We're trying to set up Spring Security with the SAML bit as an SP. We're going against a Novell Access Manager IDP. We think everything is okay on both ends, but when we try to log in, the SP (Spring Security) barfs with this error:

Authentication request failed - Error validating SAML message

The catalina.out on the Spring side shows (well, this is a snippet of it):

Code:
- Single certificate was present, treating as end-entity certificate
- Credentials successfully extracted from child {http://www.w3.org/2000/09/xmldsig#}X509Data by provider org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider
- A total of 1 credentials were resolved
- Registry could not locate evaluable criteria for criteria class org.opensaml.xml.security.keyinfo.KeyInfoCriteria
- Attempting to validate signature using key from supplied credential
- Creating XMLSignature object
- Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1
- Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl'
- Signature validated with key from supplied credential
- Signature validation using candidate credential was successful
- Successfully verified signature using KeyInfo-derived credential
- Attempting to establish trust of KeyInfo-derived credential
- Failed to validate untrusted credential against trusted key
- Successfully validated untrusted credential against trusted key
- Successfully established trust of KeyInfo-derived credential
- Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}ArtifactResponse
- Authentication via protocol message signature succeeded for context issuer entity ID https://nam-idp-test.something.com/nidp/saml2/metadata
- Successfully decoded message.
- Checking SAML message intended destination endpoint against receiver endpoint
- SAML message intended destination endpoint in message was empty, not required by binding, skipping
- Extracting ID, issuer and issue instant from status response
- Evaluating security policy of type 'org.opensaml.ws.security.provider.BasicSecurityPolicy' for decoded message
- SAML protocol message was not signed, skipping XML signature processing
- Successfully decoded message.
- Checking SAML message intended destination endpoint against receiver endpoint
- SAML message intended destination endpoint in message was empty, not required by binding, skipping
- Authentication attempt using org.springframework.security.saml.SAMLAuthenticationProvider
- AuthNResponse;FAILURE;134.179.227.253
- Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
- Updated SecurityContextHolder to contain null Authentication
- Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@7e91259
- No failure URL set, sending 401 Unauthorized error
- SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
- SecurityContextHolder now cleared, as request processing completed
- Executing metadata refresh task