Once a year, ADFS must change its Token Signer Certificate. 2 weeks before the expiration of its old one, ADFS creates a second new one. Connected applications will detect this second one and will change their configuration automatically.
HCL Domino doesn't have that capability.
Please add this functionality in Domino.
If you don't update your configuration when this Token Signer Certificate changes, the Notes clients and web users cannot use SAML anymore for SSO and receive an error: "Document has been modified or corrupted since signed! (signature)".
In the SAML log you see: "SECCheckAndParseSAMLResponse> Exiting : Document has been modified or corrupted since signed! (signature)"