We’re experimenting a situation where an ADFS Enterprise Connection is being trowing an Invalid thumbprint error, the issue is presenting suddenly () and the current work-around is saving the connection without changing anything. This way the connection works again.
A possible explanation for the mismatch in the certificates would be if the ADFS server in question has switched signing certificates after the connection was configured. When you save the connection and you have provided a metadata URL then that URL is queried to obtain metadata information so this would explain why saving without changes addresses the situation as the save would get the new signing certificate from the metadata URL.
When you provide the metadata URL there’s also a periodic job that will check for updates to the metadata file, however, I’m not sure of the frequency so if the ADFS server completely removed the old certificates and replaced them with completely different ones then there would always be some period of time where the mismatch would occur.
If you already checked that the metadata file does indeed contain the expected certificate being currently used by the ADFS server then at first glance I don’t see other possible root cause. You can check the full config of the ADFS connection by performing a GET request to connection endpoint of the Management API, try uploading the metadata and then checking through this endpoint that the thumbprint configured is the one you would expect.