ADFS automatically creates a new Token Signing Certificate 20 days before the current token signing certificate expires. ADFS will automatically switch to use the new signing certificate as the primary signing certificate after 5 more days (15 days until the expiry of old signing certificate).
If Vault is not notified of the new certificate used as primary, all attempts to login will fail with a message in the stack trace:
Unable to find a certificate matching the configured fingerprint.
New Token Signing Key Procedure
Once the new key is generated (automatically or manually) the new certificate thumbprint is required to be sent to Vault (firstname.lastname@example.org) for addition to the allowed list of thumbprints. At this stage, both thumbprints will be valid. Once the rollover is complete and the old certificate is removed from ADFS contact support to remove the old thumbprint.
By following this method users should not experience any downtime logging into Vault.