TrustEngine

The <TrustEngine> element configures the trust engine used by the SP to authenticate the security messages it receives. It works in conjunction with the security policy layer to secure the system.

If omitted a chain of the ExplicitKey and PKIX engines is used.

Types

Three types of trust engine are available by default, these are distinguished by the type="" attribute.

Type

Description

Type

Description

ExplicitKey

Extracts keys to trust directly from the metadata of the peer.

PKIX

Extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, but also extracts sets of trust anchors from a special metadata extension and then applies path validation to candidate certificates.

StaticPKIX

Extracts key identifiers (i.e. certificate names) to trust from the metadata of the peer, and then applies path validation to candidate certificates based on a static list of trust anchors.

The difference from the previous engine is that the list of anchors is fixed and does not vary based on whose credentials are being examined.

Common Attributes

Name

Type

Default

Description

Name

Type

Default

Description

type 

string

Required

Plugin type name.

Common Child Elements

Name

Cardinality

Description

Name

Cardinality

Description

<KeyInfoResolver> 

0 or 1

Advanced plugin interface for mapping <ds:KeyInfo> elements into keying material. Mostly for future use.