All my x509s for SAML signing are self-signed, and all my self-signed certs live for 9999 days and I plan to let someone else figure out the fallout from that as I'm going to be /retired/. No one has ever really complained. Some IdPs I've integrated with use certificates that are signed by public CAs and it's always a hassle because the ergonomics around it are terrible.
IMO, I think rotation is wildly useless too. It might make sense in a world where my signing certificate was decoupled from the metadata someone else has to very likely load by hand.
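Added example (not the commenter's code): the two practical points in the post are that the signing certificate is welded into metadata that relying parties load by hand, and that a 9999-day self-signed certificate sidesteps the problem by never expiring on the author's watch. The Go program below makes both visible from a defender's side. It mints self-signed signing certificates with the standard library, publishes them in a minimal SAML 2.0 IdP metadata document, and then audits that metadata the way an SP operator or a monitoring job would: every `KeyDescriptor` used for signing is decoded and flagged when its validity period exceeds a policy maximum or when it is close to expiry. Publishing the outgoing and the incoming key side by side as two signing `KeyDescriptor` elements is the usual way to make rotation survive hand-loaded metadata; the IdP can switch keys once the partners have picked up the new copy. The metadata shape, the entity ID, the 3-year lifetime ceiling and the 90-day warning window are all assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed minimal shape of SAML 2.0 IdP metadata: only the signing certificates
// are read. The tags carry no namespace, so xml.Unmarshal matches the md:/ds:
// elements by local name.
type keyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}

type entityDescriptor struct {
	EntityID string          `xml:"entityID,attr"`
	Keys     []keyDescriptor `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// newSelfSigned mints a self-signed P-256 signing certificate valid for `days`
// from notBefore and returns its DER encoding.
func newSelfSigned(cn string, notBefore time.Time, days int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // keep it strictly positive
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// buildMetadata publishes one signing KeyDescriptor per certificate. Listing the
// old and the new key together is what lets hand-loaded metadata tolerate a
// key rotation: SPs verify against either until the old one is dropped.
func buildMetadata(entityID string, signingCerts [][]byte) string {
	var b strings.Builder
	fmt.Fprintf(&b, `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">`+"\n", entityID)
	b.WriteString("  <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n")
	for _, der := range signingCerts {
		fmt.Fprintf(&b, "    <md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n",
			base64.StdEncoding.EncodeToString(der))
	}
	b.WriteString("  </md:IDPSSODescriptor>\n</md:EntityDescriptor>\n")
	return b.String()
}

type finding struct {
	Subject   string
	Lifetime  time.Duration // NotAfter - NotBefore
	Remaining time.Duration // NotAfter - now (negative once expired)
	TooLong   bool          // lifetime exceeds the policy ceiling
	Expiring  bool          // less than warnBefore left, or already expired
}

// auditSigningCerts decodes every signing certificate in the metadata and flags
// over-long validity periods and approaching expiry.
func auditSigningCerts(metadata string, now time.Time, maxLifetime, warnBefore time.Duration) ([]finding, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return nil, err
	}
	var out []finding
	for _, kd := range ed.Keys {
		if kd.Use != "" && kd.Use != "signing" { // absent `use` means signing and encryption
			continue
		}
		// Metadata often wraps the base64 body across lines; strip all whitespace first.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(kd.Cert), ""))
		if err != nil {
			return nil, fmt.Errorf("entity %s: bad X509Certificate: %w", ed.EntityID, err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("entity %s: %w", ed.EntityID, err)
		}
		f := finding{
			Subject:   cert.Subject.CommonName,
			Lifetime:  cert.NotAfter.Sub(cert.NotBefore),
			Remaining: cert.NotAfter.Sub(now),
		}
		f.TooLong = f.Lifetime > maxLifetime
		f.Expiring = f.Remaining < warnBefore
		out = append(out, f)
	}
	return out, nil
}

func must(der []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	now := time.Now()
	old := must(newSelfSigned("idp-old", now.Add(-700*24*time.Hour), 730)) // 30 days left
	forever := must(newSelfSigned("idp-forever", now, 9999))                // the 9999-day habit
	fresh := must(newSelfSigned("idp-new", now, 730))                      // replacement for idp-old
	md := buildMetadata("https://idp.example.test/metadata", [][]byte{old, forever, fresh})
	findings, err := auditSigningCerts(md, now, 3*365*24*time.Hour, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s lifetime=%6.0fd remaining=%6.0fd tooLong=%-5t expiring=%t\n",
			f.Subject, f.Lifetime.Hours()/24, f.Remaining.Hours()/24, f.TooLong, f.Expiring)
	}
}
```

Run it with `go run .`; the 9999-day certificate is reported as over the lifetime ceiling while the 30-days-left key is reported as expiring, and the third `KeyDescriptor` is the overlap key that makes the hand-loaded-metadata rotation workable. Pointing `auditSigningCerts` at metadata fetched from a partner's published URL is the same check an SP would schedule to learn about an IdP key change before assertions start failing.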