Each FaaS customer gets a dedicated (not shared) FaaS instance which, based on customer preferences, is localized for their use. To do that, each customer must provide us with certain minimal resources (such as an FQDN for the web server, a TLS certificate, and a mail smarthost), which are explained in detail on the page on becoming a FaaS user (update link).

However, although the FaaS customer instance is dedicated, this could not be achieved for all of the FaaS infrastructure. Namely, all FaaS instances access key material that is stored in a single "partition" of an HSM. That means all FaaS-using federations share the same signing key/certificate. That is not a problem per se, since we enforce strict controls over system access to the machines, which is limited to FaaS operations only, in order to prevent e.g. one federation from impersonating the SAML metadata of another federation. However, if a federation decides to stop using the FaaS service, it cannot take the signing key with it, and as a consequence the federation would need to perform a signing key rollover during this transition.
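The rollover mentioned above only works cleanly if metadata consumers trust the old and the new signing key at the same time for an overlap period, and retire the old key afterwards. The following is an added example, not FaaS's own code or its HSM integration: it uses in-memory P-256 keys and detached ECDSA signatures (hypothetical stand-ins for the HSM-held key and XML Signature) to walk a consumer's trust store through the three phases of a rollover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one metadata signing key. In FaaS the private half lives in
// the shared HSM partition; in this hypothetical example it is generated in memory.
type Signer struct {
	Name string
	key  *ecdsa.PrivateKey
}

// NewSigner creates a fresh P-256 signing key under the given label.
func NewSigner(name string) (*Signer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, key: k}, nil
}

// Public returns the key that consumers must add to their trust store.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign produces a detached signature over the SHA-256 digest of the metadata.
func (s *Signer) Sign(metadata []byte) ([]byte, error) {
	h := sha256.Sum256(metadata)
	return ecdsa.SignASN1(rand.Reader, s.key, h[:])
}

// TrustStore is a metadata consumer's set of currently accepted signing keys,
// keyed by a label so that individual keys can be retired.
type TrustStore struct {
	keys map[string]*ecdsa.PublicKey
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[string]*ecdsa.PublicKey{}}
}

// Trust adds a signing key; Retire removes one once the overlap window closes.
func (t *TrustStore) Trust(label string, pub *ecdsa.PublicKey) { t.keys[label] = pub }
func (t *TrustStore) Retire(label string)                      { delete(t.keys, label) }

// Verify checks the signature against every trusted key and reports which
// one matched, so operators can see when the old key has stopped being used.
func (t *TrustStore) Verify(metadata, sig []byte) (string, bool) {
	h := sha256.Sum256(metadata)
	for label, pub := range t.keys {
		if ecdsa.VerifyASN1(pub, h[:], sig) {
			return label, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample metadata; a real federation would sign an EntitiesDescriptor.
	metadata := []byte(`<EntitiesDescriptor Name="example-federation"/>`)
	oldKey, _ := NewSigner("faas-shared")
	newKey, _ := NewSigner("federation-own")

	consumer := NewTrustStore()
	consumer.Trust(oldKey.Name, oldKey.Public())

	// Phase 1: consumers trust only the old (shared) key.
	sig, _ := newKey.Sign(metadata)
	_, ok := consumer.Verify(metadata, sig)
	fmt.Println("new key accepted before rollover:", ok)

	// Phase 2: the new key is published; consumers trust both during the overlap.
	consumer.Trust(newKey.Name, newKey.Public())
	label, ok := consumer.Verify(metadata, sig)
	fmt.Println("accepted via:", label, ok)

	// Phase 3: the old key is retired once every consumer has picked up the new one.
	consumer.Retire(oldKey.Name)
	sig, _ = oldKey.Sign(metadata)
	_, ok = consumer.Verify(metadata, sig)
	fmt.Println("old key accepted after retirement:", ok)
}
```

The `Verify` return value naming the matching key is deliberate: during the overlap phase it lets an operator confirm from logs that consumers have moved to the new key before the old one is retired.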

...