SSO Integration | Generic SAML 2.0 | Optional Configuration - Sign SAML authentication request

This is regarding SAML SSO Integration with Cloudflare. I am referring to the below section given under your docs for Generic SAML 2.0

Sign SAML authentication request

This optional configuration signs the Access JWT with the Cloudflare Access public key to ensure that the JWT is coming from a legitimate source. The Cloudflare public key can be obtained at https://<your-team-name>

It has two public keys given. Idp is not sure that which public key will be used by Cloudflare to sign the authentication request. Our Idp is not able to verify the SAML authentication request.

My question is Why there are two public cert keys given in Cloudflare SAML metadata ?

Screenshot attached for the reference-