Two signing certs in SP MetadataProvider section?
makst at upenn.edu
Thu Jan 14 19:11:14 UTC 2021
XML signing cert and the response/assertion signing cert are not necessarily the same thing.
You should be explicitly clear with the IDP which cert is being updated.
There's a strong chance "updating their signing certificates" means just the response/assertion signing certs are changing and NOT the XML signature pub cert.
Typically you can compare the hinted cert from within the metadata file to see if you are correct or not.
More information about the users