When accepting public keys from someone setting up an identity provider for access to resources protected by a service provider using SAML 2.0, do you absolutely need to have a unique certificate? Is this covered in the SAML specifications?
If they don't, I assume that use of certificates as a layer of defense is rendered void. An example might be someone setting up a test IdP and reusing the certificate for production.
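One concrete way to catch the situation described above (a test IdP and a production IdP presenting the same signing certificate) is to compare certificate fingerprints across the IdP metadata you have been handed. The following is an added example, not code from the original question or from any SAML library; the metadata document, the entity IDs and the "certificates" in it are constructed placeholders (base64 of a plain text string, not real X.509 data), and the check only looks at `KeyDescriptor` elements used for signing.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted metadata

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the decoded (DER) certificate bytes, as a hex string."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_cert_fingerprints(metadata_xml: str) -> dict:
    """Map each IdP entityID to the set of fingerprints of its signing certificates.

    Accepts either a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    KeyDescriptor elements with use="encryption" are skipped; a missing 'use'
    attribute means the key is valid for both signing and encryption.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall("md:EntityDescriptor", NS)

    result = {}
    for ent in entities:
        fps = set()
        for kd in ent.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                fps.add(fingerprint(cert.text))
        result[ent.get("entityID")] = fps
    return result


def find_shared_certs(entries: dict) -> dict:
    """Return {fingerprint: sorted entityIDs} for every cert used by more than one IdP."""
    by_fp = {}
    for entity_id, fps in entries.items():
        for fp in fps:
            by_fp.setdefault(fp, set()).add(entity_id)
    return {fp: sorted(ids) for fp, ids in by_fp.items() if len(ids) > 1}


# Constructed placeholder "certificates": NOT real X.509 data, just distinct byte strings.
CERT_A = base64.b64encode(b"CONSTRUCTED PLACEHOLDER CERT A - not a real certificate").decode()
CERT_B = base64.b64encode(b"CONSTRUCTED PLACEHOLDER CERT B - not a real certificate").decode()


def _idp(entity_id: str, signing_cert: str, encryption_cert: str = None) -> str:
    enc = ""
    if encryption_cert:
        enc = (f'<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>'
               f"<ds:X509Certificate>{encryption_cert}</ds:X509Certificate>"
               f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
    return (f'<md:EntityDescriptor entityID="{entity_id}">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{signing_cert}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>{enc}"
            f"</md:IDPSSODescriptor></md:EntityDescriptor>")


# Constructed sample: the test and production IdPs reuse CERT_A for signing; a third
# IdP signs with CERT_B and only uses CERT_A for encryption (which the check ignores).
SAMPLE_METADATA = (
    f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
    + _idp("https://idp.example.com/prod", CERT_A)
    + _idp("https://idp.example.com/test", CERT_A)
    + _idp("https://idp.example.org/other", CERT_B, encryption_cert=CERT_A)
    + "</md:EntitiesDescriptor>"
)


def report(metadata_xml: str = SAMPLE_METADATA) -> dict:
    """Run the reuse check and return the shared-certificate map."""
    shared = find_shared_certs(signing_cert_fingerprints(metadata_xml))
    for fp, ids in shared.items():
        print(f"signing cert {fp[:16]}... is shared by: {', '.join(ids)}")
    return shared


if __name__ == "__main__":
    report()
```

Running it on the constructed sample flags one shared signing certificate, used by both `https://idp.example.com/prod` and `https://idp.example.com/test`. In practice you would feed it the metadata files (or a federation aggregate) you actually receive, and treat any fingerprint that appears under more than one entityID, or that also appears in an environment you consider untrusted, as something to reject before onboarding the IdP.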