An error like this means that there is something wrong with the certificates. Indeed, by creating a fresh IdP setup the certificates are refreshed, so everything starts working again. Is the metadata refreshed daily, and does that work correctly? Is it true that the certificates indeed have been changed? Because if the certificates have not been changed, something strange is going on.
Regards,
Ronald
If you look inside <IDPSSODescriptor> it contains 3 signing certificates. Could it be that the validation exceptions occurred around these dates?

Common Name: accounts.accesscontrol.windows.net
Valid From: March 13, 2019
Valid To: March 13, 2021
Serial Number: 59cabce0275584a54470a6d974c38c1a

Common Name: accounts.accesscontrol.windows.net
Valid From: January 31, 2019
Valid To: January 31, 2021
Serial Number: 3fcb1457885fd99c4f7f0e430743bd0a

Common Name: login.microsoftonline.us
Valid From: October 13, 2018
Valid To: October 13, 2020
Serial Number: 7c45a54d5735b8834473d4418baa8732
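The post above points at the usual cause of this kind of signature failure: the IdP publishes several signing certificates in its metadata and rotates between them, and a service provider that has not refreshed its copy of the metadata still trusts only the older ones. The script below is an added example (not code from this thread, the IdP, or any product mentioned here) that pulls every signing certificate out of an <IDPSSODescriptor>, computes its SHA-256 thumbprint, and reports which published certificates the SP does not yet trust and which trusted ones the IdP no longer publishes. The metadata document, the entity ID and the certificate bodies are constructed placeholders (the "certificates" are hash-derived bytes, not real X.509 data); only the XML structure mirrors real federation metadata.

```python
"""Compare the signing certificates an IdP publishes in its SAML metadata
with the thumbprints a service provider currently trusts.

Added example, not code from the thread. SAMPLE_METADATA is constructed and
the <X509Certificate> bodies are placeholder bytes, not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _placeholder_cert(seed):
    """Constructed stand-in for a base64 DER certificate body (not real X.509)."""
    return base64.b64encode(hashlib.sha256(seed.encode()).digest() * 4).decode()


# Constructed metadata: three signing keys (as in the thread) plus one
# encryption-only key that a signature check must ignore. Entity ID is fictional.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{_placeholder_cert("signing-2019-03")}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{_placeholder_cert("signing-2019-01")}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor><!-- no 'use' attribute: valid for signing and encryption -->
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{_placeholder_cert("signing-2018-10")}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{_placeholder_cert("encryption-only")}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_cert_thumbprints(metadata_xml):
    """Return SHA-256 thumbprints (upper-case hex) of every certificate the
    IdP publishes for signing. A KeyDescriptor without a 'use' attribute
    covers both signing and encryption, so it is included too."""
    root = ET.fromstring(metadata_xml)
    thumbprints = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha256(der).hexdigest().upper())
    return thumbprints


def check_trust(metadata_xml, trusted_thumbprints):
    """Compare published signing certs with what the SP trusts.
    'unknown': published by the IdP but not trusted locally; tokens signed with
               these keys fail validation until the SP refreshes its trust store.
    'stale':   trusted locally but no longer published; candidates to retire."""
    published = signing_cert_thumbprints(metadata_xml)
    trusted = {t.replace(":", "").upper() for t in trusted_thumbprints}
    return {
        "published": published,
        "unknown": [t for t in published if t not in trusted],
        "stale": sorted(trusted - set(published)),
    }


if __name__ == "__main__":
    # Simulate an SP whose trust store only holds the first two signing certs.
    known = signing_cert_thumbprints(SAMPLE_METADATA)[:2]
    for key, value in check_trust(SAMPLE_METADATA, known).items():
        print(key, value)
```

Run the comparison on the same schedule as the metadata refresh Ronald asks about, and treat a non-empty "unknown" list as the signal that a rotation has happened and the SP's trust store has not caught up. The script only compares thumbprints; it does not validate the metadata itself, so fetch the document over TLS from the IdP's known endpoint and verify its XML signature before acting on what it publishes.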
Did you resolve the problem? What was the resolution? We are hitting the identical issue in production.