Request from User:
The SAML metadata allows multiple KeyDescriptor elements in RoleDescriptor, which should mean that both SPSSODescriptor and IDPSSODescriptor can support multiple encryption keys, but it seems OpenAM only uses the first one.
This makes certificate renewals problematic, as it means an interruption of service to users unless we change the definition at our IdP at exactly the same time as the SP updates their systems. If OpenAM supported multiple KeyDescriptors, then things would just continue to work when the certificate gets switched.
Current Workaround: disable SP certificate verification on the IdP side.
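The following is an added illustration, not code from the ticket or from OpenAM. It builds a constructed SP metadata document with three KeyDescriptor elements (an old signing certificate, a new certificate with no `use` attribute, and an encryption-only certificate; the certificate bodies are placeholder bytes, not real X.509) and contrasts the first-key-only lookup the request describes with a lookup that trusts every certificate listed for the role. The function and variable names are assumptions made for this example; the one standards fact relied on is that a KeyDescriptor without a `use` attribute applies to both signing and encryption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies (base64 of arbitrary bytes, not real DER).
OLD_CERT_B64 = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-new-cert-no-use-attr").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed-encryption-only-cert").decode()

# Constructed SP metadata: during a rotation window both the old and the new
# certificate are published, so an IdP that honours all KeyDescriptors keeps working.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {OLD_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes; used as the identity of a cert."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def trusted_certs(metadata_xml, role="SPSSODescriptor", use="signing"):
    """Return every certificate published for `role` that is valid for `use`,
    in document order. A KeyDescriptor with no `use` attribute counts for both."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, use):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))  # drop whitespace/line wrapping
    return certs


def accepted_first_only(metadata_xml, presented_b64, use="signing"):
    """Behaviour the ticket complains about: only the first KeyDescriptor is consulted."""
    certs = trusted_certs(metadata_xml, use=use)
    return bool(certs) and fingerprint(certs[0]) == fingerprint(presented_b64)


def accepted_any(metadata_xml, presented_b64, use="signing"):
    """Requested behaviour: a presented certificate is trusted if it matches any
    KeyDescriptor for that use, so old and new certs both work during rotation."""
    trusted = {fingerprint(c) for c in trusted_certs(metadata_xml, use=use)}
    return fingerprint(presented_b64) in trusted


if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT_B64), ("new", NEW_CERT_B64)):
        print(label, "first-only:", accepted_first_only(SP_METADATA, cert),
              "any:", accepted_any(SP_METADATA, cert))
```

With the constructed metadata, the first-only lookup rejects the new certificate until the old entry is removed, which is exactly the forced simultaneous cut-over the ticket describes; the any-match lookup accepts both for as long as both are published, and the encryption-only certificate is never accepted for signing under either rule.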