Saml2RelyingPartyProperties.Signing and Saml2RelyingPartyProperties.Decryption only support unencrypted PEM format for the private key and certificate.
Instead, like other application properties used to provide private keys (e.g. SslProperties), it should support multiple formats, password protection, and ideally a trust store with multiple certificates.
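
Until the properties support this, a password-protected key can be supplied by defining the relying party registration programmatically. The following is an added example, not code from the original issue or from Spring Boot; the `app.saml2.*` property names and the registration id `example` are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

@Configuration
class Saml2KeyStoreConfig {

    // The app.saml2.* names are hypothetical application properties, not Spring Boot ones.
    // Defining this bean replaces the registrations built from Saml2RelyingPartyProperties.
    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations(
            @Value("${app.saml2.keystore.location}") String location,
            @Value("${app.saml2.keystore.password}") String password,
            @Value("${app.saml2.keystore.alias}") String alias,
            @Value("${app.saml2.idp-metadata-uri}") String idpMetadataUri) throws Exception {
        // PKCS#12 keeps the private key encrypted at rest, unlike an unencrypted PEM file.
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Path.of(location))) {
            store.load(in, password.toCharArray());
        }
        // Fail at startup rather than at the first SAML request if the alias is wrong.
        if (!store.isKeyEntry(alias)) {
            throw new IllegalStateException("No private key entry for alias " + alias);
        }
        PrivateKey key = (PrivateKey) store.getKey(alias, password.toCharArray());
        X509Certificate cert = (X509Certificate) store.getCertificate(alias);

        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation(idpMetadataUri)
                .registrationId("example") // assumed registration id
                .signingX509Credentials(c -> c.add(Saml2X509Credential.signing(key, cert)))
                .decryptionX509Credentials(c -> c.add(Saml2X509Credential.decryption(key, cert)))
                .build();
        return new InMemoryRelyingPartyRegistrationRepository(registration);
    }
}
```

The keystore password still has to reach the application somehow; sourcing it from an environment variable or a secrets manager keeps it out of the same file or repository as the keystore.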