ADFS uses two certificates: a token-signing certificate and a token-decryption certificate. Both are renewed periodically. IBM Domino relies on idpcat.nsf for SAML. It contains IDP config documents, and each IDP config document contains an imported FederationMetadata.xml. ADFS renews its certificates in advance and allows federation partners to prepare for use of the new certificates.
The IDP config document allows the FederationMetadata.xml file to be imported. Once it is imported, SAML works on Domino. However, once ADFS generates new certificates, the new FederationMetadata.xml must be imported, and the Domino administrator cannot do that until ADFS starts using the new certificate. Let's say ADFS will start using the new certificates at 2020.01.01 00:00. In that case Domino will stop authenticating SAML users at 2020.01.01 00:00 and will keep failing until the Domino administrator imports the new FederationMetadata.xml. If there is more than one Domino server, let's say 10, then it will take about 1 hour for the Domino administrator to import the new FederationMetadata.xml into each IDP Config document, replicate the changes to each server, restart HTTP on each server and test each server. So end users will not be able to authenticate for 1 hour.
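The gap described above can be detected before the cutover rather than at 00:00. ADFS publishes the upcoming token-signing certificate in FederationMetadata.xml alongside the current one during the rollover window, so comparing the signing certificates in the metadata that was imported into idpcat.nsf against the metadata ADFS currently publishes tells the administrator that a re-import is due. The following is an added example, not code from the page, from IBM, or from Microsoft: it parses the `KeyDescriptor use="signing"` entries of two metadata documents and reports which signing certificates are new or retired. The entityID, the two metadata documents and the certificate blobs are constructed for the example; the blobs are arbitrary bytes, not real certificates, so the fingerprints only demonstrate the comparison logic.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used by FederationMetadata.xml.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed stand-ins for the DER certificate blobs ADFS publishes.
OLD_CERT = _b64("constructed-old-token-signing-cert")
NEW_CERT = _b64("constructed-new-token-signing-cert")

# Minimal constructed metadata; the entityID is a placeholder, not a real ADFS farm.
METADATA_TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
{keys}
  </IDPSSODescriptor>
</EntityDescriptor>
"""
KEY_TEMPLATE = """    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>"""

# What was imported into the IDP config document (one signing cert) versus what
# ADFS publishes during the rollover window (old and new signing certs).
IMPORTED_METADATA = METADATA_TEMPLATE.format(keys=KEY_TEMPLATE.format(cert=OLD_CERT))
PUBLISHED_METADATA = METADATA_TEMPLATE.format(
    keys="\n".join(KEY_TEMPLATE.format(cert=c) for c in (OLD_CERT, NEW_CERT))
)


def signing_cert_fingerprints(metadata_xml: str) -> list:
    """Return SHA-256 fingerprints of every IdP signing certificate in the metadata.

    A KeyDescriptor without a 'use' attribute applies to both signing and
    encryption, so it is included as well.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata base64 is often line-wrapped; strip whitespace before decoding.
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def rollover_status(imported_xml: str, published_xml: str) -> dict:
    """Compare imported vs. published signing certs and say whether a re-import is due."""
    imported = set(signing_cert_fingerprints(imported_xml))
    published = set(signing_cert_fingerprints(published_xml))
    return {
        "new_certs": sorted(published - imported),      # present in ADFS, missing in Domino
        "retired_certs": sorted(imported - published),  # still in Domino, gone from ADFS
        "needs_reimport": bool(published - imported),
    }


if __name__ == "__main__":
    status = rollover_status(IMPORTED_METADATA, PUBLISHED_METADATA)
    for key, value in status.items():
        print(f"{key}: {value}")
```

Run against the real files, the imported copy would come from the IDP config document and the published copy from the ADFS metadata endpoint; scheduling the comparison daily gives the administrator the rollover window, rather than the cutover minute, to import the new FederationMetadata.xml into each IDP config document and replicate it.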