I sort of made Azure AD's SAML2 IDP interwork with PingFederate SAML2P SP - albeit the latest version.
We don't run the latest version. We run the version that was compliant a couple of years ago - and uses the ciphersuite of a couple of years ago. We can find NO ONE (strangely) willing to pay for the upgrade (of ciphersuite) that comes with the vendor's support world. Perfectly normal... except that there is no one willing to pay for the assurance/cipher-strength
I recommend one of two fixes:
1. Enable the Azure IDP to send a signed assertion (in a response), rather than the signed response. The reason is that it's easy in Windows/DotNet to build an assertion consuming service that can process the former. It then supports the ciphersuites that Windows/DotNET supports (which is always modern...). We are happy to pay Windows support fees yearly (being a fraction of a SAML server, even for 500 instances of Windows).
2. Or, use the rsa/sha1 ciphersuite. Or at least make the latter configurable.
Remember, folks you talk to in government and industry forums don't represent main street. They represent main street ...as it should be (if you had billions of govt dollars to spend). The reality (outside govt contracting arrangements or bids) is somewhat different, paid $1 an app at a time.
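The post's two options hinge on where the XML signature sits in the SAML message (on the samlp:Response versus on the saml:Assertion inside it) and which signature algorithm (rsa-sha1 versus rsa-sha256) it uses. The following added example, which is not code from the post, from Azure AD or from PingFederate, parses a SAML Response and reports exactly those two facts so an operator can confirm what an IdP is actually sending before deciding which option to take. It only inspects structure and does not verify the signature; the sample Response it builds is constructed for the example, and the Azure AD and PingFederate products are not involved.

```python
"""Report where a SAML 2.0 Response carries its XML signature (Response
level, Assertion level, both or neither) and which algorithm each uses.
Structure inspection only: no cryptographic verification is performed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm identifiers from XML-DSIG (rsa-sha1) and RFC 4051 (rsa-sha256).
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
WEAK_ALGORITHMS = {RSA_SHA1}


def _signature_algorithm(sig):
    """Return the Algorithm attribute of ds:SignedInfo/ds:SignatureMethod."""
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else None


def inspect_signatures(response_xml):
    """Return a list of (location, algorithm) pairs; location is
    'Response' for a signature that is a direct child of samlp:Response
    and 'Assertion' for one inside a saml:Assertion."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    found = []
    for sig in root.findall("ds:Signature", NS):          # direct children only
        found.append(("Response", _signature_algorithm(sig)))
    for assertion in root.findall("saml:Assertion", NS):
        for sig in assertion.findall("ds:Signature", NS):
            found.append(("Assertion", _signature_algorithm(sig)))
    return found


def summarize(response_xml):
    """Boolean summary an operator can act on: is the Response signed, is
    the Assertion signed, and does any signature use a weak algorithm."""
    sigs = inspect_signatures(response_xml)
    return {
        "response_signed": any(loc == "Response" for loc, _ in sigs),
        "assertion_signed": any(loc == "Assertion" for loc, _ in sigs),
        "weak_algorithm": any(alg in WEAK_ALGORITHMS for _, alg in sigs),
    }


def build_sample(sign_response, sign_assertion, algorithm):
    """Constructed sample Response for demonstration (not real IdP output);
    the SignatureValue is a placeholder, not a real signature."""
    sig = (
        '<ds:Signature><ds:SignedInfo>'
        '<ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo>'
        '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
        % algorithm
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        + (sig if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>https://idp.example.invalid/</saml:Issuer>'
        + (sig if sign_assertion else "")
        + '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    # Option 1 from the post: signature on the Assertion, modern algorithm.
    print(summarize(build_sample(False, True, RSA_SHA256)))
    # Option 2 from the post: rsa-sha1 is flagged as weak.
    print(summarize(build_sample(True, False, RSA_SHA1)))
```

Run it against a real Response captured from the IdP (for instance one decoded from the SAMLResponse form field) to see whether the signature lands on the Response or the Assertion; an assertion consuming service that only understands assertion-level signatures will reject the former, which is what the post describes.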