...
Since each key found is evaluated, new keys can be introduced by registering them in metadata, waiting a pre-defined period of time for the change to propagate, and then finally deploying the new signing key.
Known Issues
Versions of the ShibOnedotThree C++ ServiceProvider prior to the latest, 1.3.1, mistakenly ignore any <md:KeyDescriptor> without a use attribute set to "signing". 1.3.1 corrects this and permits descriptors with no use attribute to be applied.
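The key rollover and the known issue above can be seen together in the following added example, which is not Shibboleth's own code. It collects the keys a relying party may try for signature verification from constructed metadata; the function name, the require_use_attribute flag (which mimics the pre-1.3.1 behaviour) and the key names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed metadata for a rollover in progress: the deployed key is tagged
# use="signing", the newly registered key carries no use attribute, and a
# third key is encryption-only. Entity ID and key names are placeholders.
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
                     entityID="https://idp.example.org/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>current-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>new-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>enc-key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_key_names(metadata_xml, require_use_attribute=False):
    """Return the KeyName of every descriptor eligible for signature checks.

    A descriptor with no use attribute applies to signing as well as
    encryption. With require_use_attribute=True (hypothetical flag) such
    descriptors are skipped, reproducing the issue described above.
    """
    names = []
    root = ET.fromstring(metadata_xml)
    for descriptor in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = descriptor.get("use")
        if use is None and require_use_attribute:
            continue  # pre-1.3.1 behaviour: untagged key is never tried
        if use not in (None, "signing"):
            continue  # encryption-only key, not usable for verification
        for key_name in descriptor.iter(f"{{{DS}}}KeyName"):
            if key_name.text:
                names.append(key_name.text.strip())
    return names


if __name__ == "__main__":
    print("all eligible keys:   ", signing_key_names(SAMPLE_METADATA))
    print("use attribute needed:", signing_key_names(SAMPLE_METADATA, True))
```

With the strict flag set, the newly registered key is never evaluated, so a rollover that publishes the new key without use="signing" would fail against an affected ServiceProvider once the old key is retired.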
...
Note: As of version 1.3.1 (currently IdP only), the behavior is now identical to the ExplicitKeyTrustEngine, except that the <ds:RetrievalMethod> element is not supported. Otherwise, the behavior is as described below.
...