This error occurs when attempting to execute a SharePoint App on a site configured to use SAML (i.e. Azure ACS). The parent SharePoint site works just fine using Azure ACS.
Initially this site was configured for anonymous access, but the SharePoint App would cause a 500 Internal Server Error, so no anonymous access on sites with a SharePoint App.
Also, for the SharePoint App to run it must be in the Default Zone; running in a different zone also resulted in a 500 Internal Server Error. (If this is the case, does using a SharePoint App mean that extending a site or using AAM will break the App?)
Next, Azure ACS fails because the SharePoint App needs a different Return URL (https://<SharePoint App FQDN>/_trust/default.aspx), so a new realm was created in ACS, but using the same SPTrustedRootAuthority.
This new realm was added to the SPTrustedIdentityTokenIssuer:
# Register the SharePoint App return URL (from above) with the new ACS realm (placeholder value)
$uri = [Uri]"https://<SharePoint App FQDN>/_trust/default.aspx"
$realm = "<new ACS realm>"
$issuer = Get-SPTrustedIdentityTokenIssuer
$issuer.ProviderRealms.Add($uri, $realm)
$issuer.Update()
How do I configure the SharePoint App to run in the Azure ACS-enabled zone (Default Zone)?
What additional configuration is missing, given the error below?
[SecurityTokenValidationException: ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken.]Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token) +1544
Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +113
Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +156
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +601
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +539
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +207
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +182
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +183
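The following diagnostic script is an added example and is not part of the question above. ID4220 means the signature on the incoming SAML assertion could not be resolved to a certificate SharePoint trusts, so the script checks the two things that usually go wrong after adding a realm: whether the realm mapping for the App return URL is present on the SPTrustedIdentityTokenIssuer, and whether the issuer's signing certificate is also registered as an SPTrustedRootAuthority. The issuer name, the realm identifier and the App FQDN are placeholders that you must replace with your own values.

```powershell
# Added example (not from the original post): inspect an SPTrustedIdentityTokenIssuer
# on a SharePoint 2013 farm to diagnose ID4220 after adding a realm for a SharePoint App host.
# Assumptions (placeholders): the issuer name, the ACS realm for the App host, and the App FQDN.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName   = "<SPTrustedIdentityTokenIssuer name>"                      # placeholder
$appReturnUrl = [Uri]"https://<SharePoint App FQDN>/_trust/default.aspx"  # placeholder from the question
$appRealm     = "<realm configured in ACS for the App host>"              # placeholder

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# 1. Realm mapping: the Uri key must match the return URL the App host actually posts to
#    (scheme, host and path), otherwise SharePoint falls back to the default realm.
Write-Host "Default realm: $($issuer.DefaultProviderRealm)"
foreach ($entry in $issuer.ProviderRealms.GetEnumerator()) {
    Write-Host ("Realm mapping: {0} -> {1}" -f $entry.Key, $entry.Value)
}
if (-not $issuer.ProviderRealms.ContainsKey($appReturnUrl)) {
    Write-Host "No mapping for $appReturnUrl; adding realm '$appRealm'"
    $issuer.ProviderRealms.Add($appReturnUrl, $appRealm)
    $issuer.Update()
}

# 2. Signing certificate: the certificate ACS signs assertions with must be the issuer's
#    SigningCertificate, and that certificate must also be a trusted root authority in the farm.
$signingThumbprint = $issuer.SigningCertificate.Thumbprint
Write-Host "Issuer signing certificate thumbprint: $signingThumbprint"
$trusted = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $signingThumbprint }
if ($trusted) {
    Write-Host "Signing certificate is trusted via SPTrustedRootAuthority '$($trusted.Name)'"
} else {
    Write-Warning "Signing certificate $signingThumbprint is NOT registered as an SPTrustedRootAuthority."
    Write-Warning "If ACS signs with a different certificate for the new realm, register it with New-SPTrustedRootAuthority."
}
```

Run it in the SharePoint Management Shell as a farm administrator. If the thumbprint reported in step 2 differs from the certificate ACS uses to sign tokens for the new realm, that mismatch is exactly what ID4220 reports, independent of the realm mapping itself.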