The <CredentialResolver> element configures the component that provides the SP with access to public and private keys and certificates, or credentials. Keys are used to sign messages sent to IdPs or authenticate TLS connections, and to decrypt data sent to the SP.
The credentials used by an SP MUST correspond to those supplied to relying parties and federations in the SP's metadata, or a variety of failures will result.
Changes to credentials must also be carefully choreographed to avoid service interruptions. Supporting IdPs that do not support metadata, or support it propertly, implies a variety of manual workarounds and very careful configuration, or by-fiat imposition of changes (essentially disavowing responsibility for any attendant failures).
The web server within which the SP is deployed also manages its own keys and certificates to establish TLS/SSL connections with browser users. While it is technically possible for the SP software to use the same keypair and certificate used by the web server itself, this is not a good idea. Also note that in the current implementation, only the shibd daemon process needs to access the SP's credentials, so the web server does not need any access to them whatsoever.
Note that multiple CredentialResolvers can be specified (see the Multiple Credentials topic for more detail).
Only one type of credential resolver is available: