So, new job... I've been tasked with implementing SSO using SAML 1.1. The client provided a document that gives an example of the Response object that will be forwarded into our site when a user goes to login. I'm trying to figure out how to validate the XML that I'm given so that I don't blindly trust that the document hasn't been modified in some way or just faked.

I have the keys (DigestValue and SignatureValue), but when I try to do a sha1 of the xml (minus all the parts in the <Signature></Signature> section, the hash doesn't match.

Does anyone have any experience with this that they might be able to point me in the right direction?