When setting up SSO/SAML, a test login as a user via SSO fails. The SAML response may show an error like the following (this particular error comes from ForgeRock):
Caused by: javax.xml.crypto.MarshalException: It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 when secure validation is enabled
Inspecting what is being sent to the IdP shows the following (note the ds:SignatureMethod algorithm, rsa-sha1, which is the algorithm named in the error):
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://[awi-rul]/awi/</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="[URI]">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>[digest value]</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>
The IdP may have a setting along the lines of "enable client signature required". To fix the issue, this may need to be turned off; an IdP administrator will need to be consulted to locate such a setting.
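To repeat the inspection step above against a captured SAMLRequest or SAMLResponse parameter, here is an added Python example (not part of this article, nor ForgeRock's or the SP's code): it decodes the parameter, reads the ds:SignatureMethod and ds:DigestMethod URIs, and reports which of them a secure-validation verifier refuses. The sample request, its placeholder values and the set of refused algorithms are constructed assumptions; only rsa-sha1 comes from the error above.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# SHA-1 based URIs treated here as rejected under secure validation. Only rsa-sha1 appears
# in the error above; extend this (assumed) list to match the IdP's real policy.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}

def decode_saml_param(value: str) -> str:
    """Recover XML from a SAMLRequest/SAMLResponse parameter: base64 over raw DEFLATE
    (HTTP-Redirect binding) or plain base64 (HTTP-POST binding)."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")  # wbits -15: raw DEFLATE, no header
    except zlib.error:
        return raw.decode("utf-8")

def encode_saml_redirect_param(xml_text: str) -> str:
    """Build an HTTP-Redirect binding parameter from XML (inverse of decode_saml_param)."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(deflater.compress(xml_text.encode()) + deflater.flush()).decode()

def check_signature_algorithms(xml_text: str) -> dict:
    """Report ds:SignatureMethod/ds:DigestMethod URIs and which ones secure validation refuses."""
    root = ET.fromstring(xml_text)  # parse captured, trusted messages only
    sig = root.find(f".//{{{DS_NS}}}SignatureMethod")
    sig_alg = sig.get("Algorithm") if sig is not None else None
    digest_algs = [d.get("Algorithm") for d in root.iter(f"{{{DS_NS}}}DigestMethod")]
    rejected = sorted(a for a in [sig_alg, *digest_algs] if a in WEAK_ALGORITHMS)
    return {"signature_method": sig_alg, "digest_methods": digest_algs, "rejected": rejected}

# Constructed sample mirroring the failing request above (placeholder digest/signature values).
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""
```

Running check_signature_algorithms on the sample reports rsa-sha1 as the signature method and flags it as rejected, while the sha256 digest passes; a message re-signed with a SHA-256 signature method produces an empty rejected list.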