Hi Duc,
To answer your initial question, Federation login will be interrupted should the signing certificate expire.
Policy Server will fetch and verify the signing certificate validity when signing is required:
Can not sign Assertion with ID: _abc123 Error: Caught an Exception calling signXMLDocument using IXMLSignature. XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 25 03:22:22 PST 2016
java.lang.Exception: XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Mon Jan 25 03:22:22 PST 2016
    at com.netegrity.smkeydatabase.api.XMLSignatureApacheImpl.signXMLDocument(XMLSignatureApacheImpl.java:302)
    at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(XMLDocumentOpsImpl.java:1041)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:308)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:237)
    at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(ProtocolBase.java:325)
    at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(AuthnRequestProtocol.java:1616)
    at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(AssertionHandlerSAML20.java:262)
    at com.netegrity.assertiongenerator.AssertionGenerator.invoke(AssertionGenerator.java:382)
    at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:286)
We understand the challenges with the coordination; we have a new enhancement in the SSO R12.6 release:
Signing key rollover support using secondary verification certificates—You can configure a secondary verification certificate alias at the IdP and SP to verify the signatures on messages. A remote entity can issue a new verification certificate at any time. The reasons can include a key being compromised, certificate expiry, or a change in key size. Specifying a secondary verification certificate eliminates the need to coordinate system-wide updates of signing and verification certificates simultaneously.
An entity first tries to verify the message signature with the primary certificate. If the verification fails, the entity uses the secondary certificate for signature verification. The Secondary Verification Certificate Alias field is configurable in the remote IdP and SP configurations and in the Signature and Encryption step of any SAML 2.0 partnership. To aid in troubleshooting, log messages have been added to the Policy Server trace log, smtracedefault.log. Refer to the instructions for configuring an SP-to-IdP partnership to enable these new features.
No secondary certificate option is available for encryption.
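The two behaviours discussed in this reply, the signer refusing an expired certificate (the error above) and the verifier trying the primary alias first and only then the secondary alias (the R12.6 rollover feature), modelled as an added example. This is not CA SSO product code: the `Cert` class, the alias names, the dates and the assertion bytes are constructed, and an HMAC tag stands in for the XML signature so the example runs on the Python standard library alone.

```python
"""Added example, not CA SSO product code: models the signing-side expiry
check seen in the Policy Server error and the primary/secondary
verification-certificate fallback described for R12.6. The XML signature
is stood in for by an HMAC tag over the message bytes; certificate aliases,
key material, dates and the assertion are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib
import hmac


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate entry (constructed)."""
    alias: str
    key: bytes            # stands in for the key material behind the alias
    not_after: datetime   # the NotAfter validity date


class CertificateExpiredError(Exception):
    pass


def sign(message: bytes, signing_cert: Cert, now: datetime) -> bytes:
    """Signer: refuse to sign with an expired certificate, mirroring the
    'Signing certificate has expired' error raised by the Policy Server."""
    if now > signing_cert.not_after:
        raise CertificateExpiredError(
            f"Signing certificate has expired. NotAfter: {signing_cert.not_after.isoformat()}")
    return hmac.new(signing_cert.key, message, hashlib.sha256).digest()


def verify_with_rollover(message: bytes, signature: bytes,
                         primary: Cert, secondary: Optional[Cert],
                         trace: List[str]) -> Optional[str]:
    """Verifier: try the primary verification certificate first and fall back
    to the secondary alias only if the primary fails. Returns the alias that
    verified the signature, or None. `trace` collects messages of the kind
    the product writes to smtracedefault.log (wording is constructed)."""
    for cert in (primary, secondary):
        if cert is None:
            continue
        expected = hmac.new(cert.key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, signature):
            trace.append(f"Signature verified with certificate alias '{cert.alias}'")
            return cert.alias
        trace.append(f"Signature verification failed with certificate alias '{cert.alias}'")
    return None


# Constructed rollover scenario: the remote entity rotates from OLD to NEW.
OLD = Cert("old-signing-cert", b"old-key-material",
           datetime(2016, 1, 25, 11, 22, 22, tzinfo=timezone.utc))
NEW = Cert("new-signing-cert", b"new-key-material",
           datetime(2018, 1, 25, 11, 22, 22, tzinfo=timezone.utc))
ASSERTION = b'<saml:Assertion ID="_abc123">...</saml:Assertion>'


def rollover_demo() -> Dict[str, object]:
    """Walk through the rotation and return the observed outcomes."""
    before = datetime(2016, 1, 1, tzinfo=timezone.utc)
    after = datetime(2016, 2, 1, tzinfo=timezone.utc)
    results: Dict[str, object] = {}

    # 1. Signing with the expired certificate is refused (the error in the post).
    try:
        sign(ASSERTION, OLD, after)
        results["expired_signing"] = "signed"
    except CertificateExpiredError:
        results["expired_signing"] = "refused"

    # 2. SP configured with OLD as primary and NEW as secondary alias:
    #    a message signed with the new key still verifies via the secondary.
    trace: List[str] = []
    sig_new = sign(ASSERTION, NEW, after)
    results["new_key_old_primary"] = verify_with_rollover(ASSERTION, sig_new, OLD, NEW, trace)

    # 3. A message signed with the old key (before expiry) verifies on the primary.
    sig_old = sign(ASSERTION, OLD, before)
    results["old_key_old_primary"] = verify_with_rollover(ASSERTION, sig_old, OLD, NEW, trace)

    # 4. Without a secondary alias, the new key's signature is rejected.
    results["new_key_no_secondary"] = verify_with_rollover(ASSERTION, sig_new, OLD, None, trace)

    results["trace"] = trace
    return results


if __name__ == "__main__":
    for key, value in rollover_demo().items():
        print(key, "->", value)
```

The order of the loop in `verify_with_rollover` is the whole point: the primary alias is always tried first, and the secondary is consulted only on failure, so adding the new certificate as the secondary alias before the remote entity rotates lets both old and new signatures verify during the changeover without a coordinated cut-over.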