Verifying SAML SSO responses...

["Peter W. Morreale" <pmorreale@novell.com>]

Hello all,

I'm writing a SAML security filter for a Erlang Yaws server we are
developing.  I'm to the point where I have a SAMLResponse in response to
a Auth request.  At the moment I'm using a simplesamlphp instance as an
Idp.  

I've been reading the processing rules in the OASIS saml-profiles-2.0-os
spec (4.1.4.3), however I'm confused by line 574 which says to verify
any signatures present in the assertion(s). 

I see the signatures in the response XML, however I don't know what I
need to do to very the "signatures".  Can someone explain, or point me
to a resource?  

I do have all the OASIS specs, and have read them several times, but I
don't recall seeing where this was explained.

Its a brave new world.  ;-)

Thanks,
-PWM