The <TrustEngine> element configures the trust engine used by the SP to authenticate the security messages it receives. It works in conjunction with the security policy layer to secure the system.

If omitted on V2.4 and above, a chain of the ExplicitKey and PKIX engines is used.

Common Attributes

Common Child Elements


Chaining Trust Engine

Identified by type="Chaining", applies one or more trust engines in sequence to authenticate a message. Allows multiple approaches to be combined.

With V2.4 and above, this is implied by any configuration with multiple <TrustEngine> elements, so is no longer explicitly needed.
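The resolution rules stated above (the default chain when the element is omitted, an explicit type="Chaining" wrapper, and implied chaining of sibling elements on V2.4 and above) can be checked against a configuration fragment. The following is an added example, not part of the Shibboleth documentation or code: a Python check that reports the effective engine order. The sample fragments are constructed, and the `<ApplicationDefaults>` parent and the names `effective_chain` and `flatten` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Default chain the page states for V2.4+ when <TrustEngine> is omitted.
DEFAULT_CHAIN = ["ExplicitKey", "PKIX"]


def local(tag):
    """Strip any XML namespace so the check works whatever namespace is used."""
    return tag.rsplit("}", 1)[-1]


def flatten(engine):
    """Expand a type="Chaining" engine into its nested engines, in order."""
    if engine.get("type") == "Chaining":
        chain = []
        for child in engine:
            if local(child.tag) == "TrustEngine":
                chain.extend(flatten(child))
        return chain
    return [engine.get("type")]


def effective_chain(parent_xml):
    """Return the ordered engine types applied under the given parent element."""
    parent = ET.fromstring(parent_xml)
    engines = [e for e in parent if local(e.tag) == "TrustEngine"]
    if not engines:
        return list(DEFAULT_CHAIN)      # omitted: implied default (V2.4+)
    chain = []
    for e in engines:                   # siblings: implied chaining (V2.4+)
        chain.extend(flatten(e))
    return chain


# Constructed sample fragments; the parent element is an assumption.
OMITTED = "<ApplicationDefaults/>"
EXPLICIT = """<ApplicationDefaults>
  <TrustEngine type="Chaining">
    <TrustEngine type="ExplicitKey"/>
    <TrustEngine type="PKIX"/>
  </TrustEngine>
</ApplicationDefaults>"""
IMPLIED = """<ApplicationDefaults>
  <TrustEngine type="ExplicitKey"/>
  <TrustEngine type="PKIX"/>
</ApplicationDefaults>"""

if __name__ == "__main__":
    for name, xml in (("omitted", OMITTED), ("explicit", EXPLICIT), ("implied", IMPLIED)):
        print(name, "->", effective_chain(xml))
```

All three fragments resolve to the same order, which is why the explicit Chaining wrapper is no longer needed on V2.4 and above.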

Child Elements


ExplicitKey Trust Engine

Identified by type="ExplicitKey", extracts keys to trust directly from the metadata of the peer.

For detailed information about how this engine works, see the ExplicitKeyTrustEngine topic.


PKIX Trust Engine

Identified by type="PKIX", extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, but also extracts sets of trust anchors from a special metadata extension and then applies path validation to candidate certificates.

For detailed information about how this engine works, see the PKIXTrustEngine topic.


StaticPKIX Trust Engine

Identified by type="StaticPKIX", extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, and then applies path validation to candidate certificates based on a static list of trust anchors.

The difference from the previous engine is that the list of anchors is fixed and does not vary based on whose credentials are being examined.

Attributes

Child Elements