If your SAML Certificate is changing in your IDP (or has changed and you've lost access to Canvas via SSO) there are a couple of ways that you can easily ensure that users don't lose access to Canvas (or restore access).
Ensure that a Root Account Canvas Admin has a local Canvas login to update your authentication configs if you ever lose SSO access. (<canvas_domain>/login/canvas)
Check your SAML configuration page in Canvas. If you have an IDP Metadata URI populated in your Canvas config, Canvas will auto pull new certificates and calculate both the old and new fingerprints nightly.
Multiple Fingerprint support is indicated by fingerprints separated by spaces in the Canvas UI.
If your IDP Metadata URI field isn't populated it may be because the auto parsing of the fields didn't correctly populate your metadata fields.
You can populate the Certificate field manually with either a formatted or non-formatted fingerprint matching your message signing encryption method in Canvas. Use SHA1 for fingerprint calculation if your Message Signing is "Not Signed".
If you are unsure of your fingerprint you can calculate it by following the instructions below.
How to Calculate a SAML Fingerprint
Open your IdP metadata xml file in a text editor or using Google Chrome or Firefox.
If you've lost access to Canvas, use the SAML debugger ("Start Debugger" on the Canvas SAML config) and initiate a login.
If Validation Error = "no trusted signing key found" then you need to update your fingerprint.
Scroll down to IdP Login Response Decrypted and you can view the <X509Certificate> and follow the next steps.
Copy the data contained between the <ds:X509Certificate> (or <X509Certificate> in debugger)