...

A SAML IdP is a secure web server that issues SAML assertions to SPs upon request. Assertions are signed by the IdP for authenticity and integrity. The IdP administrator generates a private signing key for this purpose. (The corresponding public key is bound to a long-lived, self-signed certificate published in SAML metadata.) Like the TLS key, the signing key must be generated securely and kept safe indefinitely. A compromised IdP signing key is the absolute worst thing that can happen in a federated context. See: IdP Key Handling

Develop a strategy for securing your private keys before you generate them. Avoid moving them around, and the unnecessary exposure that entails, by generating the keys on the IdP in the first place. Strictly control access to the IdP system on which the keys are stored. Keep the IdP software and the underlying operating system software patched and up to date.
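The following shell script is an added example of the procedure above and is not part of the wiki page or of any IdP distribution. It generates the signing key on the IdP host itself under a restrictive umask, binds the public key to a long-lived self-signed certificate suitable for SAML metadata, and then checks that the private key is readable only by its owner. The file paths, the CN, the RSA key size, the certificate validity and the use of `openssl` are all assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate the IdP signing key pair on
# the IdP host and verify the private key is never readable by other accounts.
# Paths, CN, key size and validity below are assumptions, not project defaults.

set -eu

# check_key_perms FILE: succeed only if FILE is a regular file whose group and
# other permission bits are both zero (0600, 0400, ...), i.e. no other local
# account can read the private key.
check_key_perms() {
    f=$1
    [ -f "$f" ] || return 1
    # GNU stat first; fall back to the BSD/macOS form of the same query.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# gen_idp_signing_key KEYFILE CERTFILE CN: create the key under umask 077 so
# the file is private from the moment it exists, and wrap the public key in a
# long-lived self-signed certificate for publication in SAML metadata.
gen_idp_signing_key() {
    key=$1; cert=$2; cn=$3
    (
        umask 077
        openssl req -x509 -newkey rsa:3072 -nodes -sha256 \
            -keyout "$key" -out "$cert" -days 7300 \
            -subj "/CN=$cn"
    )
    # Refuse to proceed if the key somehow ended up world- or group-readable.
    check_key_perms "$key"
    # The fingerprint is what SPs can compare against the metadata certificate.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
}

# Usage (assumed paths):
#   sh idp-signing-key.sh /opt/shibboleth-idp/credentials/idp-signing.key \
#       /opt/shibboleth-idp/credentials/idp-signing.crt idp.example.org
if [ "$#" -ge 3 ]; then
    gen_idp_signing_key "$1" "$2" "$3"
fi
```

Running the generation step on the IdP host, rather than on an administrator workstation, is the point of the umask subshell: the key is written with 0600 permissions once and is never copied across a network or through a shared filesystem.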

...