
The Basic engine is found in ShibOnedotThree and extracts keys and certificates directly from MetaData to evaluate signatures or TLS credentials.

...

Because every key found in metadata is evaluated, a new key can be introduced by registering it in metadata, waiting a pre-defined period of time for the change to propagate, and only then deploying the new signing key.

Known Issues

Versions of the ShibOnedotThree C++ ServiceProvider prior to the latest, 1.3.1, mistakenly ignore any <md:KeyDescriptor> without a use attribute set to "signing". 1.3.1 corrects this and permits descriptors with no use attribute to be applied.

Validating TLS and X.509 Credentials

Note: As of version 1.3.1 (currently IdP only), the behavior is now identical to the ExplicitKeyTrustEngine. Otherwise, the behavior is as described below.

Each <md:KeyDescriptor> is resolved into a certificate chain. The end-entity certificate (assumed to be the first one listed in the chain) is compared directly to the client or server TLS certificate presented. If they match exactly, the engine returns success.
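An added example (not code from the Shibboleth project) that models the rules on this page: the use-attribute handling from Known Issues, the key rollover case from the introduction, and the exact-match TLS check above. The metadata fragment and the certificate bytes are constructed placeholders, not real X.509 data, and skipping use="encryption" descriptors is an assumption taken from the SAML metadata meaning of that value.

```python
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholders standing in for DER-encoded X.509 certificates (not real certs).
OLD_CERT = b"placeholder-DER-old-signing-cert"
NEW_CERT = b"placeholder-DER-new-signing-cert"
ENC_CERT = b"placeholder-DER-encryption-only-cert"

def _b64(der):
    return base64.b64encode(der).decode("ascii")

# Constructed metadata: the old key tagged use="signing", the new key registered with
# no use attribute (the rollover case), and an encryption-only key.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.org/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(OLD_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(NEW_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(ENC_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def signing_chains(metadata_xml, pre_131_sp=False):
    """Resolve each usable <md:KeyDescriptor> into its certificate chain (list of DER bytes).
    pre_131_sp=True reproduces the SP bug described above: descriptors with no use
    attribute are ignored. Encryption-only descriptors are skipped (assumed here from the
    SAML metadata meaning of use="encryption")."""
    chains = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        if use == "encryption" or (pre_131_sp and use != "signing"):
            continue
        certs = [base64.b64decode(c.text.strip()) for c in kd.iter(f"{{{DS_NS}}}X509Certificate")]
        if certs:
            chains.append(certs)
    return chains

def validate_tls_cert(presented_der, metadata_xml, pre_131_sp=False):
    """Basic engine rule: succeed only when the presented certificate is byte-for-byte
    equal to the first certificate of some chain resolved from metadata."""
    return any(chain[0] == presented_der for chain in signing_chains(metadata_xml, pre_131_sp))
```

With the fixed behaviour both the old and the newly registered key validate, so the rollover described above works; with the pre-1.3.1 SP behaviour the new key is rejected until its descriptor is explicitly tagged use="signing".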

...