Difference between certificate of a website and a SAML certificate?

It's used to produce a signed document. The certificate that's in the IdP's metadata is used to sign the SAML tokens ("assertions") that are issued by the identity provider (IdP) and transferred to the service provider (SP).

As the assertion is transferred through the user's web browser, it has to be protected against the user tampering with it (e.g. so that the user couldn't add more groups or other attributes), so it is digitally signed using the IdP's private key, and the SP verifies that signature before allowing you to log in.

In other words, if SAML assertions are roughly the equivalent of signed JWT tokens in OIDC, then the certificates are used like JWT signing keys.

(Actually, you could perhaps call the SAML assertion a "certificate" and the issuing IdP a "certification authority"...)


Additionally, the SP could also have its own certificate, which the IdP could use to encrypt the assertion (e.g. if it contains internal data that shouldn't leak to the user, like shadowban status, or just to minimize exposure, like SSNs). This is optional.

Another reason for SPs to have their own certificates is so that they could sign logout requests that are sent back to the IdP. The SAML2 protocol supports "single logout", where logging out from one SP logs you out from all others as well as the IdP itself, but this protocol involves a long chain of redirects through locations that might not necessarily trust each other.


Side note: Even though certificates in SAML are the same kind of "signed document" as in TLS, one big difference is that in most cases, SAML certificates are self-signed and the SP only cares about the exact public key, ignoring all other fields. (Really, the biggest reason X.509 certificates are used is because SAML uses the pre-existing XML-DSig standard, and all tools/libraries expect to deal with certificates.) Though this is not to say that they couldn't be CA-issued; that's supported but rarely needed.
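To make the SP-side handling concrete, here is an added example (not from the answer above, and not any SAML library's code) in Go using only the standard library. It builds a self-signed IdP certificate, wraps it in constructed metadata, and then does what the answer describes an SP doing: pull the `X509Certificate` out of the `use="signing"` `KeyDescriptor`, keep only its public key (no chain or expiry check), and verify a signature over an assertion that has passed through the user's browser. The signing step is deliberately simplified to a PKCS#1 v1.5 signature over the raw assertion bytes rather than a full XML-DSig `SignedInfo` with canonicalization; the entity IDs, the assertion text and the function names (`newIdP`, `signingKeyFromMetadata`, `signAssertion`, `verifyAssertion`) are all assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// keyDescriptor / idpMetadata map only the slice of an IdP EntityDescriptor an SP
// needs here: the certificates and their "use". encoding/xml matches on local
// element names when the struct tag carries no namespace, so the md:/ds: prefixes
// in real metadata do not get in the way.
type keyDescriptor struct {
	Use  string `xml:"use,attr"`
	Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
}
type idpMetadata struct {
	XMLName xml.Name        `xml:"EntityDescriptor"`
	Keys    []keyDescriptor `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// newIdP generates an RSA key, self-signs a certificate for it and embeds the DER
// in constructed IdP metadata (hypothetical entity ID, not a real deployment).
func newIdP() (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "idp.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	meta := fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`, base64.StdEncoding.EncodeToString(der))
	return key, meta, nil
}

// signingKeyFromMetadata extracts the IdP signing certificate and returns just its
// public key plus a SHA-256 fingerprint of the SubjectPublicKeyInfo for pinning.
// The certificate is treated as a container for the key: no x509 chain is built
// and no validity period is checked, matching how SPs commonly treat SAML certs.
func signingKeyFromMetadata(metadataXML string) (*rsa.PublicKey, string, error) {
	var md idpMetadata
	if err := xml.Unmarshal([]byte(metadataXML), &md); err != nil {
		return nil, "", err
	}
	for _, kd := range md.Keys {
		if kd.Use != "signing" && kd.Use != "" { // an absent "use" means both
			continue
		}
		der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(kd.Cert))
		if err != nil {
			return nil, "", err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, "", err
		}
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			return nil, "", errors.New("IdP signing key is not RSA")
		}
		fp := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
		return pub, hex.EncodeToString(fp[:]), nil
	}
	return nil, "", errors.New("no signing certificate in IdP metadata")
}

// signAssertion stands in for the IdP's XML-DSig step: hash the assertion bytes
// and sign the digest with the IdP private key (simplified, no canonicalization).
func signAssertion(key *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyAssertion is the SP check: the assertion was relayed by the user's browser,
// so only a valid signature under the pinned IdP key makes its attributes usable.
func verifyAssertion(pub *rsa.PublicKey, assertion, sig []byte) error {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// assertion is a constructed stand-in for a SAML assertion body.
const assertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Attribute Name="groups"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute></saml:Assertion>`

func main() {
	idpKey, metadata, err := newIdP()
	if err != nil {
		panic(err)
	}
	pub, fp, err := signingKeyFromMetadata(metadata)
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned IdP key fingerprint:", fp)
	sig, _ := signAssertion(idpKey, []byte(assertion))
	fmt.Println("genuine assertion:", verifyAssertion(pub, []byte(assertion), sig))
	tampered := strings.Replace(assertion, "staff", "staff,admins", 1) // user edits groups
	fmt.Println("tampered assertion:", verifyAssertion(pub, []byte(tampered), sig))
}
```

The SP never calls `cert.Verify`; the only trust decision is "does this signature check out under the public key I pinned from the metadata", which is exactly why a self-signed certificate is enough here and why rotating the IdP certificate means redistributing metadata rather than re-issuing from a CA.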