
I have a Microsoft CRM 2011 instance that I'm trying to connect to from BizTalk 2013 over WCF. The CRM instance uses ADFS-based (federated) security with plain username/password credentials ("domain\user" plus password). The OrganizationService publishes the following policy in its WSDL:

<!-- WS-SecurityPolicy assertion for the CRM 2011 OrganizationService endpoint.
     Summary of what a client must do to satisfy it:
       1. talk to the service over HTTPS (TransportBinding/HttpsToken),
       2. obtain a token from the STS identified below (IssuedToken), and
       3. present that token in every message (IncludeToken=AlwaysToRecipient)
          as an endorsing supporting token. -->
<wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- CRM-specific assertion: the service expects federated (STS-issued) authentication.
           The Identifier is the name CRM uses for the STS; it is written with an http: scheme
           here. NOTE(review): this looks like the STS issuer/identifier URI rather than a
           reachable endpoint (the actual endpoint is discovered via the mex reference below); confirm. -->
      <ms-xrm:AuthenticationPolicy xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services">
        <ms-xrm:Authentication>Federation</ms-xrm:Authentication>
        <ms-xrm:SecureTokenService>
          <ms-xrm:Identifier>http://example.com/adfs/services/trust</ms-xrm:Identifier>
        </ms-xrm:SecureTokenService>
      </ms-xrm:AuthenticationPolicy>
      <!-- Wire protection is provided by TLS, not by message-level encryption:
           HttpsToken requires an HTTPS transport and the server certificate validation that
           goes with it. Do not weaken client-side certificate validation to get past errors. -->
      <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken/>
            </wsp:Policy>
          </sp:TransportToken>
          <!-- Basic256 algorithm suite; consistent with the aes256-cbc / rsa-oaep-mgf1p /
               hmac-sha1 values in the RequestSecurityTokenTemplate below. -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <!-- A wsu:Timestamp is required in every message; with an endorsing token this is
               what the token's proof key signs. Clock skew between BizTalk, AD FS and CRM
               can therefore cause rejections (presumably within the usual WCF/AD FS skew
               tolerance; verify if timestamp faults appear). -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- The STS-issued token endorses each message (signs the timestamp with its proof key)
           and is sent to the service in every message (AlwaysToRecipient). -->
      <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <!-- Issuer address is anonymous; the STS endpoint is to be discovered from the
                 WS-MetadataExchange document referenced below. The mex URL is HTTPS, which
                 matters: the client ends up trusting whatever endpoints that document lists.
                 A client that pins the issuer address in its own config (as the client
                 configuration on this page does) is not dependent on runtime discovery. -->
            <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
              <Address xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</Address>
              <Metadata xmlns="http://www.w3.org/2005/08/addressing">
                <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <wsx:MetadataSection xmlns="">
                    <wsx:MetadataReference>
                      <Address xmlns="http://www.w3.org/2005/08/addressing">
                        https://example.com/adfs/services/trust/mex
                      </Address>
                    </wsx:MetadataReference>
                  </wsx:MetadataSection>
                </Metadata>
              </Metadata>
            </Issuer>
            <!-- Parameters the client must send in its RequestSecurityToken to the STS.
                 Note the whitespace around several text values: it is part of the element
                 content as published, so do not "tidy" this fragment by hand. -->
            <sp:RequestSecurityTokenTemplate>
              <!-- Symmetric 256-bit proof key: the token holder proves possession by signing
                   with this key rather than with a client certificate. -->
              <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
              </trust:KeyType>
              <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
              <!-- The token must carry the caller's UPN claim; the STS has to be configured
                   to issue it for this relying party. -->
              <trust:Claims xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
                <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
              </trust:Claims>
              <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
              <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
              <!-- HMAC-SHA1 is the symmetric signature algorithm the Basic256 suite prescribes.
                   This is a keyed MAC, not a SHA-1 digital signature, so SHA-1 collision attacks
                   do not apply, but expect compliance scanners to flag the string. -->
              <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
              <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
              <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
            </sp:RequestSecurityTokenTemplate>
            <!-- The token must be referenced from inside the message (by wsu:Id), not by an
                 external reference. -->
            <wsp:Policy>
              <sp:RequireInternalReference/>
            </wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I've set up the following client configuration:

