The Basic engine is found in [ShibOnedotThree] and extracts keys and certificates directly from MetaData to evaluate signatures or TLS credentials.
...
Currently all versions of the [ShibOnedotThree] C++ ServiceProvider mistakenly ignore any <md:KeyDescriptor>
without a use
attribute set to "signing". A future patch will correct this and permit descriptors with no use
attribute to be applied.
...
In addition, the IdP as of version 1.3.1 now extracts the public key from the TLS certificate and compares it to the key in the certificate in the metadata, as in the new [ExplicitKeyTrustEngine].
The following <ds:KeyInfo>
children can be resolved into keys without additional plugin support:
...