...

With no independent authority to define the roots of trust, and no ability to rely on existing roots to sign SAML keys (EV certificates were something of an exception, and those have been killed off anyway), that approach just doesn’t work. The model adopted by Shibboleth, and later defined as a SAML standard, is based on certificates carried in XML metadata files; it does not require, or even allow, any evaluation of the certificates themselves. The public keys are what matter.

...

Given a configuration as outlined, the process for future key changes is as follows:

  1. Define a new credential bean for the new key.

  2. Define a new SecurityConfiguration bean using the new key.

  3. Publish the new key via federation metadata.

  4. Wait a day, long enough for every SP that refreshes federation metadata to have picked up the new key.

  5. Change the alias for the “default” signing credential to the new key.

  6. Remove the old key from the federation metadata.

In parallel, start addressing the SPs tagged with the old config bean one at a time, flipping each one’s tag value from the old config bean to the new config bean as it is dealt with. Once all of them are done, remove the old credential and config beans and you’re finished.
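The steps above, laid out as Shibboleth IdP Spring configuration. This is an added example, not the page’s own configuration (which is elided above) and not stock IdP configuration: the bean IDs, file names, dates and the SP entityID are hypothetical, it assumes the stock shibboleth.DefaultSigningCredential bean in credentials.xml has been replaced by the alias shown, and where the page selects the config bean per SP with a tag, this example pins an SP with an explicit RelyingPartyByName override instead, which is the simplest standalone equivalent.

```xml
<!-- conf/credentials.xml (excerpt) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Step 1: one credential bean per key. "2020" is the key being retired,
         "2024" its replacement; bean IDs and file names are hypothetical. -->
    <bean id="SigningCredential2020"
          class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
          p:privateKeyResource="%{idp.home}/credentials/idp-signing-2020.key"
          p:certificateResource="%{idp.home}/credentials/idp-signing-2020.crt"
          p:entityId-ref="entityID" />

    <bean id="SigningCredential2024"
          class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
          p:privateKeyResource="%{idp.home}/credentials/idp-signing-2024.key"
          p:certificateResource="%{idp.home}/credentials/idp-signing-2024.crt"
          p:entityId-ref="entityID" />

    <!-- Step 5: the "default" signing credential is an alias rather than a bean of
         its own. It stays on SigningCredential2020 until the new certificate has been
         in federation metadata long enough (steps 3 and 4); changing it to
         SigningCredential2024 moves every SP that is NOT pinned below onto the new
         key in a single edit. -->
    <alias name="SigningCredential2020" alias="shibboleth.DefaultSigningCredential" />

    <!-- Step 2: a SecurityConfiguration per key. Each inherits the IdP defaults
         (algorithms, encryption, validation) and overrides only the signing
         credential list. -->
    <bean id="SigningConfiguration2020" parent="shibboleth.SigningConfiguration.SHA256">
        <property name="signingCredentials">
            <list><ref bean="SigningCredential2020" /></list>
        </property>
    </bean>
    <bean id="SecurityConfiguration2020" parent="shibboleth.DefaultSecurityConfiguration"
          p:signatureSigningConfiguration-ref="SigningConfiguration2020" />

    <bean id="SigningConfiguration2024" parent="shibboleth.SigningConfiguration.SHA256">
        <property name="signingCredentials">
            <list><ref bean="SigningCredential2024" /></list>
        </property>
    </bean>
    <bean id="SecurityConfiguration2024" parent="shibboleth.DefaultSecurityConfiguration"
          p:signatureSigningConfiguration-ref="SigningConfiguration2024" />
</beans>

<!-- conf/relying-party.xml (excerpt; the stock file already declares the util: and
     c: namespaces used here) -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- A hypothetical SP that does not consume federation metadata and therefore
         still trusts only the old certificate. Pinning it to the 2020 configuration
         means the alias flip above does not change what it sees. Once its operator
         has installed the new certificate, change the reference to
         SecurityConfiguration2024 (or delete the override, which has the same effect
         once the alias has been flipped). When no SP is left on the 2020 beans,
         delete SigningCredential2020, SigningConfiguration2020 and
         SecurityConfiguration2020 along with the old key files. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:securityConfiguration-ref="SecurityConfiguration2020" />
            </list>
        </property>
    </bean>
</util:list>
```

Before repointing the alias, check that the new certificate actually appears as a signing KeyDescriptor for the IdP’s entityID in the aggregate the SPs consume, not just in what was submitted to the federation; an SP that refreshes metadata daily but has not yet seen the new key will reject signatures the moment the alias changes. Likewise, do not remove the old certificate from metadata (step 6) until nothing signed with the old key can still be in flight.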

...