See also: SAML Request certificates https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/859406364
Occasionally when the SAML response certificate expires, you will have to update this on the IdP end. This process will vary from identity provider to identity provider. After a new key for SAML response signing is created in your IdP, you will have to install the certificate in Kantega SSO either by refreshing metadata (on the page Identity Providers > Your SAML IdP > Metadata), or installing the new certificate (on the page Identity Providers > Your SAML IdP > URLs and cert for IdP setupIdp trust certificate).
This guide explains how to update SAML Response certificates in AD FS.
...