 <!-- Federation binding used for the final call to the CRM OrganizationService.
      TransportWithMessageCredential = TLS to CRM plus the STS-issued token carried in the
      message, which matches the WSDL's TransportBinding + EndorsingSupportingTokens/IssuedToken.
      NOTE(review): the accepted answer on this page reports that
      establishSecurityContext="false" had to be set on the <message> element below
      (i.e. no WS-SecureConversation session with CRM; every request carries the issued token). -->
 <binding name="ws2007FederationHttpBinding">
   <security mode="TransportWithMessageCredential">
     <message>
       <!-- STS endpoint is pinned here rather than discovered from mex at runtime.
            This is the WS-Trust Feb-2005 username endpoint ("/trust/2005/usernamemixed").
            NOTE(review): the host (adfs20.example.com) differs from the STS identifier and
            mex address in the WSDL (example.com); presumably the same AD FS farm, but confirm
            that the issuer name AD FS puts in the token is the one CRM expects.
            NOTE(review): ws2007* bindings speak WS-Trust 1.3; if the STS binding is switched
            to ws2007HttpBinding (as the answer suggests), confirm the issuer address points at
            the matching WS-Trust 1.3 AD FS endpoint rather than the /2005/ one. -->
       <issuer address="https://adfs20.example.com/adfs/services/trust/2005/usernamemixed"
       binding="wsHttpBinding" 
       bindingConfiguration="stsBinding" />
       <!-- Metadata is fetched over HTTPS; WCF validates the AD FS server certificate by
            default. Keep it that way: disabling certificate validation to get past an error
            would let anyone on the path substitute the STS. -->
       <issuerMetadata address="https://adfs20.example.com/adfs/services/trust/mex" />
     </message>
   </security>
  </binding>

And it references the following binding configuration for the ADFS-specific (STS) communication:

<!-- Binding used only for the RequestSecurityToken exchange with AD FS.
     NOTE(review): the accepted answer reports that this had to become a ws2007HttpBinding
     (WS-Trust 1.3) for the federation binding above to work; the element name here
     ("wsHttpBinding") corresponds to the /trust/2005/ endpoint generation. -->
<wsHttpBinding>
  <!-- <clear/> drops any wsHttpBinding configurations inherited from machine.config, so
       only "stsBinding" is visible to this host. -->
  <clear />
  <binding name="stsBinding">
    <!-- TLS protects the channel (no client certificate); the user is authenticated by a
         UsernameToken in the WS-Security header of the RST. The password therefore travels
         inside the SOAP message and is protected only by HTTPS, which this mode enforces.
         The credential values themselves are not shown here; they would be supplied by the
         send port's client credentials, and should live in a credential store rather than
         in plaintext configuration. -->
    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="None"/>
      <!-- establishSecurityContext="false": no WS-SecureConversation session with the STS;
           each token request is a standalone RST/RSTR exchange. -->
      <message clientCredentialType="UserName" establishSecurityContext="false"/>
    </security>
   </binding>
</wsHttpBinding>

When I try to use it, the send port suspends the message with the following error. (MSIS3127 is a fault returned by AD FS itself; the stack shows it surfacing during token issuance negotiation with the STS, not during the call to CRM, so the underlying reason is normally recorded on the AD FS server rather than in the BizTalk log.)

A message sent to adapter "WCF-Custom" on send port "SendPort6" with URI "https://crm-test.example.com/XRMServices/2011/Organization.svc" is suspended. 
 Error details: System.ServiceModel.FaultException: MSIS3127: The specified request failed.

Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.Tokens.IssuedSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens)
   at System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessageAtInitiator(Message& message, String actor, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState correlationState)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open()

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.ICommunicationObject.Open()
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.GetChannel[TChannel](IBaseMessage bizTalkMessage, ChannelFactory`1& cachedFactory)
   at Microsoft.BizTalk.Adapter.Wcf.Runtime.WcfClient`2.SendMessage(IBaseMessage bizTalkMessage) 
 MessageId:  {0A8D8BB1-0838-43AF-B3A1-D63D432C22AA}
 InstanceID: {B57B4979-2187-4CF7-8115-4D65B3952982}

What am I missing?

How did you generate your bindings for this? — Daryl

1 Answer


I got this working by changing the ADFS-specific (STS) binding from wsHttpBinding to ws2007HttpBinding, and by setting establishSecurityContext="false" on the <message> element of the federation binding used for the final call to the CRM service. Two things worth checking when applying this: ws2007HttpBinding speaks WS-Trust 1.3, so confirm the issuer address points at the matching WS-Trust 1.3 AD FS username endpoint rather than the /trust/2005/usernamemixed endpoint shown in the question; and disabling the security context means there is no WS-SecureConversation session with CRM, so every request carries the issued token, which is what the WSDL policy's IssuedToken with IncludeToken=AlwaysToRecipient already requires. Neither change weakens transport security: both legs remain TransportWithMessageCredential over HTTPS with default server-certificate validation.