...

Federation metadata is signed for integrity and authenticity. Participants are strongly encouraged to verify the XML signature on the metadata file before use; failure to do so will seriously compromise the security of your SAML deployment.

The InCommon Federation is based on the Explicit Key Trust Model, one of several possible metadata trust models. To bootstrap the trust fabric of the Federation, participants are required to download and configure the following metadata verification certificate, which contains the public key corresponding to the Federation's private metadata signing key, into their metadata refresh process:

https://wayf.incommonfederation.org/bridge/certs/incommon.pem

The certificate must be obtained securely since all subsequent operations depend on it. You may check the integrity of the downloaded certificate in a variety of ways. For example, you could use openssl after the fact as follows:

...
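
An added example, not part of the original page: one way to script the integrity check inside a metadata refresh process, by hashing the certificate's DER encoding (the value `openssl x509 -noout -fingerprint -sha256` prints) and comparing it with a fingerprint obtained out of band. The function names and the choice of SHA-256 are assumptions, and the expected fingerprint is assumed to come from the Federation operator over a separate trusted channel.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (upper-case hex, colon separated) of the one
    certificate in pem_text, computed over its DER encoding."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # A pinned verification certificate file should hold exactly one
        # certificate; anything else is treated as a failed download.
        raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
    der = ssl.PEM_cert_to_DER_cert(blocks[0])
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop colons and whitespace and upper-case, so 'ab:cd' equals 'ABCD'."""
    hex_only = re.sub(r"[\s:]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hex_only):
        raise ValueError("fingerprint is not a SHA-256 hex digest")
    return hex_only


def certificate_is_pinned(pem_text: str, expected_fingerprint: str) -> bool:
    """True only if the certificate matches the out-of-band fingerprint."""
    actual = normalize(cert_fingerprint(pem_text))
    return hmac.compare_digest(actual, normalize(expected_fingerprint))


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): check_cert.py incommon.pem <fingerprint>
    with open(sys.argv[1], encoding="ascii") as fh:
        ok = certificate_is_pinned(fh.read(), sys.argv[2])
    print("fingerprint OK" if ok else "FINGERPRINT MISMATCH: do not use")
    sys.exit(0 if ok else 1)
```

Run the check before the certificate is configured as the metadata signature verification key, and make the refresh process stop on a non-zero exit status.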