Two signing certs in SP MetadataProvider section?

[Mak, Steve]

XML signing cert and the response/assertion signing cert are not necessarily the same thing.

You should be explicitly clear with the IDP which cert is being updated.

There's a strong chance "updating their signing certificates" means just the response/assertion signing certs are changing and NOT the XML signature pub cert.

Typically you can compare the hinted cert from within the metadata file to see if you are correct or not.