The Saml Signing Certificate included in the SP Metadata appears to only be valid for one year, after which the Customer may be presented with a message in the Citrix Admin Portal as follows..
It looks like a two-week notice period is given as upon checking the certificate Expiry was for exactly two weeks after the date given in the message above,
There is an article written by Citrix telling you how to fix this... https://support.citrix.com/article/CTX560704/saml-signing-certificate-rotation-required-before-expiration
However what you probably just need to do is download the SP metadata again, by following steps 6 - 10 in this wiki guide DualShield Preparation for Citrix Workspace.
Please note for step 9 except you click on View instead of Connect..
The SP metadata file will contain the old certificate and the new certificate string..
..This is because the new certificate is not valid until the old one expires!
Copy the contents of the new metadata the go to SSO>Service Providers on Dualshield Admin Console, edit the entry for Citrix Cloud.
Then Edit Medata
Delete the existing metadata, then paste the new metadata in here...
Click Save
Click Save again on the Service Provider edit screen.