The Shibboleth engine is found in ShibOnedotThree and is a wrapper around the BasicTrustEngine that adds a second layer of code to evaluate certificates against "key names" identified in metadata and then against a set of PKIX validation rules embedded in a metadata extension. The implementation is specifically designed to act as a wrapper so that using the Shibboleth engine includes the capabilities of the BasicTrustEngine at the same time.

Experience has shown that this engine is significantly more complex to use than the BasicTrustEngine, and it is not recommended for most deployments.

...

Each <md:KeyDescriptor> is resolved into a set of key names. The enclosing entity's unique identifier (its entityID or providerId) is also treated as a key name. When a TLS connection is being initiated, the destination hostname is also implicitly a key name. The certificate being evaluated is then matched against this set of names.

...

Currently all versions of the ShibOnedotThree C++ ServiceProvider mistakenly ignore any <md:KeyDescriptor> without a use attribute set to "signing" when determining valid key names. A future patch will correct this and permit descriptors with no use attribute to be applied.
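As an added example (not code from the Shibboleth project), the following Python resolves the key-name set the way the text above describes and matches a certificate's names against it; a flag reproduces the 1.3 SP behaviour of skipping descriptors that carry no use attribute. The metadata sample and hostnames are constructed, the namespaces are the standard SAML 2.0 metadata and XML-DSig ones, and `cert_names` is assumed to be the subject CN and DNS subjectAltNames already extracted from the certificate.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata (not from the page): one KeyDescriptor with
# use="signing" and one with no use attribute at all.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>idp-signing.example.org</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>idp.example.org</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def resolve_key_names(metadata_xml, tls_hostname=None, ignore_unqualified=False):
    """Return the set of key names accepted for the entity in metadata_xml.

    ignore_unqualified=True reproduces the 1.3 SP behaviour: a KeyDescriptor
    with no use attribute is dropped.  False applies the corrected rule, where
    descriptors with no use attribute also count (encryption-only ones never do).
    """
    root = ET.fromstring(metadata_xml)
    names = {root.get("entityID")}          # the entityID is itself a key name
    if tls_hostname:
        names.add(tls_hostname)             # TLS destination host is an implicit key name
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        use = kd.get("use")
        accepted = use == "signing" or (use is None and not ignore_unqualified)
        if not accepted:
            continue
        for kn in kd.iter("{%s}KeyName" % DS):
            names.add(kn.text.strip())
    return names


def certificate_matches(cert_names, key_names):
    """True if any name carried by the certificate is one of the accepted key names."""
    accepted = {k.lower() for k in key_names}
    return any(n.lower() in accepted for n in cert_names)
```

With the 1.3 behaviour a certificate named only idp.example.org is rejected because its descriptor has no use attribute; with the corrected rule, or when that host is the TLS destination, it is accepted.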

...