In Service Provider (SP) initiated SAML, a SAML request is prepare by the SP. The SP digitally signs the request using a private key. When the request is received by the Identity Provider (IdP), the digital signature is verified using the public key sent by the SP in a certificate. Certificates are self-signed or signed by a certification authority (CA).
A Java keystore file stores the certificate and the private key. To create the Java keystore file, use the keytool utility, the Java key and certificate management tool. For more information on the keytool utility, go to the Oracle Documentation website, keytool - Key and Certificate Management Tool.