[OpenSAML] Example for verifying AuthnResponse signature without a KeyInfo

[ke...@baughman.com]

Hi, 

I'm new to SAML, so please forgive any stupid questions. 

I am on the SP side of a SAML AuthnResponse.  It is signed, but 
the Signature doesn't have a KeyInfo element.  However, I do have the metadata file with 
the public signing key.   It seems most of the Signature validation examples assume that 
there is a KeyInfo, so I'm trying to figure out how to use the public key in the metadata file. 
If anyone has an example, please let me know. 

FYI, below is what I'm trying.  It seems to me that it should work but 
I keep getting an invalid signature error.  Can you see anything that 
I'm doing wrong? 

  public void testValidateSignature() throws Exception { 
        DefaultBootstrap.bootstrap(); 

        DOMMetadataProvider mdProvider = getMetadataProvider(); 
        EntityDescriptor entityDescriptor = (EntityDescriptor) mdProvider.getMetadata(); 

        MetadataCredentialResolver mdResolver = new MetadataCredentialResolver(mdProvider); 

        CriteriaSet criteriaSet = new CriteriaSet(); 
        criteriaSet.add(new EntityIDCriteria(entityDescriptor.getEntityID())); 
        criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, null)); 

        Credential signingCredential = mdResolver.resolve(criteriaSet).iterator().next(); 

        Response authnResponse = getAuthnResponse(); 
        Signature signature = authnResponse.getAssertions().get(0).getSignature(); 

        SignatureValidator sigValidator = new SignatureValidator(signingCredential); 
        sigValidator.validate(signature);  // always returns false 
    }