Is it possible for the SP side of a SAML partnership to dynamically get the IdP certificate update for signature?
There is no way for the SP side to dynamically retrieve the IdP signing certificate, and no way to configure a secondary certificate for signing assertions at the IdP.
The main reason is that the IdP must know exactly which certificate to use: it can sign with only one at a time, so at a given moment it has to be configured to use the new certificate instead of the old one.
This is what happens when the certificate is changed in the AdminUI.
In SiteMinder, a secondary certificate can be configured for SAML request validation only.
This gives flexibility when the partner plans to change its certificate: the secondary verification certificate acts as a fallback, which avoids having to change the certificate "simultaneously" on both sides (1).
The concept of a secondary verification certificate is also available from other federation service vendors, such as Ping (2).
So, by sending partners the new certificate planned for the IdP configuration some time before the change, they can set it as a secondary validation certificate and thus avoid downtime.
Make the certificate change at the IdP during a low-traffic timeframe.
Note that from SiteMinder version 12.6 onward, there is no need to deactivate the partnership when modifying the certificate (3)(4).
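As an added illustration (not SiteMinder's code, nor anything from the referenced articles), the Go program below models the SP-side fallback described above: the IdP signs with exactly one key at a time, while the SP tries its primary verification key and then the secondary one, so assertions keep verifying through every phase of the rotation. It uses raw RSA-SHA256 signatures over the assertion bytes in place of XML-DSig and bare public keys in place of X.509 certificates; the key pairs and the assertion text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Verifier models the SP side: a primary verification key plus an optional secondary (fallback) key.
type Verifier struct {
	Primary, Secondary *rsa.PublicKey // Secondary is nil when no fallback is configured
}
// Verify checks an RSA-SHA256 signature over the assertion against the primary key first, then the secondary.
func (v Verifier) Verify(assertion, sig []byte) (string, error) {
	d := sha256.Sum256(assertion)
	if v.Primary != nil && rsa.VerifyPKCS1v15(v.Primary, crypto.SHA256, d[:], sig) == nil {
		return "primary", nil
	}
	if v.Secondary != nil && rsa.VerifyPKCS1v15(v.Secondary, crypto.SHA256, d[:], sig) == nil {
		return "secondary", nil
	}
	return "", errors.New("signature matches neither configured certificate")
}
// RotationDemo walks through the rotation on constructed data and returns which SP key verified each phase.
func RotationDemo() ([]string, error) {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the IdP's current signing key (constructed)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the key the IdP will rotate to (constructed)
	assertion := []byte(`<saml:Assertion ID="_demo">...</saml:Assertion>`) // constructed sample
	phases := []struct {
		idp *rsa.PrivateKey // the single key the IdP signs with in this phase
		sp  Verifier        // the SP's configured verification certificates in this phase
	}{
		{oldKey, Verifier{Primary: &oldKey.PublicKey}},                                   // 1: before the change
		{oldKey, Verifier{Primary: &oldKey.PublicKey, Secondary: &newKey.PublicKey}},     // 2: SP adds new cert as fallback
		{newKey, Verifier{Primary: &oldKey.PublicKey, Secondary: &newKey.PublicKey}},     // 3: IdP switches; fallback verifies
		{newKey, Verifier{Primary: &newKey.PublicKey}},                                   // 4: SP promotes new cert, drops old
	}
	var out []string
	for _, p := range phases {
		d := sha256.Sum256(assertion)
		sig, _ := rsa.SignPKCS1v15(rand.Reader, p.idp, crypto.SHA256, d[:])
		which, err := p.sp.Verify(assertion, sig)
		if err != nil {
			return nil, err
		}
		out = append(out, which)
	}
	return out, nil
}
```

Phase 3 is the one that matters operationally: the IdP has already switched, and only the secondary certificate keeps the partnership working until the SP promotes it.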