The SAML certificate expired two years ago and DX O2 has not flagged this.
The user's IdP supplies the certificate. This certificate is uploaded to DX O2 during setup. When a user logs in, the IdP sends that certificate, and if it matches the one stored in their tenant, the user is allowed to log in. If the certificate has expired and the customer's IdP continues to send the expired certificate, users will still be able to log in as long as it matches.
NOTE: DX O2 does not check whether the certificate is expired. It is entirely up to the user's IdP to notify the user that the certificate has expired.
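Because the match-only comparison described above keeps working after expiry, the expiry date has to be monitored outside DX O2. The following is an added example, not DX O2 or IdP code: it reads notAfter from the base64 certificate body with a minimal standard-library DER walk and reports its state. The function names, the match_only_login model and the sample certificate are assumptions constructed for illustration.

```python
import base64
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(cert_b64):
    """notAfter (UTC) of a base64 X.509 certificate (PEM body without header lines)."""
    der = base64.b64decode("".join(cert_b64.split()))
    _, cert, _ = read_tlv(der, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)   # TBSCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:        # optional [0] version (absent in v1)
        fields.pop(0)
    validity = fields[3][1]         # order: serial, sigAlg, issuer, validity
    _, _, pos = read_tlv(validity, 0)        # skip notBefore
    tag, value, _ = read_tlv(validity, pos)  # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def match_only_login(presented_b64, stored_b64):
    """Assumed model of the comparison described above: match only, no expiry check."""
    return "".join(presented_b64.split()) == "".join(stored_b64.split())

def cert_status(cert_b64, now, warn_days=30):
    """Return (state, days_left); state is EXPIRED, EXPIRING or OK."""
    expiry = not_after(cert_b64)
    days_left = (expiry - now).days
    if expiry <= now:
        return "EXPIRED", days_left
    return ("EXPIRING" if days_left < warn_days else "OK"), days_left

# Constructed sample: a DER skeleton holding only the TBSCertificate fields up to
# validity (not a real, signed certificate). notAfter is 2022-01-01 00:00:00 UTC.
SAMPLE_CERT_B64 = base64.b64encode(
    bytes.fromhex("302e302ca00302010202010130003000301e170d") + b"200101000000Z"
    + bytes.fromhex("170d") + b"220101000000Z").decode()

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    print("login allowed:", match_only_login(SAMPLE_CERT_B64, SAMPLE_CERT_B64))
    print("certificate:", cert_status(SAMPLE_CERT_B64, now))
```

For a real check, pass the base64 body of the certificate that was uploaded during setup and the current UTC time, and alert on EXPIRING or EXPIRED.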