To expand on Ronald's answer: the SAML module tries to use the JVM keystore. The CredentialRepository class from package saml20.implementation.security contains the following code:

    private static KeyStore loadJVMKeyStore() throws KeyStoreException,
            NoSuchAlgorithmException, CertificateException,
            FileNotFoundException, IOException {
        KeyStore keyStore = KeyStore.getInstance("JKS");

        String keyStoreResource = System.getProperty("javax.net.ssl.keyStore");

        if (keyStoreResource != null) {
            // applicable if certificates have been manually added to the server
            // (e.g. in the Mx modeler or in the cloud)
            File keyStoreFile = new File(keyStoreResource);

            if (jvmKeyStorePW == null) {
                jvmKeyStorePW = System.getProperty("javax.net.ssl.keyStorePassword");
            }

            keyStore.load(new FileInputStream(keyStoreFile),
                    jvmKeyStorePW.toCharArray());
        } else {
            // create a new store when no certificates have been manually added
            // to the server
            if (jvmKeyStorePW == null) {
                jvmKeyStorePW = saml20.proxies.constants.Constants.getKeystorePassword();
            }
            keyStore.load(null, jvmKeyStorePW.toCharArray());
        }
        return keyStore;
    }