According to the NAM documentation, the IDP is able to handle multiple certificates for a single SAML2 service provider (specified in the SP's metadata).
In order to select the correct certificate during the authentication process, the SAML request needs to contain a "KeyInfo" attribute. Without the "KeyInfo" attribute being specified, the IDP responds with a "RequestDenied".
However, even with "Debug" logging enabled, the IDP log (catalina.out) does not give any details about the problem if the "KeyInfo" attribute is missing.
The IDP logging should be extended to show a corresponding error message as soon as a request is denied due to a missing "KeyInfo" attribute.
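To make the failure mode above concrete, here is an added example (not NAM code and not part of the original request) that performs the certificate selection an IDP has to do in this scenario and reports the exact reason when it cannot. It parses an SP metadata document with two signing certificates, looks for the ds:KeyInfo element inside the signature of a SAML2 AuthnRequest, and returns a diagnostic that names the missing KeyInfo instead of a bare RequestDenied. The metadata, the requests and the certificate strings are constructed placeholders (not real X.509 data); the entity ID and helper names are assumptions made for this example.

```python
"""Select the SP signing certificate referenced by a SAML2 AuthnRequest.

Added example: the IDP-side check that needs ds:KeyInfo when the SP metadata
publishes more than one signing certificate, plus the log line a practitioner
would want to see instead of an unexplained RequestDenied.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed placeholder certificate bodies (not real DER data).
CERT_ONE = "MIICsDCCAZgCCQD+placeholder+one+AAAA"
CERT_TWO = "MIICsDCCAZgCCQD+placeholder+two+BBBB"

# Constructed SP metadata with two signing certificates (entity ID assumed).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_ONE}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {CERT_TWO}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sample_request(include_keyinfo: bool) -> str:
    """Constructed signed AuthnRequest, with or without ds:KeyInfo."""
    keyinfo = (
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_TWO}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        if include_keyinfo else ""
    )
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
    {keyinfo}
  </ds:Signature>
</samlp:AuthnRequest>"""


def _norm(b64: str) -> str:
    """Base64 in XML is often wrapped; compare without whitespace."""
    return "".join(b64.split())


def signing_certs_from_metadata(metadata_xml: str) -> List[str]:
    """All certificates usable for signing (use="signing" or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(_norm(cert.text or ""))
    return certs


def keyinfo_cert_from_request(request_xml: str) -> Optional[str]:
    """Certificate carried in the request signature's KeyInfo, if any."""
    root = ET.fromstring(request_xml)
    node = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        return None
    return _norm(node.text)


def select_sp_certificate(metadata_xml: str, request_xml: str) -> Tuple[str, Optional[str]]:
    """Return (status, cert); status is 'ok', 'missing-keyinfo' or 'unknown-cert'."""
    known = signing_certs_from_metadata(metadata_xml)
    presented = keyinfo_cert_from_request(request_xml)
    if presented is None:
        return ("missing-keyinfo", None)
    if presented not in known:
        return ("unknown-cert", presented)
    return ("ok", presented)


def diagnose(metadata_xml: str, request_xml: str) -> str:
    """The log message the IDP should emit alongside a RequestDenied."""
    status, cert = select_sp_certificate(metadata_xml, request_xml)
    count = len(signing_certs_from_metadata(metadata_xml))
    if status == "missing-keyinfo":
        return (f"RequestDenied: AuthnRequest signature carries no ds:KeyInfo; "
                f"cannot choose among {count} signing certificate(s) in SP metadata")
    if status == "unknown-cert":
        return "RequestDenied: ds:KeyInfo certificate not found in SP metadata"
    return f"OK: selected signing certificate ...{cert[-8:]}"


if __name__ == "__main__":
    print(diagnose(SP_METADATA, sample_request(True)))
    print(diagnose(SP_METADATA, sample_request(False)))
```

Run as a script it prints one "OK" line for the request that names the second certificate and one "RequestDenied: ... no ds:KeyInfo" line for the request without it, which is the kind of detail the catalina.out entry should contain. Matching on the full certificate body is deliberate: a KeyName or issuer/serial reference is also permitted in KeyInfo, but comparing the published certificate leaves no room for ambiguity when two SP certificates share a subject.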