What happened was our token signing cert auto rolled and the old one became the secondary and the new one became the primary. Sales Force needs manual intervention to fix this by uploading a new Identity Provider cert.
Log on to your ADFS server (I use Windows 2012 R2) and open ADFS Management, go to certificates:
Next locate the Token Signing area and double click the PRIMARY Token signing certificate:
Choose the Details tab and then select Copy to file. Follow the prompts and then save it as a DER file.
Once you have the file copied to your computer, log in to to your Sales Force account and go to the Single Sign On Settings. You will want to edit your Single Sign On Settings and browse to the Token Signing cert you exported earlier in the Identity Provider Certificate area:
Once you do that, your users should now be able to log back on using SSO.