...

This topic discusses the proper handling of the IdP's private signing key. The corresponding public key is bound to a self-signed X.509 certificate in IdP metadata. Note that a signing key may be used for more than just signing, as discussed in the Key Usage topic. See the TLS Server Certificates topic regarding the keys and certificates used for browser-facing TLS.

...

You need to go back to day one of the total lifetime of each of your private keys and ask the following question: Has this key been under my positive control at all times? If the answer to that question is anything other than yes, the key should be considered compromised. In that case you must securely generate a new private key and systematically migrate the corresponding public key certificate into metadata. See the Certificate Migration topic for instructions on how to do this safely.
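The following is an added example and not part of the original wiki page or the IdP software's own tooling. It shows the "generate a new key" half of the procedure above with plain openssl, assuming openssl is installed: the key is created under umask 077 so it is never world-readable, the certificate's public key is checked against the private key, and a fingerprint is produced for cross-checking the certificate later published in metadata. The file names and subject are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): create a fresh IdP signing key
# and self-signed certificate, then verify custody-relevant properties.
# Assumes openssl is on PATH. Paths and subject below are placeholders.
set -eu

# Generate a new RSA private key and a self-signed certificate in one step.
# umask 077 in the subshell guarantees the key file is created owner-only
# (0600) rather than relying on a later chmod.
generate_signing_key() {
    keyfile="$1"; certfile="$2"; subject="$3"
    (
        umask 077
        openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
            -subj "$subject" -keyout "$keyfile" -out "$certfile" >/dev/null 2>&1
    )
}

# Return 0 only if the key is a regular file readable by its owner alone
# (mode 0600 or 0400). Anything more permissive fails the positive-control check.
key_is_private() {
    keyfile="$1"
    [ -f "$keyfile" ] || return 1
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the certificate's public key is the one derived from the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Print the SHA-256 fingerprint of the certificate, to compare with the
# certificate that ends up in metadata during migration.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage (placeholder paths):
#   generate_signing_key /opt/idp/credentials/idp-signing.key \
#                        /opt/idp/credentials/idp-signing.crt /CN=idp.example.org
#   key_is_private /opt/idp/credentials/idp-signing.key && echo "key is owner-only"
#   cert_fingerprint /opt/idp/credentials/idp-signing.crt
```

The permission check is deliberately strict: a key that was ever readable by other accounts cannot be said to have been under positive control, which is the same standard the paragraph above applies over the whole lifetime of the key.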

...