...
<ds:KeyValue>/<ds:RSAKeyValue>
<ds:KeyValue>/<ds:DSAKeyValue>
<ds:X509Data>/<ds:X509Certificate>
<ds:RetrievalMethod> with same-document reference to a supported child element
Note that under no circumstances is an X.509 certificate evaluated on any level when resolving a key. If it is a correctly encoded certificate, the signed key will be resolved. Valid or expired certificates issued by any signer with any sort of extensions are acceptable.
...
<ds:KeyValue>/<ds:RSAKeyValue>
<ds:KeyValue>/<ds:DSAKeyValue>
<ds:X509Data>/<ds:X509Certificate>
<ds:RetrievalMethod> with same-document reference to a supported child element
Note that under no circumstances is an X.509 certificate evaluated on any level by Shibboleth during the operation. Valid or expired certificates issued by any signer with any sort of extensions are acceptable as long as they contain the same key that is presented.
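The key-only comparison described in the two notes above, sketched as an added example; it is not Shibboleth's code. It pulls the SubjectPublicKeyInfo out of a `<ds:X509Certificate>` value and compares it with a trusted key, never reading issuer, validity or extensions. Assumptions: all function names are hypothetical, and the sample certificates are constructed, unsigned, certificate-shaped DER built only for this demo.

```python
import base64

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo; no other field is interpreted."""
    _, off, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, off, _ = read_tlv(der, off)           # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(der, off)
    if tag == 0xA0:                          # optional [0] version
        off = nxt
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(der, off)       # skipped, never evaluated
    tag, _, end = read_tlv(der, off)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[off:end]

def key_matches(cert_b64, trusted_spki):
    """Explicit-key check: only the key carried by the certificate counts."""
    return spki_from_cert(base64.b64decode(cert_b64)) == trusted_spki

# --- constructed sample data (not real certificates or keys) ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def sample_cert(issuer, not_after, spki):
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, issuer))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return base64.b64encode(tlv(0x30, tbs + alg + tlv(0x03, bytes(9))))

KEY_A = tlv(0x30, tlv(0x03, b"\x00constructed key A"))
KEY_B = tlv(0x30, tlv(0x03, b"\x00constructed key B"))
EXPIRED_OTHER_ISSUER = sample_cert(b"Unknown CA", b"210101000000Z", KEY_A)
UNEXPIRED = sample_cert(b"Example CA", b"491231235959Z", KEY_A)
WRONG_KEY = sample_cert(b"Example CA", b"491231235959Z", KEY_B)
```

The expired certificate from an unknown issuer and the unexpired one both match `KEY_A`, while the one carrying `KEY_B` does not. Rotating a trusted key therefore means replacing the trusted key itself, since certificate expiry has no effect here.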
...