When verifying the signature of a message it is recommended to first validate the message with a SAML profile validator. This is to ensure that the signature follows the SAML profile of the XML Signature standard. Afterwards, the cryptographic validation of the signature is done by a SignatureValidator.
PS. This validation only performs a cryptographic validation of the signature, i.e. it checks that the message has not been changed since it was signed. It does not, however, check that the certificate used for signing is trusted. To confirm the trust of the certificate in OpenSAML, a trust engine must be used in the validation.
The most common method to confirm the trust of a key is to compare it to the key received in SAML Metadata. This is generally done as a configuration step when setting up a SAML federation. This post gives more information on SAML Metadata.
Here is a full example of the cryptographic validation.
    import org.opensaml.security.SAMLSignatureProfileValidator;
    import org.opensaml.xml.signature.SignatureValidator;
    import org.opensaml.xml.validation.ValidationException;

    // Step 1: check that the Signature element follows the SAML signature profile.
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    profileValidator.validate(entityDescriptor.getSignature());

    // Step 2: verify the signature cryptographically against the signer's credential.
    // "cred" is a Credential holding the signer's public key (see below).
    // Both validate() calls throw ValidationException if the check fails.
    SignatureValidator sigValidator = new SignatureValidator(cred);
    sigValidator.validate(entityDescriptor.getSignature());

SignatureValidator is instantiated with a credential. In this case the credential basically contains the public key corresponding to the private key that was used to sign the message.
The credential object can be obtained in a number of different ways. This post shows some methods in OpenSAML.
If the public key was sent in the message, it is very important to validate that you trust the key.
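As an added example (not code from the original post), this is how the trust check described above can be done in OpenSAML 2 with an ExplicitKeySignatureTrustEngine backed by SAML Metadata, so that the profile check, the cryptographic check and the metadata trust check are all done before a Response is accepted. The method name, the Response input and the MetadataProvider argument are assumptions; the metadata provider is assumed to be configured elsewhere (for example from the federation's metadata file).

```java
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

public class TrustedSignatureCheck {

    // Hypothetical helper: returns true only if the Response is signed, the signature
    // follows the SAML profile, and it verifies against a signing key that the
    // issuer published in its IdP metadata. Any other outcome is a rejection.
    public static boolean isSignedByTrustedIdp(Response response, MetadataProvider metadata)
            throws ValidationException, SecurityException {
        Signature signature = response.getSignature();
        if (signature == null || response.getIssuer() == null) {
            return false; // unsigned or anonymous message: nothing to trust
        }
        // Step 1: structural check against the SAML signature profile.
        new SAMLSignatureProfileValidator().validate(signature);

        // Step 2: the trust engine resolves the issuer's signing keys from metadata
        // and performs the cryptographic verification against them in one call.
        MetadataCredentialResolver mdResolver = new MetadataCredentialResolver(metadata);
        KeyInfoCredentialResolver kiResolver =
                Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine trustEngine =
                new ExplicitKeySignatureTrustEngine(mdResolver, kiResolver);

        // Restrict the lookup to the claimed issuer's IdP role and its SIGNING keys.
        // The caller should still check that this issuer is the IdP it expected.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(response.getIssuer().getValue()));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        return trustEngine.validate(signature, criteria);
    }
}
```

A key carried in the message's own KeyInfo is never trusted on its own here: the engine only accepts the signature if it verifies against a key found in the issuer's metadata.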
My book, A Guide to OpenSAML, explains in detail how to use the security features of SAML and much more.