Just linking my ticket here: "Support multiple signing keys for enterprise SAML connection".
In my case we have a cronjob that inspects the metadata endpoint every 15 minutes and updates the certificate accordingly. That has been working really great with Azure AD up until recently, when they started alternating between two valid certificates prior to rotation, hence the need to have more than one certificate configured for the enterprise SAML connection in Auth0.
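
Added example, not part of the original post and not Auth0 or Azure AD code: a sketch of the metadata check such a cronjob could run, collecting every signing certificate the IdP publishes instead of only the first and diffing the set against what is currently trusted. The metadata document, entity ID and certificate bytes are constructed placeholders, and pushing the result to the SAML connection is left out because it depends on the service provider's API.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs(metadata_xml):
    """Map SHA-256 fingerprint -> base64 DER for every IdP signing certificate."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without `use` serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # drop line wrapping
            der = base64.b64decode(b64, validate=True)
            certs[hashlib.sha256(der).hexdigest()] = b64
    return certs

def plan_update(configured, metadata_xml):
    """Return (fingerprints to add, fingerprints to retire)."""
    published = set(signing_certs(metadata_xml))
    if not published:
        # Never empty the trust store because of a broken or truncated fetch.
        raise ValueError("metadata contains no signing certificate")
    return published - configured, configured - published

def fake_cert(label):
    # Constructed stand-in bytes, not a real X.509 certificate.
    return base64.b64encode(label).decode()

# Constructed sample: two signing keys published at once, plus one encryption key.
SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {fake_cert(b"constructed-cert-A")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {fake_cert(b"constructed-cert-B")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {fake_cert(b"constructed-cert-E")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    trusted = {hashlib.sha256(b"constructed-cert-A").hexdigest()}
    to_add, to_retire = plan_update(trusted, SAMPLE)
    print("add:", sorted(to_add), "retire:", sorted(to_retire))
```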