Comment: Migrated to Confluence 4.0

A TrustEngine implements a TrustManagement strategy and is responsible for answering two types of runtime questions:

...

Whenever one of these questions is asked, the issuer of the message or the presumed owner of the credential must be known. Going further, the "role" in which the entity is acting must also be known, so that entities can wield different keys when acting in different ways. This breakdown aligns with the SAML 2.0 MetaData design, which assigns key information to entity roles, not directly to entities.

Known TrustEngines

ShibOnedotThree includes a pair of "trust engine" plugins in both the IdP and SP. One is a so-called BasicTrustEngine that obtains keys directly from MetaData and does a simple, direct comparison of the keys presented to it against the keys found in MetaData.
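
The direct comparison described above, scoped to an entity and the role it is acting in, can be sketched as follows. This is an added example, not Shibboleth's own code: the function names, the entity ID and the placeholder key bytes (standing in for DER certificates) are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = {"IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor"}

# Constructed sample data: placeholder bytes stand in for DER certificates.
IDP_KEY, SP_KEY = b"constructed-idp-key", b"constructed-sp-key"
ENTITY = "https://entity.example.org/shibboleth"

def _key_descriptor(blob, use):
    b64 = base64.b64encode(blob).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# One entity that holds a different key in each of its two roles.
METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS["ds"]}" entityID="{ENTITY}">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    f'{_key_descriptor(IDP_KEY, "signing")}</md:IDPSSODescriptor>'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    f'{_key_descriptor(SP_KEY, "signing")}</md:SPSSODescriptor>'
    '</md:EntityDescriptor>'
)

def keys_for(metadata_xml, entity_id, role, use="signing"):
    """Return the key blobs that metadata assigns to entity_id acting in role."""
    if role not in ROLES:            # refuse role names we do not recognise
        return []
    keys = []
    for ent in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:
            continue
        for rd in ent.findall(f"md:{role}", NS):
            for kd in rd.findall("md:KeyDescriptor", NS):
                if kd.get("use") in (None, use):   # no 'use' means any purpose
                    for cert in kd.iterfind(".//ds:X509Certificate", NS):
                        keys.append(base64.b64decode("".join(cert.text.split())))
    return keys

def is_trusted(presented, metadata_xml, entity_id, role):
    """Direct comparison: trusted only if the key is listed for this entity and role."""
    # Fails closed: an unknown entity or role yields no keys, so nothing matches.
    return any(presented == k for k in keys_for(metadata_xml, entity_id, role))
```

The same key is accepted when the entity acts as an IdP and rejected when it is presented for the SP role, which is the separation that role-level key assignment provides.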

...