This is awesome @Ryan_Downey , thanks for taking the time to document your experience. I'll add a few clarifications in case these prove helpful for others too.
I would expect that error to be: [SAML Response is not a 'success' response: Code=urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy Message=null Detail=null]
We have recently updated our documentation to explain why this can happen, see #5 in: Common SAML issues | Elasticsearch Guide [master] | Elastic
Just a comment here that this is not about the SAML version, this is still SAML 2.0 and it is the only version of the standard that the Elastic Stack supports. This is about the format of the NameID, where the URN didn't change in SAML 2.0 compared to SAML 1.1 and remained urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. This means that ADFS by default releases NameIDs with urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified format instead of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent format.
Browser plugins decoding SAML messages are very helpful for troubleshooting; I just wanted to point out that this information is also logged at TRACE level in the elasticsearch.log, as discussed in the last bullet in Common SAML issues | Elastic Stack Overview [7.4] | Elastic.
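The two symptoms above (a non-success StatusCode such as InvalidNameIDPolicy, and a successful response whose NameID still uses the SAML 1.1 unspecified format) can be checked directly on a decoded SAML response. The following is an added example, not code from the poster or from Elastic; it assumes the SP side was configured to expect the persistent format, and the two base64 responses are constructed samples rather than captured ADFS output.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def inspect_saml_response(b64_response: str) -> dict:
    """Decode a base64 SAML 2.0 Response; return its StatusCode chain and NameID Format."""
    root = ET.fromstring(base64.b64decode(b64_response))
    # StatusCode elements nest; document order puts the outer (generic) code first
    # and the innermost (specific reason) last.
    codes = [sc.get("Value") for sc in root.iter(f"{{{SAMLP}}}StatusCode")]
    name_id = root.find(f".//{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    fmt = name_id.get("Format") if name_id is not None else None
    return {"status_codes": codes, "nameid_format": fmt}


def diagnose(info: dict, expected_format: str = PERSISTENT) -> str:
    """Map the fields to the symptoms discussed above (expected_format is an assumed SP setting)."""
    codes = info["status_codes"]
    if not codes or codes[0] != SUCCESS:
        # Mirrors Elasticsearch's "not a 'success' response" error; report the specific code.
        return f"not-success: {codes[-1] if codes else 'no StatusCode'}"
    if info["nameid_format"] != expected_format:
        return f"nameid-format-mismatch: got {info['nameid_format']}, expected {expected_format}"
    return "ok"


def _encode(xml: str) -> str:
    return base64.b64encode(xml.encode()).decode()


# Constructed sample: the IdP refused the requested NameIDPolicy (no assertion is returned).
FAILED_RESPONSE = _encode(f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
  </samlp:StatusCode></samlp:Status></samlp:Response>""")

# Constructed sample: a success response whose NameID still carries the SAML 1.1 'unspecified' format.
UNSPECIFIED_RESPONSE = _encode(f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0"><saml:Subject>
    <saml:NameID Format="{UNSPECIFIED}">jdoe</saml:NameID>
  </saml:Subject></saml:Assertion></samlp:Response>""")
```

The same functions can be pointed at the base64 SAMLResponse value copied from a browser plugin or from the TRACE-level elasticsearch.log entry.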