...
Metadata signature verification is done against the public key alone. If the public key for the federation metadata feed channel is supplied in the form of an X.509 certificate, other aspects of the certificate, such as its expiry date, do not form part of signature verification. This approach is borrowed from the SAML metadata interoperability profile. In particular, an expired certificate will still be used for verification.
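The behaviour described above, as an added example that is not code from the federation or from the SAML profile: a signature made with the key of an expired certificate verifies when only the public key is used, while ordinary X.509 validation of the same certificate fails on its dates. Assumptions: a raw Ed25519 signature over the document bytes stands in for the XML signature on real metadata, the certificate and document are constructed at run time, and all function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signWithExpiredCert signs doc under a constructed cert that expired yesterday.
func signWithExpiredCert(doc []byte) (*x509.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().AddDate(-2, 0, 0), NotAfter: time.Now().AddDate(0, 0, -1)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, ed25519.Sign(priv, doc), err
}

// verifyKeyOnly uses only the certificate's public key; dates and chain are ignored.
func verifyKeyOnly(cert *x509.Certificate, doc, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, doc, sig)
}

// rejectedAsExpired reports whether normal X.509 validation refuses the cert as expired.
func rejectedAsExpired(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the certificate is its own trust anchor, so only its dates can fail
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	doc := []byte("<EntityDescriptor entityID='https://idp.example.org'/>") // constructed
	if cert, sig, err := signWithExpiredCert(doc); err == nil {
		fmt.Println(verifyKeyOnly(cert, doc, sig), rejectedAsExpired(cert))
	}
}
```

Only the certificate's dates are ignored: a document altered after signing still fails `verifyKeyOnly`.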
...