.803Z (about 5 minutes before IssueInstant) up to but not
     including 23:09:34.803Z. Both bounds must be enforced with only a small clock-skew allowance, and
     the Audience (here in the spn:<app id> form Azure AD uses) must equal the SP identifier registered
     at the IdP, otherwise the assertion must be rejected. -->
<Conditions NotBefore="2020-12-01T22:04:34.803Z" NotOnOrAfter="2020-12-01T23:09:34.803Z">
<AudienceRestriction>
<Audience>spn:870d0f1f-9a38BLAH</Audience>
</AudienceRestriction>
</Conditions>
<!-- NOTE(review): there is no attribute named "id" in this statement, and every Attribute Name is a
     full claim URI, not a bare suffix. If the SP matches its configured "ID Property: id" literally it
     finds nothing, and an empty identifier for every user is a likely explanation for everyone landing
     on the same account. The stable candidates are the objectidentifier claim (or the NameID above).
     Configure the ID property to the full claim URI unless the SP is known to match on the suffix, and
     make the SP reject an assertion whose identifier attribute is absent or empty instead of proceeding
     with a shared identity. -->
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>98a530c8-5cb7-BLAH</AttributeValue>
</Attribute>
<!-- Azure AD object ID: immutable per user within the tenant; the preferred account key. -->
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>1b0d1322-ae04-4c0dBLAH</AttributeValue>
</Attribute>
<!-- The name claim (ken@sompleace.net) and the emailaddress claim (kencurtis@someplace.com) carry
     different values here; they are not interchangeable and neither should be used as the identity key. -->
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>ken@sompleace.net</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>curtis</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>ken</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>ken curtis</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>kencurtis@someplace.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/98a530c8BLAH/</AttributeValue>
</Attribute>
<!-- Only PasswordProtectedTransport is asserted here, i.e. no MFA context. An application that
     requires MFA must check this value (and the AuthnContextClassRef below) rather than assume it. -->
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2020-12-01T22:09:32.817Z"
SessionIndex="_652287a7-ae18-4c36-9a19-140d44265e00">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>