Actually, that is not completely correct.
As I told you yesterday, in my lab, I tried to update the IdP config using a new FederationMetadata.xml in which I changed the certificate.
Using a real certificate, the signing certificate string in my saml.config has been overridden.
In this test, I used two totally different certificates: the first one was the one imported from the metadata XML, the second one was a valid one but obtained from another client.
It was just another Base64 cert string, issued by another CA for another customer.
Yesterday, the client that wants to update the certificate sent to us the new FederationMetadata.xml with the new certificates.
I tried to import it as it was and... it was added to the PartnerIdp certificates along with the old one! And that is exactly what I wanted.
You can see this behaviour in the image where you see both the sign certificates.
Could you please explain to me how it works? When is the certificate overridden, and when is it added with the others?