Choose used Identity Provider key


we have configured a SAMS Identity Provider (IdP) and we would like to choose the key/certificate that is used to sign the messages. The idea is to use a different key than the one used by our keycloak to issue tokens.

Is this possible via configuration?
Is this possible in some way by extending the keycloak functionality using a SPI?

One way to tackle this problem at the moment would be to use different algorithms for the realm and the IdP

Any suggestions are appreciated,