I recently replaced our Token-Signing and Token-Decrypting ADFS certificates because they were about to expire, using the commands below:
# Generate a new Token-Decrypting certificate and make it primary immediately
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
# Generate a new Token-Signing certificate and make it primary immediately
Update-AdfsCertificate -CertificateType Token-Signing -Urgent
When I did this, it removed the old certificates and created new certificates that are primary.
At this point, I expected an outage with our relying party until they update their side with our new metadata (They do not consume metadata automatically).
What was interesting was there was no outage and everything still worked without them updating the metadata on their side.
I'm trying to understand how this is possible. Shouldn't there have been an outage until they updated their side with the new certs? I'm wondering if they are bypassing some checking done with the certs?
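Added example, not part of the original post: a PowerShell check, run on an ADFS server, that lists the certificates the farm currently marks as primary and compares their thumbprints with the certificates actually published in the farm's federation metadata. This lets you confirm from your own side that the old signing thumbprint is really gone from what relying parties are told to trust. The federation service name (`fs.example.com`) and the function name `Compare-AdfsPublishedCertificates` are assumptions for the example; replace the URL with your own farm's metadata endpoint.

```powershell
# Added example (not from the original post). Assumes the ADFS PowerShell module is
# available (run on an ADFS server) and that the metadata URL is your own farm's.
Import-Module ADFS

function Compare-AdfsPublishedCertificates {
    param(
        # Hypothetical farm name; replace with your federation service FQDN.
        [string]$MetadataUrl = 'https://fs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
    )

    # 1. What the farm currently reports as its primary signing/decrypting certificates.
    $primary = Get-AdfsCertificate |
        Where-Object { $_.IsPrimary -and $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
        Select-Object CertificateType, Thumbprint,
            @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } }

    # 2. What the farm publishes to relying parties in its federation metadata.
    [xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $published = foreach ($kd in $md.SelectNodes('//md:KeyDescriptor', $ns)) {
        $b64  = $kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText -replace '\s', ''
        $raw  = [Convert]::FromBase64String($b64)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $raw)
        [pscustomobject]@{
            Role       = $kd.ParentNode.LocalName   # e.g. IDPSSODescriptor, RoleDescriptor
            Use        = $kd.use                    # signing / encryption
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }

    # 3. Report, per primary certificate, whether it is what the metadata advertises.
    foreach ($p in $primary) {
        $match = @($published | Where-Object Thumbprint -eq $p.Thumbprint)
        [pscustomobject]@{
            CertificateType = $p.CertificateType
            Thumbprint      = $p.Thumbprint
            NotAfter        = $p.NotAfter
            InMetadata      = ($match.Count -gt 0)
            PublishedAs     = ($match | ForEach-Object { "$($_.Role)/$($_.Use)" }) -join ', '
        }
    }

    # 4. Anything still published that the farm no longer considers primary (should be
    #    empty after an -Urgent rollover, which removes the old certificate outright).
    $published |
        Where-Object { $_.Thumbprint -notin $primary.Thumbprint } |
        ForEach-Object { Write-Warning "Metadata still publishes non-primary cert $($_.Thumbprint) ($($_.Role)/$($_.Use))" }
}

Compare-AdfsPublishedCertificates | Format-Table -AutoSize
```

If the output shows the new thumbprints as the only ones in the metadata, then nothing on the ADFS side still advertises the old certificates, and the explanation for the missing outage has to lie with the relying party: either it refreshed its copy of your metadata (or the certificate) after all, or it is not checking token signatures against the certificate it has configured. Asking the relying party which thumbprint it currently trusts, and comparing it with this output, settles which of the two it is.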