...

ShibOnedotThree includes a pair of "trust engine" plugins in both the IdP and the SP. One is the BasicTrustEngine, which obtains keys directly from MetaData and compares the key presented to it (in the certificate used for the connection or signature) directly against the keys found in MetaData for that entity. No certificate path validation is performed; a key is trusted only if it is explicitly listed in MetaData.

The second is the ShibbolethTrustEngine, which uses MetaData only to identify certificates "indirectly" by name (the KeyName in MetaData must match the name in the presented certificate) and then validates the certificate itself using PKIX path validation rules against the configured trust anchors. The consequence is that a certificate can be replaced without changing MetaData, as long as the new certificate carries the same name and chains to a trusted authority.
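The following is an added illustration of the two trust models just described; it is example code written for this page, not the Shibboleth project's own implementation. It models BasicTrust as an explicit key comparison against keys published in MetaData and ShibbolethTrust as a name match followed by a simplified PKIX path check (issuer match, signature verification and validity window against a single configured trust anchor; no revocation checking). The names `idp.example.edu`, `Example Federation CA` and `Rogue CA`, and all keys and certificates, are generated in-process and are constructed sample data. It uses the `cryptography` library.

```python
"""Added example (not code from the Shibboleth project): the two trust
models contrasted with constructed sample certificates.

  basic_trust      - BasicTrustEngine: presented key must be byte-for-byte
                     one of the keys published for the entity in MetaData.
  shibboleth_trust - ShibbolethTrustEngine: MetaData only names the expected
                     certificate subject; the certificate is then validated by
                     a (simplified) PKIX path check against a trust anchor.

All keys, names and certificates are generated here as sample data.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Build a minimal X.509 certificate (constructed sample data)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _spki(public_key):
    """Canonical DER encoding of a public key, so keys can be compared directly."""
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def basic_trust(presented, metadata_keys):
    """BasicTrustEngine model: accept only a key explicitly listed in MetaData."""
    return _spki(presented.public_key()) in {_spki(k) for k in metadata_keys}


def _validity_window(cert):
    """Return (not_before, not_after) as naive UTC datetimes across library versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def pkix_path_valid(cert, trust_anchors, now=None):
    """Simplified PKIX check: in validity window, issued and signed by a trust anchor.
    (Real PKIX also walks intermediates, checks constraints and revocation.)"""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    not_before, not_after = _validity_window(cert)
    if not (not_before <= now <= not_after):
        return False
    for anchor in trust_anchors:
        if cert.issuer != anchor.subject:
            continue
        try:
            anchor.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                padding.PKCS1v15(), cert.signature_hash_algorithm,
            )
            return True
        except InvalidSignature:
            continue
    return False


def shibboleth_trust(presented, metadata_key_names, trust_anchors):
    """ShibbolethTrustEngine model: name in MetaData must match, then PKIX validates."""
    cn = presented.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn not in metadata_key_names:
        return False
    return pkix_path_valid(presented, trust_anchors)


def evaluate():
    """Run both engines over a constructed scenario and return the verdicts."""
    ca_key, rogue_key = _keypair(), _keypair()
    fed_ca = _make_cert("Example Federation CA", ca_key, "Example Federation CA", ca_key, True)
    rogue_ca = _make_cert("Rogue CA", rogue_key, "Rogue CA", rogue_key, True)
    # Current IdP cert, a rolled-over cert with a new key but the same name,
    # an impostor with the right name from an untrusted CA, and a wrong-name cert.
    current = _make_cert("idp.example.edu", _keypair(), "Example Federation CA", ca_key, False)
    rolled = _make_cert("idp.example.edu", _keypair(), "Example Federation CA", ca_key, False)
    impostor = _make_cert("idp.example.edu", _keypair(), "Rogue CA", rogue_key, False)
    other = _make_cert("other.example.edu", _keypair(), "Example Federation CA", ca_key, False)
    metadata_keys = [current.public_key()]       # what BasicTrust reads from MetaData
    metadata_key_names = {"idp.example.edu"}      # what ShibbolethTrust reads (KeyName)
    anchors = [fed_ca]                            # configured trust anchor; rogue_ca is not
    return {
        "basic_current": basic_trust(current, metadata_keys),        # True
        "basic_rolled": basic_trust(rolled, metadata_keys),          # False: key not in MetaData
        "basic_impostor": basic_trust(impostor, metadata_keys),      # False
        "shib_current": shibboleth_trust(current, metadata_key_names, anchors),   # True
        "shib_rolled": shibboleth_trust(rolled, metadata_key_names, anchors),     # True: same name, chains to anchor
        "shib_impostor": shibboleth_trust(impostor, metadata_key_names, anchors), # False: untrusted issuer
        "shib_other": shibboleth_trust(other, metadata_key_names, anchors),       # False: name not in MetaData
    }


if __name__ == "__main__":
    for check, verdict in evaluate().items():
        print(f"{check:15s} {verdict}")
```

The interesting rows are `rolled` and `impostor`: BasicTrust rejects a legitimately re-issued certificate until MetaData is updated, while ShibbolethTrust accepts it because the name is unchanged and the path validates; conversely ShibbolethTrust rejects a certificate with the right name from an issuer that is not a configured anchor, which is the check the name-only lookup relies on.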

Technically the SP includes a third engine, a legacy plugin that consumes a file format for defining keys and path validation rules that was created for ShibOnedotTwo. It is rather confusing to use, has not been documented, and will not be supported in future versions. Existing federations may continue to supply trust information in that format until all of their members have upgraded to ShibOnedotThree, which complicates things in the meantime.

...