Keycloak clients setting, SAML private key exposed
I know that in the SAML protocol, the IdP and SP each hold their own key pair, and they do not expose their private key to each other.

I assume the realm key below is the IdP key pair, which makes sense because the private key is not exposed.

But when I turn on "Client Signature Required" in the client settings, a SAML key is generated and the private key is exposed. That means the IdP knows the private key that will be used in the SP application.

It doesn't make sense; there must be something I got wrong. Can someone help clarify?

Pooch answered 18/4, 2018 at 2:42

OK, I think I know the answer.

My thought was correct: the client SAML key is used to sign the SAML request, and the realm key is used to sign the SAML response.

The client SAML private key should be kept on the client application's side. The reason Keycloak keeps it is that Keycloak provides an "installation" function, which makes it easy for the user to download the adapter configuration.

If the private key were not kept in Keycloak, the user would have to input the key value themselves, which may NOT be that convenient.

Pooch answered 7/6, 2018 at 3:56
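The split the answer describes, the client (SP) key signing the AuthnRequest and the realm (IdP) key signing the Response, with each receiver verifying against the other side's certificate only, as an added Go example that is not Keycloak's code: `Sign`, `Verify` and `Exchange` are illustrative helpers, and the two XML strings are constructed stand-ins for real SAML messages.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign makes an RSA-SHA256 signature, standing in for the XML-DSig a real
// SAML message carries. Only the holder of the private key can call this.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify needs only a public key: the client certificate the IdP stores in
// the client settings, or the realm certificate the SP adapter is given.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Exchange runs both signed legs of the flow described in the answer: the SP
// (client key) signs the AuthnRequest, the IdP (realm key) signs the Response.
// crossOK checks that the request does NOT verify under the realm certificate.
func Exchange(sp, idp *rsa.PrivateKey) (reqOK, respOK, crossOK bool, err error) {
	req := []byte(`<samlp:AuthnRequest ID="_req1"/>`)        // constructed sample
	resp := []byte(`<samlp:Response InResponseTo="_req1"/>`) // constructed sample
	reqSig, err := Sign(sp, req)
	if err != nil {
		return
	}
	respSig, err := Sign(idp, resp)
	if err != nil {
		return
	}
	reqOK = Verify(&sp.PublicKey, req, reqSig)     // IdP checks with SP cert
	respOK = Verify(&idp.PublicKey, resp, respSig) // SP checks with realm cert
	crossOK = Verify(&idp.PublicKey, req, reqSig)  // wrong cert: must be false
	return
}

func main() {
	sp, _ := rsa.GenerateKey(rand.Reader, 2048)
	idp, _ := rsa.GenerateKey(rand.Reader, 2048)
	reqOK, respOK, crossOK, err := Exchange(sp, idp)
	fmt.Println(reqOK, respOK, crossOK, err) // true true false <nil>
}
```

Neither `Verify` call ever touches a private key, which is why Keycloak storing the client private key is a convenience for the installation download rather than something the protocol itself requires.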