Currently, regardless of the chosen signature algorithm for a SAML client, Keycloak will accept assertions signed with another algorithm (e.g. Keycloak signs with SHA256 but accepts SHA1 from the SP).
With many other IdPs, when a signature algorithm is chosen, there's a validation that the same algorithm is used in both directions. I think this is something that Keycloak should do too as a security measure. This could be configurable.
Feature request opened as requested here: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009515.html
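The check the request asks for, as an added example that is not Keycloak's code or part of the original report: before doing any cryptographic verification, walk every ds:Signature in the inbound SAML message and reject it if the declared SignatureMethod or DigestMethod differs from the algorithm configured for that client, so a SHA1-signed assertion is refused when SHA256 is configured. The algorithm URIs are the standard XML-DSig identifiers; the function names, the configured-algorithm parameters and the minimal assertion skeleton (with placeholder signature and digest values) are assumptions constructed for illustration. This only enforces the declared algorithm; the actual signature must still be verified separately.

```python
"""Reject SAML messages whose declared XML-DSig algorithms differ from the configured ones."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Standard XML-DSig algorithm identifiers (real URIs, not assumptions).
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"


class SignatureAlgorithmMismatch(Exception):
    """Raised when a signature or digest algorithm other than the configured one is declared."""


def declared_algorithms(xml_text):
    """Return [(signature_algorithm, [digest_algorithm, ...]), ...], one entry per ds:Signature.

    Both the Response and the Assertion may carry a signature, so every one is inspected.
    """
    root = ET.fromstring(xml_text)
    found = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
        digests = [d.get("Algorithm") for d in sig.iter(f"{{{DS}}}DigestMethod")]
        found.append((method.get("Algorithm") if method is not None else None, digests))
    return found


def enforce_signature_algorithm(xml_text, expected_sig_alg, expected_digest_alg):
    """Pre-check run before cryptographic verification (hypothetical helper, not Keycloak's API).

    Every ds:Signature must declare exactly the configured SignatureMethod and DigestMethod.
    Returns True when the message passes; raises SignatureAlgorithmMismatch otherwise.
    """
    signatures = declared_algorithms(xml_text)
    if not signatures:
        raise SignatureAlgorithmMismatch("no ds:Signature element present")
    for sig_alg, digests in signatures:
        if sig_alg != expected_sig_alg:
            raise SignatureAlgorithmMismatch(
                f"SignatureMethod {sig_alg!r} does not match configured {expected_sig_alg!r}")
        for digest_alg in digests:
            if digest_alg != expected_digest_alg:
                raise SignatureAlgorithmMismatch(
                    f"DigestMethod {digest_alg!r} does not match configured {expected_digest_alg!r}")
    return True


def accepts(xml_text, expected_sig_alg, expected_digest_alg):
    """Boolean convenience wrapper around enforce_signature_algorithm."""
    try:
        return enforce_signature_algorithm(xml_text, expected_sig_alg, expected_digest_alg)
    except SignatureAlgorithmMismatch:
        return False


def sample_assertion(sig_alg, digest_alg):
    """Constructed, minimal SAML assertion skeleton for the demo.

    SignatureValue and DigestValue are placeholders, not real signatures; only the
    declared algorithm URIs matter for this check.
    """
    return f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_a1" Version="2.0"
    IssueInstant="2017-02-01T00:00:00Z">
  <saml:Issuer>https://idp.example/realms/demo</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    # Configured for SHA256: an SHA256-signed assertion passes, an SHA1-signed one is refused.
    print(accepts(sample_assertion(RSA_SHA256, DIGEST_SHA256), RSA_SHA256, DIGEST_SHA256))
    print(accepts(sample_assertion(RSA_SHA1, DIGEST_SHA1), RSA_SHA256, DIGEST_SHA256))
```

The check is deliberately strict in both directions: a mismatch in either the SignatureMethod or any DigestMethod is rejected, and an unsigned message is rejected too, since "no signature" must not be treated as "no mismatch". Making the comparison configurable per client, as the request suggests, would mean passing the client's configured URIs in place of the constants used here.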