When verifying the signature of a message, it is recommended to first validate the message with a SAML profile validator to ensure that the signature conforms to the SAML signature profile. Afterwards, the cryptographic validation of the signature can be done by a SignatureValidator.
PS. This validation only performs a cryptographic validation of the signature. It does not check the certificate used for signing against any trusted CA.
To confirm the validity of the certificate, a trust engine must be used in the validation.
Here is a full example of the cryptographic validation.
    // 1. Structural check: the signature must follow the SAML signature profile
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    profileValidator.validate(entityDescriptor.getSignature());

    // 2. Cryptographic check against the expected credential
    SignatureValidator sigValidator = new SignatureValidator(cred);
    sigValidator.validate(entityDescriptor.getSignature());

SignatureValidator is instantiated with the credential, which is essentially the public key corresponding to the private key the message should have been signed with.
This public key could have been extracted from metadata, or it could have been sent in the SAML message itself. If the public key was sent in the message, it is very important to validate the key against a trusted CA before relying on it.
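The following is an added example (not code from the original page) that puts both steps together in a helper method: the signing certificate is taken from the IdP's trusted metadata rather than from the message's own KeyInfo, so the credential is anchored in something the relying party already trusts. It assumes the OpenSAML 2.x API (SAMLSignatureProfileValidator, SignatureValidator, BasicX509Credential, KeyInfoHelper) and that the metadata has already been obtained from a trusted source.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.common.SignableSAMLObject;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class SamlSignatureCheck {

    /** Pick the IdP's signing certificate out of its (trusted) metadata. */
    static X509Certificate signingCertificate(EntityDescriptor idp)
            throws CertificateException, ValidationException {
        IDPSSODescriptor role = idp.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
        if (role == null) throw new ValidationException("no SAML 2.0 IdP role in metadata");
        for (KeyDescriptor kd : role.getKeyDescriptors()) {
            UsageType use = kd.getUse();
            // Keys marked "encryption" must not be accepted for signature checks
            if (use != null && use != UsageType.SIGNING && use != UsageType.UNSPECIFIED) continue;
            List<X509Certificate> certs = KeyInfoHelper.getCertificates(kd.getKeyInfo());
            if (!certs.isEmpty()) return certs.get(0);
        }
        throw new ValidationException("no signing certificate in metadata");
    }

    /** Profile check first, then cryptographic check against the metadata credential. */
    static void verify(SignableSAMLObject signed, EntityDescriptor trustedIdp)
            throws CertificateException, ValidationException {
        Signature signature = signed.getSignature();
        if (signature == null) throw new ValidationException("object is not signed");

        // 1. Structural check (single Reference, enveloped transform, etc.)
        new SAMLSignatureProfileValidator().validate(signature);

        // 2. Credential comes from metadata, never from the message's own KeyInfo
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(signingCertificate(trustedIdp));

        // 3. Cryptographic check; throws ValidationException on mismatch
        new SignatureValidator(cred).validate(signature);
    }
}
```

Because the certificate is taken from metadata the relying party already trusts, no separate CA check is needed here; if the credential were instead built from a certificate carried in the message, a trust engine would still have to validate it before this check means anything.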