...

The IdP's private signing key is necessarily an online key, that is, it must be available to the IdP software at runtime. An online key can be encrypted, but the password or passphrase that decrypts it generally has to be stored in an unencrypted file so that the IdP service can be restarted unattended; anyone who can read both files therefore holds the key. An online key is considerably more exposed than an offline key and must be protected accordingly.

If the signing key is stored in the file system as an ordinary file, that file (and any passphrase file that unlocks it) should have restrictive permissions, readable only by the account the IdP runs as, to prevent unauthorized copying of the private key. For stronger protection, the signing key can be stored in a hardware security module (HSM) that prevents export of the private key: an attacker who compromises the host may still be able to ask the HSM to sign while they have access, but cannot carry the key away.
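The file-system case above, as an added example that is not code from the original page or from any IdP product: a small POSIX shell audit of an online signing key and its passphrase file. It assumes the IdP runs as a dedicated service account, that the key is PEM-encoded, and that the paths in the usage line are hypothetical; it checks ownership, that no group/other permission bits are set, and whether the key is encrypted at rest (in which case the passphrase file gets the same scrutiny).

```shell
#!/bin/sh
# Added example, not code from the original page: audit the on-disk protection
# of an IdP's online signing key and of the passphrase file that unlocks it.
# Assumptions (none are from the page): the IdP runs as a dedicated service
# account, the key is PEM-encoded, and all paths in the usage line are hypothetical.

# Print "<octal mode> <numeric uid>" for a file; works with GNU and BSD stat.
file_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%OLp %u' "$1"
}

# check_key_file PATH OWNER
# OWNER is a user name or numeric uid. Returns 0 only if PATH is a regular file,
# owned by OWNER, with no group/other permission bits set (mode 0600 or 0400).
check_key_file() {
    path="$1"; owner="$2"
    if [ ! -f "$path" ]; then
        echo "FAIL $path: not a regular file"; return 1
    fi
    # Resolve a user name to a uid; a numeric argument is passed through unchanged.
    want_uid=$(id -u "$owner" 2>/dev/null || printf '%s' "$owner")
    set -- $(file_mode_uid "$path")
    mode="$1"; have_uid="$2"
    # Keep only the three permission digits (drops a leading 0 or a setuid/sticky digit).
    mode="${mode#"${mode%???}"}"
    if [ "$have_uid" != "$want_uid" ]; then
        echo "FAIL $path: owned by uid $have_uid, expected $owner"; return 1
    fi
    case "$mode" in
        600|400) echo "OK   $path: mode $mode, owner $owner"; return 0 ;;
        *)       echo "FAIL $path: mode $mode grants access beyond the owner"; return 1 ;;
    esac
}

# key_is_encrypted PATH
# Returns 0 if the PEM file carries an encryption marker: PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" or the legacy PKCS#1 "Proc-Type: 4,ENCRYPTED"
# header. Only the headers are inspected; the key material is never parsed.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1" 2>/dev/null
}

# audit_signing_key KEY_PATH PASSPHRASE_PATH OWNER
# Runs every check; returns 0 only if all of them pass.
audit_signing_key() {
    key="$1"; pass="$2"; svc="$3"; rc=0
    check_key_file "$key" "$svc" || rc=1
    if key_is_encrypted "$key"; then
        echo "OK   $key: private key is encrypted at rest"
        # The passphrase file is exactly as sensitive as the key: hold it to the same bar.
        check_key_file "$pass" "$svc" || rc=1
    else
        echo "WARN $key: private key is stored unencrypted; file permissions are the only barrier"
    fi
    return $rc
}

# Usage (hypothetical paths and service account):
#   sh audit-signing-key.sh /opt/idp/credentials/idp-signing.key \
#                           /opt/idp/credentials/idp-signing.pass idp
if [ "$#" -ge 3 ]; then
    audit_signing_key "$1" "$2" "$3"
fi
```

The mode check deliberately compares permission bits rather than testing whether the current user can read the file, so the script gives the same answer whether it is run as root or as the service account; run it from a cron job or a configuration-management check and treat any FAIL line as an incident, since a readable passphrase file defeats the encryption the first paragraph describes.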

...