Also don't forget having to audit each service's API keys/tokens/local users etc to make sure someone hasn't gotten access via a compromised certificate and then created a sneaky API key for them to use in the future.

Basically we had to assume every app had been compromised and rotate every internal key/certificate the was in each one, as well as reconfigure them with a new SAML certificate.