You can store the keys in the Identity Hub, or in Active Directory - providing the logon provider is supported it should work.