...
- Add a new
<md:KeyDescriptor use="signing">element to IdP metadata. - Wait for the newly updated metadata to propagate throughout the Federation. Two weeks is safe, although longer times may be needed, depending on the operational practices of your partners.
- Configure the IdP software to use the new key (instead of the old key) as the signing key and/or back-channel TLS key.
- Remove the old
<md:KeyDescriptor use="signing">element from IdP metadata.
...