I’m new too this, but when I do a SP SSO it goes off the IDP all fine but attaches what looks like a certificate in the ?SAMLRequest= parameter in the query string, is there a configuration setting that turns this off as the IDP (OKTA) is failing with a bad request because of that query string attachment,

The SAMLRequest query string parameter contains the SAML request (eg authn request) only. If the request is signed then you’ll also see SigAlg and Signature query string parameters.
You can turn off signing the authn request by setting the SignAuthnRequest attribute of the element in your saml.config. This attribute defaults to false.
It may be that there’s some other issue causing the failure at the IdP. They should be able to provide more specific error information. You can then update your SAML configuration as required.