Keycloak uses the realm keys to construct the metadata for both the SPSSODescriptor and the IDPSSODescriptor descriptors. The realm keys that are intended for the purpose of encryption (shown as "ENC" use in the admin console) and that match the possible encryption algorithms (e.g. RSA-OAEP) are included in the SPSSODescriptor. The realm keys that are intended for signing operations (shows as "SIG" in the admin console) are included in the IDPSSODescriptor. For example, if you add a new "rsa-enc-generated" key as a key provider in the realm keys, Keycloak will include it in the SPSSODescriptor.