>Does this mean that Jenkins master doesn't have a personal private key to talk to the IdP?
The plugin creates a key pair automatically and stores it in "JENKINS_HOME/saml-jenkins-keystore.jks", then stores the related data in "JENKINS_HOME/saml-jenkins-keystore.xml". You can grab the public key from "JENKINS_HOME/saml-sp-metadata.xml".
>Could you please just in steps say what I need to back up, and how to restore?
You need the following files to restore the SAML configuration
- Also, you need the same secret.key; if not, the configuration is impossible to decrypt.

But in any case, you usually make a backup of your full JENKINS_HOME to make your Jenkins instance work properly (not only the SAML Plugin). I recommend you take a look at this CloudBees KB: https://support.cloudbees.com/hc/en-us/articles/216241937-Migration-Guide-CloudBees-Jenkins-Platform-and-CloudBees-Jenkins-Team-
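
An added example, not part of the original reply or the plugin's own code: a full JENKINS_HOME backup that refuses to succeed unless the files named above (the keystore, its XML, the SP metadata and secret.key) are in the archive. The function names and the tar.gz format are assumptions, and the files are assumed to sit directly under JENKINS_HOME as the paths above indicate.

```shell
#!/usr/bin/env bash
# Files the reply names: the SAML key pair, its related data, the SP metadata,
# and secret.key, without which the stored configuration cannot be decrypted.
SAML_FILES="saml-jenkins-keystore.jks saml-jenkins-keystore.xml saml-sp-metadata.xml secret.key"

# missing_saml_files DIR_OR_ARCHIVE  (hypothetical helper)
# Prints each named file that is absent from a JENKINS_HOME directory or from
# a tar.gz backup of it. Prints nothing when all of them are present.
missing_saml_files() {
    target=$1
    for f in $SAML_FILES; do
        if [ -d "$target" ]; then
            [ -f "$target/$f" ] || echo "$f"
        else
            tar -tzf "$target" | grep -qxF "./$f" || echo "$f"
        fi
    done
}

# backup_jenkins_home JENKINS_HOME ARCHIVE  (hypothetical helper)
# Archives the whole JENKINS_HOME, then re-reads the archive to confirm the
# SAML files and secret.key really made it in. ARCHIVE must be outside JENKINS_HOME.
backup_jenkins_home() {
    home=$1
    archive=$2
    missing=$(missing_saml_files "$home")
    if [ -n "$missing" ]; then
        echo "not found in $home: $missing" >&2
        return 1
    fi
    # The archive holds a private key and secret.key: make it owner-only.
    ( umask 077 && tar -czf "$archive" -C "$home" . ) || return 1
    chmod 600 "$archive" || return 1
    missing=$(missing_saml_files "$archive")
    if [ -n "$missing" ]; then
        echo "not found in $archive: $missing" >&2
        return 1
    fi
}

# Stand-alone use: ./backup.sh /var/lib/jenkins /secure/jenkins-home.tar.gz
if [ "$#" -eq 2 ]; then
    backup_jenkins_home "$1" "$2"
fi
```

After restoring an archive into a new JENKINS_HOME, `missing_saml_files` can be pointed at that directory to confirm the same files are back before Jenkins is started.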