If the new certificate is promoted to primary without Vault being notified of it, all attempts to log in will fail, and the stack trace will contain the message:
Unable to find a certificate matching the configured fingerprint.
New Token Signing Key Procedure
Once the new key has been generated (automatically or manually), the thumbprint of the new certificate must be sent to Vault (firstname.lastname@example.org) so that it can be added to the allowed list of thumbprints. At this stage, both thumbprints will be valid. Once the rollover is complete and the old certificate has been removed from ADFS, contact support to remove the old thumbprint.
By following this procedure, users should not experience any downtime when logging into Vault.
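As an added example, not part of the original page, the following PowerShell snippet shows how an ADFS administrator can list the farm's token-signing certificates, identify the pending secondary (new) certificate, and read off the thumbprint that has to be sent to Vault before that certificate is promoted to primary. It assumes it is run on an ADFS server where the ADFS PowerShell module (Get-AdfsProperties, Get-AdfsCertificate) is available; the output labels are this example's own.

```powershell
# Added example (not from the original page): list ADFS token-signing
# certificates and flag the secondary thumbprint that Vault must allow-list
# before it becomes primary. Assumes the ADFS module is installed and the
# caller has rights to query the farm configuration.
Import-Module ADFS

# Rollover settings tell you whether ADFS will promote the new key on its own
# and how many days before expiry that promotion happens.
$props = Get-AdfsProperties
"AutoCertificateRollover       : $($props.AutoCertificateRollover)"
"CertificatePromotionThreshold : $($props.CertificatePromotionThreshold) day(s)"
""

# Both the primary (currently used) and any secondary (pending) token-signing
# certificates are returned; IsPrimary distinguishes them.
$signing = Get-AdfsCertificate -CertificateType Token-Signing
foreach ($c in $signing) {
    $role = if ($c.IsPrimary) { 'PRIMARY  ' } else { 'SECONDARY' }
    "{0} {1} expires {2:yyyy-MM-dd}" -f $role, $c.Thumbprint, $c.Certificate.NotAfter
}
""

# The secondary thumbprint is the one Vault needs on its allowed list before
# promotion; if none is listed, no rollover is currently pending.
$pending = $signing | Where-Object { -not $_.IsPrimary } |
           Select-Object -ExpandProperty Thumbprint
if ($pending) {
    "Send this thumbprint to Vault before promoting the certificate: $pending"
} else {
    "No secondary token-signing certificate is pending; nothing to send yet."
}
```

Run this after the new key has been generated and again after the rollover completes: the first run gives the thumbprint to send for addition, and the second run (when only one certificate remains) confirms the old thumbprint is gone from ADFS and can be removed from Vault's allowed list.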