Is it possible for the SP side of a SAML partnership to dynamically get the IdP certificate update for signature?
Component: FEDMA: SiteMinder Federation (Federation Manager)
Environment: Applicable to all the supported releases
There's no way for the SP side to dynamically retrieve the IdP signing certificate. There's no way to configure a secondary certificate for signing assertions at the IdP.
The main reason is that the IdP must know exactly which certificate to use. The IdP can use only one signing certificate at a time, so at any given moment it must be configured to use either the old certificate or the new one, never both.
This is what happens when changing the certificate in the AdminUI.
It's possible to configure a secondary certificate in SiteMinder for SAML request validation only.
That gives flexibility when the Partner plans to change the certificate. The secondary verification certificate works as a fallback. This avoids the need to change the certificate on both sides "simultaneously" (1).
The concept of a secondary verification certificate is also available in other Federation Services vendors, such as Ping (2).
So, by sending Partners the new certificate planned for the IdP configuration some time before the actual change, Partners may be able to configure it as a secondary verification certificate and thus avoid downtime.
Make the certificate change at the IdP during a low-traffic timeframe.
Note: From SiteMinder version 12.6, there's no need to deactivate the partnership when modifying the certificate (3)(4).
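The fallback behaviour described above, as an added illustration that is not SiteMinder's or any vendor's code: the SP holds a primary and a secondary verification key for the partnership, the IdP signs with exactly one key at a time, and the SP reports which of the two certificates matched so the swap can be tracked. The key names, the VerifierSet type and the assertion bytes are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerifierSet is the SP-side view of one partnership (constructed type): the
// IdP's current signing certificate (primary) and, optionally, the certificate
// the IdP announced it will switch to (secondary). Only public keys are needed.
type VerifierSet struct {
	Primary   *rsa.PublicKey
	Secondary *rsa.PublicKey // nil when no fallback is configured
}

// Verify checks an assertion signature against the primary key and, if that
// fails, against the secondary key. The returned label tells the operator
// which certificate matched, so use of the fallback can be logged and the
// primary/secondary swap scheduled once the IdP has changed over.
func (v VerifierSet) Verify(assertion, sig []byte) (string, error) {
	digest := sha256.Sum256(assertion)
	if v.Primary != nil && rsa.VerifyPKCS1v15(v.Primary, crypto.SHA256, digest[:], sig) == nil {
		return "primary", nil
	}
	if v.Secondary != nil && rsa.VerifyPKCS1v15(v.Secondary, crypto.SHA256, digest[:], sig) == nil {
		return "secondary", nil
	}
	return "", errors.New("signature matches neither verification certificate")
}

// Sign stands in for the IdP, which signs with exactly one key at a time.
func Sign(key *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

func main() {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // certificate the IdP uses today
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048) // certificate announced for the change
	assertion := []byte(`<saml:Assertion ID="constructed-example"/>`) // constructed input
	sp := VerifierSet{Primary: &oldKey.PublicKey, Secondary: &newKey.PublicKey}
	for _, k := range []*rsa.PrivateKey{oldKey, newKey} { // before and after the IdP change
		sig, _ := Sign(k, assertion)
		used, err := sp.Verify(assertion, sig)
		fmt.Println(used, err) // "primary <nil>" then "secondary <nil>"
	}
}
```

Once every assertion verifies against the secondary key, the SP promotes it to primary and retires the old certificate; with no secondary configured, the first assertion signed by the new IdP certificate is rejected.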