Formerly <OriginSite> / <Domain> in older Shibboleth versions, this element is found in the <md:Extensions> element of an attribute-supplying role descriptor (<md:IDPSSODescriptor>, <md:AttributeAuthorityDescriptor>).

Each element identifies a permissible attribute "scope" for the role. Scope is an attribute-specific concept used in Shibboleth to enhance the functionality of the AttributeAcceptancePolicy features.

<shibmd:KeyAuthority>

Formerly <Trust> / <KeyAuthority> in older Shibboleth versions, this element is found in the <md:Extensions> element of the <md:EntitiesDescriptor> and <md:EntityDescriptor> elements.

Each element represents a set of input to a certificate path-building operation during transactions involving the roles or system entities contained within the parent element. Each <ds:KeyInfo> element represents a single trust anchor for such operations, generally an X.509 certificate.

The VerifyDepth attribute controls the maximum certificate path length to allow, using the PKIX-specified definition of path length (which is basically one less than the actual chain length).
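As an added illustration, not taken from this wiki page or from the Shibboleth code base, the following Python parses a constructed metadata document that carries both extensions described above: it collects the <shibmd:Scope> declarations per entity and applies a simple scope-acceptance check to scoped attribute values, and it collects each <shibmd:KeyAuthority> with its VerifyDepth and embedded <ds:KeyInfo> trust anchors. The namespace URIs, the regexp attribute on Scope and the default VerifyDepth of 1 are assumptions drawn from the Shibboleth metadata schema rather than from this page; the sample metadata, the placeholder certificate text and the matching rules (case-insensitive literals, full-string regular expressions) are constructed here and are not Shibboleth's own AttributeAcceptancePolicy logic.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs: assumed from the SAML metadata, XML Signature and Shibboleth
# metadata schemas; they do not appear on the page being illustrated.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample metadata. The certificate body is a placeholder, not real data.
SAMPLE_METADATA = r"""
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                       xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                       Name="constructed-federation">
  <md:Extensions>
    <shibmd:KeyAuthority VerifyDepth="2">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-FEDERATION-CA-BASE64</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </shibmd:KeyAuthority>
  </md:Extensions>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\.example\.edu$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_scopes(root):
    """Map each entityID to the (pattern, is_regexp) pairs declared in its
    attribute-supplying roles (IDPSSODescriptor, AttributeAuthorityDescriptor)."""
    scopes = {}
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        found = []
        for role_name in ("IDPSSODescriptor", "AttributeAuthorityDescriptor"):
            for role in ent.findall(f"md:{role_name}", NS):
                for s in role.findall("md:Extensions/shibmd:Scope", NS):
                    # regexp attribute assumed from the shibmd schema; default is literal.
                    is_regexp = s.get("regexp", "false").lower() == "true"
                    found.append(((s.text or "").strip(), is_regexp))
        scopes[ent.get("entityID")] = found
    return scopes


def scope_permitted(scope, declared):
    """True if `scope` is allowed by the declared Scope elements. Literal scopes
    compare case-insensitively; regexp scopes must match the whole string, so a
    pattern cannot be satisfied by a substring of a longer, attacker-chosen scope."""
    for pattern, is_regexp in declared:
        if is_regexp:
            if re.fullmatch(pattern, scope, re.IGNORECASE):
                return True
        elif pattern.lower() == scope.lower():
            return True
    return False


def accept_scoped_value(value, declared):
    """Split a scoped attribute value such as 'user@example.edu' on its last '@'
    and accept it only if both parts are non-empty and the scope is permitted."""
    if "@" not in value:
        return False
    local, scope = value.rsplit("@", 1)
    if not local or not scope:
        return False
    return scope_permitted(scope, declared)


def parse_key_authorities(root):
    """Collect each KeyAuthority found under an EntitiesDescriptor or EntityDescriptor
    Extensions element, with its VerifyDepth and the X.509 trust anchors it carries."""
    result = []
    for tag in ("EntitiesDescriptor", "EntityDescriptor"):
        for parent in root.iter(f"{{{NS['md']}}}{tag}"):
            for ka in parent.findall("md:Extensions/shibmd:KeyAuthority", NS):
                anchors = [c.text.strip() for c in
                           ka.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                           if c.text]
                result.append({
                    "applies_to": parent.get("Name") or parent.get("entityID"),
                    "verify_depth": int(ka.get("VerifyDepth", "1")),  # default assumed
                    "anchors": anchors,
                })
    return result


def demo():
    """Run both parsers over the constructed sample and check a few scoped values."""
    root = ET.fromstring(SAMPLE_METADATA)
    declared = parse_scopes(root)["https://idp.example.edu/idp/shibboleth"]
    checks = {v: accept_scoped_value(v, declared) for v in (
        "alice@example.edu", "bob@cs.example.edu",
        "mallory@example.edu.evil.org", "eve@other.edu", "noscope")}
    return checks, parse_key_authorities(root)


if __name__ == "__main__":
    checks, authorities = demo()
    for value, ok in checks.items():
        print(f"{value:32} -> {'accepted' if ok else 'rejected'}")
    for ka in authorities:
        print(f"KeyAuthority for {ka['applies_to']}: VerifyDepth={ka['verify_depth']}, "
              f"{len(ka['anchors'])} anchor(s)")
```

The full-string regular-expression match is the point worth noting: a scope pattern like the one in the sample, matched with a substring search instead, would accept values ending in a foreign domain, which is exactly the kind of scope spoofing the acceptance policy exists to stop.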

...

SAML MetaData uses the XMLSignature-defined <ds:KeyInfo> element to represent "keys" in an abstract sense. Keys can take the form of public keys, X.509 certificates, or various indirect key "identifiers" such as certificate subject names. The actual use of keys or certificates is not the domain of MetaData itself, but is a component of how the software uses MetaData to perform TrustManagement.

However, the MetaData implementation in Shibboleth is responsible, to some degree, for processing the <ds:KeyInfo> element so that its contents can be used by the TrustManagement layer. In ShibOnedotThree, the actual responsibility for this is somewhat shared by the MetaData and TrustManagement components. In ShibTwodotZero (at least in C++), the functionality has been isolated into a new component called a KeyResolver, which turns KeyInfo information into various concrete objects, such as a key, a chain of certificates, or a CRL.

...

The following syntaxes are supported in some fashion.

...